
Bug 1087173

Summary: Gluster module (purpleidea) blocks unless firewall stopped with no errors reported
Product: [Community] GlusterFS
Reporter: Gilles Dubreuil <gdubreui>
Component: puppet-gluster
Assignee: James (purpleidea) <jshubin>
Status: CLOSED NOTABUG
Severity: high
Priority: unspecified
Version: mainline
CC: gdubreui, yeylon
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-04-14 16:19:15 UTC
Type: Bug

Description Gilles Dubreuil 2014-04-14 05:48:50 UTC
glusterfs volumes are not created when using non puppetdb approach, with no error message propagated.

Running puppet agent in debug mode shows the script files used to create the corresponding glusterfs volume.

For instance:
------------------------
Debug: /File[/var/lib/puppet/tmp/gluster/volume/create-cinder.sh
------------------------

Running the file manually shows it cannot connect to glusterfs peers:
------------------------
[root@f1-glu1 ~]# /usr/sbin/gluster volume create cinder replica 2 transport tcp f1-glu1.os.tst:/cinder/cinder f1-glu2.os.tst:/cinder/cinder f1-glu3.os.tst:/cinder/cinder f1-glu1.os.tst:/glance/cinder f1-glu2.os.tst:/glance/cinder f1-glu3.os.tst:/glance/cinder force 
volume create: cinder: failed: Host f1-glu2.os.tst not connected
------------------------

Stopping the firewall:
------------------------
[root@f1-glu1 ~]#  service iptables stop
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
------------------------

Works around the issue:
------------------------
[root@f1-glu1 ~]# /usr/sbin/gluster volume create cinder replica 2 transport tcp f1-glu1.os.tst:/cinder/cinder f1-glu2.os.tst:/cinder/cinder f1-glu3.os.tst:/cinder/cinder f1-glu1.os.tst:/glance/cinder f1-glu2.os.tst:/glance/cinder f1-glu3.os.tst:/glance/cinder force 
volume create: cinder: success: please start the volume to access data
------------------------

Comment 1 James (purpleidea) 2014-04-14 06:34:02 UTC
Since you're using shorewall => false, firewall is not managed by Puppet-Gluster.
If you use this feature, Puppet-Gluster ensures that the firewall is in a valid state before the commands that need the appropriate ports open, run.

This is a very good reason to put effort into getting shorewall approved as a Fedora/RHEL package, so that we can benefit from automatic firewalling.

@Gilles:
So my question is, what would you like me to do differently or add? IOW, what is the bug?

Comment 2 Gilles Dubreuil 2014-04-14 12:33:09 UTC
puppet-gluster handles the firewall via shorewall.

Shorewall is not supported for EPEL6/7/RHEL.
I believe puppet-gluster to handle standard iptables rules as well.

A workaround is for the caller (quickstack) to enable iptables rules:
This Pull Request contains the FW rules:
https://github.com/redhat-openstack/astapor/pull/150/files


@James,

I was going to add the above...

Shorewall would be a good thing to have but there is going to be some momentum if to be moving in.

There is effectively no bug; this should be migrated to an RFE.

The above PR does it for Quickstack in the meantime.
So the question is why should the gluster handle it?
Maybe because:
- It's already managing security using shorewall. Iptables is just another interface (so to speak)
- The security model is specific to gluster, i.e. number of port punch-holes depending on the number of bricks on each host.

Comment 3 James (purpleidea) 2014-04-14 16:17:31 UTC
(In reply to Gilles Dubreuil from comment #2)

Hey Gilles. Please don't change the summary (subject) unless it's to correct a typo. This confused the line of thinking in the bug (or at least me) and answers to the question from the original bug won't make sense anymore. Please feel free to open as many new bugs as you like, however.

I'm changing the subject back...

Comment 4 James (purpleidea) 2014-04-14 16:19:15 UTC
Closing this particular (original) bug, because it's not a defect of Puppet-Gluster, when it's not managing the firewall.
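
Added example (not from the bug report or from Puppet-Gluster): instead of stopping iptables, this prints rules that open only the ports gluster peers need, sized by the number of bricks on the host as comment 2 describes. It assumes glusterd on TCP 24007 and brick ports starting at TCP 49152 (GlusterFS 3.4+ defaults); the function name and the 192.0.2.x peer addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules that let gluster peers reach
# this host, so "gluster volume create" works with the firewall still running.
# Assumptions (not from the bug report): glusterd listens on TCP 24007 and
# bricks take consecutive TCP ports from 49152 (GlusterFS 3.4+ defaults).

GLUSTERD_PORT=24007
BRICK_BASE_PORT=49152

# usage: gluster_fw_rules <bricks_on_this_host> <peer_ip> [<peer_ip> ...]
gluster_fw_rules() {
    bricks=$1
    case "$bricks" in
        # Reject empty, zero, leading-zero and non-numeric counts.
        ''|0*|*[!0-9]*) echo "brick count must be a positive integer" >&2; return 1 ;;
    esac
    shift
    [ "$#" -ge 1 ] || { echo "at least one peer address required" >&2; return 1; }

    last_port=$((BRICK_BASE_PORT + bricks - 1))
    [ "$last_port" -le 65535 ] || { echo "too many bricks" >&2; return 1; }

    # Validate every peer before printing anything: only a dotted-quad shape
    # with an optional /prefix is accepted, so no hostname or shell
    # metacharacter ends up in the generated rules.
    for peer in "$@"; do
        if ! printf '%s\n' "$peer" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
            echo "invalid peer address: $peer" >&2
            return 1
        fi
    done

    # One management rule and one brick-range rule per peer, source-restricted.
    for peer in "$@"; do
        echo "-A INPUT -s $peer -p tcp -m state --state NEW -m tcp --dport $GLUSTERD_PORT -j ACCEPT"
        echo "-A INPUT -s $peer -p tcp -m state --state NEW -m tcp --dport $BRICK_BASE_PORT:$last_port -j ACCEPT"
    done
}

# Constructed sample: two bricks per host (as in the cinder volume above) and
# two peers with documentation-range addresses.
if [ "${1:-}" = "--demo" ]; then
    gluster_fw_rules 2 192.0.2.12 192.0.2.13
fi
```

The output uses the rule syntax of /etc/sysconfig/iptables; the lines need to sit above any final REJECT rule in the INPUT chain to take effect.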