Bug 1286719 - Generation of RHEL6-based Sahara image fails
Generation of RHEL6-based Sahara image fails
Product: Red Hat OpenStack
Classification: Red Hat
Component: sahara-image-elements (Show other bugs)
7.0 (Kilo)
Unspecified Unspecified
urgent Severity urgent
: z3
: 7.0 (Kilo)
Assigned To: Elise Gafford
Luigi Toscano
: Regression, ZStream
Depends On: 1286276
  Show dependency treegraph
Reported: 2015-11-30 10:14 EST by Luigi Toscano
Modified: 2015-12-21 12:09 EST (History)
5 users (show)

See Also:
Fixed In Version: sahara-image-elements-2015.1.0-5.el7ost
Doc Type: Bug Fix
Doc Text:
In some base image contexts, iptables is not initialized prior to saving. As a consequence, the "service iptables save" command in the disable-firewall element fails. To fix this problem, the nondestructive "iptables -L" command has been added, which successfully initializes iptables, As a result, image generation now succeeds.
Story Points: ---
Clone Of: 1286276
Last Closed: 2015-12-21 12:09:08 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2674 normal SHIPPED_LIVE openstack-sahara bug fix advisory 2015-12-21 16:56:27 EST

  None (edit)
Description Luigi Toscano 2015-11-30 10:14:35 EST
+++ This bug was initially created as a clone of Bug #1286276 +++

Description of problem:
The generation of Sahara images fails in this script:
in the 'service iptables save' command, which returns an error, so the sahara-image-create script fails.

Version-Release number of selected component (if applicable):

How reproducible:
sahara-image-create -p hdp -v 2 
sahara-image-create -p cloudera -v 5.4

on a RHEL 6.7 guest image, The script fails in the mentioned script.
I didn't try other plugins but I suspect it's not plugin-related)

Relevant logs:
+ echo dib-run-parts Fri Nov 27 11:53:11 EST 2015 31-disable-ip6tables completed
dib-run-parts Fri Nov 27 11:53:11 EST 2015 31-disable-ip6tables completed
+ for target in '$targets'
+ output 'Running /tmp/in_target.d/post-install.d/32-disable-iptables'
++ date
+ echo dib-run-parts Fri Nov 27 11:53:11 EST 2015 Running /tmp/in_target.d/post-install.d/32-disable-iptables
dib-run-parts Fri Nov 27 11:53:11 EST 2015 Running /tmp/in_target.d/post-install.d/32-disable-iptables
+ target_tag=32-disable-iptables
+ date +%s.%N
+ /tmp/in_target.d/post-install.d/32-disable-iptables
+ set -eu
+ set -o pipefail
+ case "$DISTRO_NAME" in
+ case "${DISTRO_NAME}" in
+ which service
+ service iptables save
iptables: Nothing to save.ESC[60G[ESC[0;33mWARNINGESC[0;39m]
++ check_break after-error run_in_target bash
++ echo ''
++ egrep -e '(,|^)after-error(,|$)' -q
+ trap_cleanup
+ exitval=6
+ cleanup
+ unmount_image
+ sync
+ unmount_dir /tmp/image.ERrwDYwC/mnt
+ local pattern=/tmp/image.ERrwDYwC/mnt mnts=
+ '[' -n /tmp/image.ERrwDYwC/mnt ']'
++ awk '{print $2}'
++ grep '^/tmp/image.ERrwDYwC/mnt'
++ sort -r
+ mnts='/tmp/image.ERrwDYwC/mnt/tmp/yum
+ '[' -n '/tmp/image.ERrwDYwC/mnt/tmp/yum
/tmp/image.ERrwDYwC/mnt/dev' ']'
+ sudo umount -fl /tmp/image.ERrwDYwC/mnt/tmp/yum /tmp/image.ERrwDYwC/mnt/tmp/in_target.d /tmp/image.ERrwDYwC/mnt/tmp/ccache /tmp/image.ERrwDYwC/mnt/sys /tmp/image.ERrwDYwC/mnt/proc /tmp/image.ERrwDYwC/mnt/dev/pts /tmp/image.ERrwDYwC/mnt/dev
+ '[' -n '' ']'
+ cleanup_build_dir
+ sudo rm -rf /tmp/image.ERrwDYwC/built
+ sudo rm -rf /tmp/image.ERrwDYwC/mnt
+ tmpfs_check 0
+ local echo_message=0
+ '[' 0 == 0 ']'
+ '[' -r /proc/meminfo ']'
++ awk '/^MemTotal/ { print $2 }' /proc/meminfo
+ total_kB=1884232
+ '[' 1884232 -lt 4194304 ']'
+ '[' 0 == 1 ']'
+ return 1
+ rm -rf --one-file-system /tmp/image.ERrwDYwC
+ cleanup_image_dir
+ tmpfs_check 0
+ local echo_message=0
+ '[' 0 == 0 ']'
+ '[' -r /proc/meminfo ']'
++ awk '/^MemTotal/ { print $2 }' /proc/meminfo
+ total_kB=1884232
+ '[' 1884232 -lt 4194304 ']'
+ '[' 0 == 1 ']'
+ return 1
+ rm -rf --one-file-system /tmp/image.GySbkqIn
+ exit 6

