1391860 – Redis replication is broken due to missing firewall rule on controller nodes

Bug 1391860 - Redis replication is broken due to missing firewall rule on controller nodes

Summary: Redis replication is broken due to missing firewall rule on controller nodes

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-tripleo-heat-templates
Sub Component:
Version:	10.0 (Newton)
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	rc
Target Release:	10.0 (Newton)
Assignee:	Angus Thomas
QA Contact:	Omri Hochman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1387290
TreeView+	depends on / blocked

Reported:	2016-11-04 09:23 UTC by Marius Cornea
Modified:	2016-12-14 16:29 UTC (History)
CC List:	13 users (show)
Fixed In Version:	openstack-tripleo-heat-templates-5.0.0-1.4.el7ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-12-14 16:29:31 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
OpenStack gerrit	393318	0	'None'	MERGED	Include redis/mongo hiera when using pacemaker	2021-02-01 22:58:11 UTC
Red Hat Product Errata	RHEA-2016:2948	0	normal	SHIPPED_LIVE	Red Hat OpenStack Platform 10 enhancement update	2016-12-14 19:55:27 UTC

Description Marius Cornea 2016-11-04 09:23:31 UTC

Description of problem:
Redis replication is broken due to missing firewall rule on controller nodes.

/var/log/redis/redis.log:
10987:S 04 Nov 09:20:17.778 * Connecting to MASTER overcloud-controller-0:6379
10987:S 04 Nov 09:20:17.778 * MASTER <-> SLAVE sync started
10987:S 04 Nov 09:20:17.778 # Error condition on socket for SYNC: No route to host

Workaround:
iptables -I INPUT -p tcp -m multiport --dports 6379 -m comment --comment "redis" -m state --state NEW -j ACCEPT

on controller nodes

Replication succeeds after running this.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-5.0.0-1.2.el7ost.noarch

How reproducible:
100%

Comment 1 Pradeep Kilambi 2016-11-04 12:30:24 UTC

hmm we already have the firewall rule in the service templates:

https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/database/redis.yaml#L38-L42


are you sure you have the right code?

Comment 2 Dan Prince 2016-11-04 12:39:56 UTC

I think this might have been fixed by upstream http://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=3fa2ab420c2ba354fd709857e1ceaacf36a0f1b5

Perhaps we simply need to backport this fix to newton?

Comment 3 Pradeep Kilambi 2016-11-04 12:52:59 UTC

 backport proposed already -> https://review.openstack.org/#/c/393318/

moving to on_dev

Comment 6 Marian Krcmarik 2016-11-09 13:46:34 UTC

Verified
$ sudo iptables -L -n | grep 6379
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6379,26379 /* 108 redis */ state NEW

Comment 9 errata-xmlrpc 2016-12-14 16:29:31 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html

Note You need to log in before you can comment on or make changes to this bug.