Bug 1156183 - open ceph ports on ceph storage node
Summary: open ceph ports on ceph storage node
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-foreman-installer
Version: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Unspecified
Target Milestone: z2
: Installer
Assignee: Crag Wolfe
QA Contact: nlevinki
Depends On:
Blocks: 1156184
Reported: 2014-10-23 18:21 UTC by Crag Wolfe
Modified: 2014-11-24 03:54 UTC (History)

Fixed In Version: openstack-foreman-installer-2.0.31-1.el6ost
Doc Type: Bug Fix
Doc Text:
Previously, Ceph ports were not open on the Ceph storage nodes. As a result, Ceph monitors could not write to the Ceph storage nodes even though they were monitoring correctly. With this update, a new puppet class is added, which opens the monitoring ports correctly, so the monitors are able to write to the storage nodes.
Clone Of:
: 1156184 (view as bug list)
Last Closed: 2014-11-04 17:03:57 UTC
Target Upstream Version:


System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1800 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform Installer Bug Fix Advisory 2014-11-04 22:00:19 UTC

Description Crag Wolfe 2014-10-23 18:21:33 UTC
Description of problem:

The ceph storage node only includes puppet classes quickstack::ceph::config and quickstack::openstack_common -- osd-related ports are closed.  Therefore, though the ceph-mons may be active and correctly configured on the HA controller, they are unable to write data to the ceph storage node(s).

Comment 2 Crag Wolfe 2014-10-23 18:43:36 UTC
Patch posted: https://github.com/redhat-openstack/astapor/pull/395

Comment 4 Jason Guiditta 2014-10-23 20:45:10 UTC

Comment 9 nlevinki 2014-10-29 12:56:53 UTC
From what I see you opened all tcp ports, see iptables.
Please specify specific ports for ceph mon.
This is a security issue.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 6800:6810 /* 001 ceph osd incoming */
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)

Comment 10 Mike Orazi 2014-10-29 14:07:22 UTC
The patch referenced above only opens the ACCEPT 6800:6810 tcp ports.

Comment 11 Mike Burns 2014-10-29 22:13:03 UTC
The patch included for this bug added just the first rule in the output, which opens 6800:6810.

I agree that the open firewall otherwise needs to be fixed, though, so please file a new bz.  

I think, based on the comment, that this can be verified, though, since the right firewall rule is added.
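
Added example, not part of the original bug report or the astapor patch: a Python audit of the INPUT chain pasted in Comment 9, separating the port-scoped ACCEPT rules from any ACCEPT that shows no match at all and listing the later rules it pre-empts. The function names are this example's own. Non-verbose iptables -L output omits the interface columns, so a hit has to be confirmed against verbose output before it is treated as open.

```python
import re

# INPUT chain as pasted in Comment 9 (non-verbose `iptables -L` output).
LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 6800:6810 /* 001 ceph osd incoming */
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
"""

ANY = {"anywhere", "0.0.0.0/0"}

def parse(listing):
    """Return {chain: [rule, ...]} from non-verbose `iptables -L` text."""
    chains, rules = {}, None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+) \(", line)
        if header:
            rules = chains.setdefault(header.group(1), [])
        elif rules is not None and line.strip() and not line.startswith("target"):
            f = line.split(None, 5)
            rules.append({"target": f[0], "prot": f[1], "src": f[3],
                          "dst": f[4], "match": f[5].strip() if len(f) > 5 else ""})
    return chains

def unrestricted_accepts(rules):
    """Find ACCEPT rules with no visible match, plus the later rules they pre-empt.
    Caveat: without -v the in/out interface columns are hidden, so a hit may be
    interface-scoped (a loopback rule looks identical). Confirm each hit with
    `iptables -L -v -n` or `iptables -S`."""
    hits = []
    for i, r in enumerate(rules):
        if (r["target"] == "ACCEPT" and r["prot"] == "all"
                and r["src"] in ANY and r["dst"] in ANY and not r["match"]):
            later = [f'{s["target"]} {s["match"]}'.strip() for s in rules[i + 1:]]
            hits.append({"position": i + 1, "pre_empts": later})
    return hits

def accepted_ports(rules):
    """Destination ports or ranges named by ACCEPT rules, in rule order."""
    return [p for r in rules if r["target"] == "ACCEPT"
            for p in re.findall(r"(?:dports |dpt:)(\S+)", r["match"])]

if __name__ == "__main__":
    chain = parse(LISTING)["INPUT"]
    print(accepted_ports(chain), unrestricted_accepts(chain))
```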

Comment 12 nlevinki 2014-10-30 08:58:12 UTC

Comment 14 errata-xmlrpc 2014-11-04 17:03:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