--- Additional comment from Luigi Toscano on 2015-11-27 12:46:49 EST ---

Forgot to add: running the script on RHEL 7.2.

--- Additional comment from Luigi Toscano on 2015-11-27 13:06:20 EST ---

Note: after further debugging, the warning returned by 
 service iptables save
triggers the failure (thanks to pipefail). The warning itself seems to be related to some missing/not loaded structure in /proc. Running iptables -L before saving is enough to initialize what should be initialized so that the save operation does not fail.
So, to summarize:
- easy hack: add iptables -L &>/dev/null before service iptables save. the generation succeeds.
- do we need to save the tables? We are likely saving the host kernel rules... so maybe better just create an empty file with rules instead.
Comment 1 Luigi Toscano 2015-11-30 10:15:35 EST
So, the bug appears also on the RHEL-OSP7 environment, I guess it's something related to a change in RHEL 7.2 then.
Comment 2 Luigi Toscano 2015-11-30 10:28:34 EST
To be more precise: reproduced with
$ sahara-disk-image-create -p hdp

on RHEL 7.2, package:
Comment 3 Elise Gafford 2015-11-30 17:00:10 EST
This bug is not presently reproducible for me on RHEL 7.2 with any plugin and version combination supported by either of the present packages for RHOS 7 and RHOS 8.

I see """
+ which service
+ service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: ^[[60G[^[[0;32m  OK  ^[[0;39m]^M
+ chkconfig iptables off
which is more to be expected. 

I've tried this on RHEL 7.2, and have also tried limiting the enabled repos to only those required by the installation, in case a repository enabled with my employee sub was providing a corrective package. I'll discuss this with you tomorrow when you're in, and ensure I'm using the precise same host- and guest- level repository sets as you are to attempt to reproduce.
Comment 4 Luigi Toscano 2015-11-30 18:49:03 EST
The host which I used is a guest image (rhel-guest-image) running as instance in an openstack system. 
The instance was originally 7.1 for the RHEL-OSP7 bug; 7.2 for the RHEL-OSP8 version, but both instances have been updated to the latest 7.2.z version.

Maybe something in the way this kind of image boots does not initialize the tables and the first run ever of "save" does not work because of this. As I mentioned, running "iptables -L" at least once makes the error go away, so I suspect it simply initializes/loads what was missing.
Possible tests:
- try a guest image from KVM and from another openstack environment
- try a non guest-image
Comment 6 Luigi Toscano 2015-12-07 07:34:14 EST
With the workaround applied, the images are now properly generated on RHEL 7.2 (both "hdp" and "cloudera").

Comment 8 errata-xmlrpc 2015-12-21 12:09:08 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.