Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1094969

Summary: packstack install fails due to older than expected iptables
Product: Red Hat OpenStack Reporter: Jeff Peeler <jpeeler>
Component: openstack-puppet-modulesAssignee: Martin Magr <mmagr>
Status: CLOSED NOTABUG QA Contact: Ami Jeain <ajeain>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.0 (RHEL 7)CC: aortega, derekh, gchamoul, ichavero, jpeeler, majopela, shardy, yeylon
Target Milestone: ---   
Target Release: 5.0 (RHEL 7)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-08-06 07:47:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1096752    
Bug Blocks:    
Attachments:
Description Flags
172.16.12.70_prescript.pp.log none

Description Jeff Peeler 2014-05-06 19:28:11 UTC 
Created attachment 892971 [details]
172.16.12.70_prescript.pp.log

Description of problem:
Packstack fails to install iptables-services when iptables is not updated.

Version-Release number of selected component (if applicable):
openstack-packstack-2014.1.1-0.11.dev1055.el7ost.noarch

How reproducible:
Haven't tried

Steps to Reproduce:
1. Run packstack from RHEL 7 running iptables 1.4.19.1 (packstack --allinone --os-neutron-install=n --provision-demo=y --os-heat-install=y --os-client-install=y --mysql-pw=123456)

Actual results:
ERROR : Error appeared during Puppet run: 172.16.12.70_prescript.pp
Error: Execution of '/usr/bin/yum -d 0 -e 0 -y install iptables-services' returned 1: ERROR with transaction check vs depsolve:
You will find full trace in log /var/tmp/packstack/20140506-145215-AvtRAn/manifests/172.16.12.70_prescript.pp.log

Expected results:
Packstack to complete successfully.

Additional info:
Prescript log attached.
Comment 2 Martin Magr 2014-05-07 08:30:07 UTC 
Submitted patch upstream: https://github.com/puppetlabs/puppetlabs-firewall/pull/355
Comment 3 Martin Magr 2014-05-19 11:41:40 UTC 
*** Bug 1098960 has been marked as a duplicate of this bug. ***
Comment 4 Martin Magr 2014-05-27 12:48:19 UTC 
Implemented workaround until problem with iptables/yum will be resolved.
Comment 5 Ivan Chavero 2014-06-06 15:53:57 UTC 
This issue does not appear when using EPEL.
Comment 6 Martin Magr 2014-06-09 14:07:08 UTC 
EPEL should not be necessary in case of RHEL OSP. Anyway, my workaround patch [1] has been denied because this problem does not happen in most recent RHEL-7. Jeff, can you please try to use most recent RHEL-7 image and let me know is the problem persist?


[1] https://review.openstack.org/#/c/95746/
Comment 7 Gaƫl Chamoulaud 2014-06-13 13:18:47 UTC 
I reproduced it with a RHEL 7.0 GA up2date and the lastest iptables packages.

[root@rhel7 ~]# rpm -q iptables
iptables-1.4.21-13.el7.x86_64

[root@rhel7 init.d]# systemctl status iptables.service -l
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
   Active: failed (Result: exit-code) since Fri 2014-06-13 08:45:16 EDT; 14min ago
 Main PID: 10387 (code=exited, status=1/FAILURE)
   CGroup: /system.slice/iptables.service

Jun 13 08:45:16 rhel7.example.com iptables.init[10387]: iptables: Applying firewall rules: iptables-restore: line 14 failed
Jun 13 08:45:16 rhel7.example.com iptables.init[10387]: [FAILED]
Jun 13 08:45:16 rhel7.example.com systemd[1]: iptables.service: main process exited, code=exited, status=1/FAILURE
Jun 13 08:45:16 rhel7.example.com systemd[1]: Failed to start IPv4 firewall with iptables.
Jun 13 08:45:16 rhel7.example.com systemd[1]: Unit iptables.service entered failed state.

After a simple iptables restart, packstack is running well!

[root@rhel7 init.d]# systemctl restart iptables.service
[root@rhel7 init.d]# systemctl status iptables.service -l                                          
iptables.service - IPv4 firewall with iptables                                                     
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)                              
   Active: active (exited) since Fri 2014-06-13 09:01:20 EDT; 1min 27s ago                         
 Main PID: 10569 (code=exited, status=0/SUCCESS)                                                   
                                                                                                   
Jun 13 09:01:20 rhel7.example.com systemd[1]: Starting IPv4 firewall with iptables...              
Jun 13 09:01:20 rhel7.example.com iptables.init[10569]: iptables: Applying firewall rules: [  OK  ]
Jun 13 09:01:20 rhel7.example.com systemd[1]: Started IPv4 firewall with iptables.
Comment 11 Jeff Peeler 2014-06-20 19:45:50 UTC 
I checked on a fully up to date RHEL 7 install and the problem does not remain (which is running iptables 1.4.21). I also checked the package manifest for the RHEL 7 image and it also contains iptables 1.4.21, which means that perhaps this bug isn't all that important anymore.

However, that said if you yum downgrade to iptables 1.4.19, which is what I somehow installed when I filed this bug, the error remains. It looks like this pull request never made it in: https://github.com/puppetlabs/puppetlabs-firewall/pull/355. Maybe iptables-services can be made to depend on the correct version of iptables.

This was tested using openstack-packstack-2014.1.1-0.26.dev1157.el7ost.noarch.
Comment 12 Martin Magr 2014-06-24 12:02:26 UTC 
Thanks Jeff, I already filed bug #1096752 for that.
Comment 13 Martin Magr 2014-08-06 07:47:39 UTC 
This is iptables package issue.