1406472 – OpenDaylight API service is missing firewall rules

Bug 1406472 - OpenDaylight API service is missing firewall rules

Summary: OpenDaylight API service is missing firewall rules

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-tripleo-heat-templates
Sub Component:
Version:	10.0 (Newton)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	z1
Target Release:	10.0 (Newton)
Assignee:	Tim Rozet
QA Contact:	Itzik Brown
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1258832
TreeView+	depends on / blocked

Reported:	2016-12-20 15:53 UTC by Tim Rozet
Modified:	2018-10-18 07:18 UTC (History)
CC List:	6 users (show)
Fixed In Version:	openstack-tripleo-heat-templates-5.2.0-3.el7ost,puppet-tripleo-5.5.0-2.el7ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:	N/A
Last Closed:	2017-02-01 14:46:34 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1651476	None	None	None	2016-12-20 15:55:38 UTC
OpenStack gerrit	417013	None	None	None	2017-01-16 17:01:49 UTC
OpenStack gerrit	417015	None	None	None	2017-01-16 17:00:46 UTC
Red Hat Product Errata	RHBA-2017:0234	normal	SHIPPED_LIVE	Red Hat OpenStack Platform 10 director Bug Fix Advisory	2017-02-01 19:44:43 UTC

Description Tim Rozet 2016-12-20 15:53:06 UTC

Description of problem:
OpenDaylight service is missing firewall rules for its northbound API service (default port 8081). It is also missing the corresponding HA proxy rule. This is because ODL is using the old method for defining an haproxy configuration rather than endpoint. Endpoint automatically creates the firewall entry.

Version-Release number of selected component (if applicable):


How reproducible:
A nonHA deployment will not be affected by the missing rules, however an HA or custom role deployment may encounter problems.

Steps to Reproduce:
1.  Must include tripleo firewall service.
2.  Deploy with custom role with ODL API service on an isolated node
3.


Actual results:
Deployment will fail because ODL OVS service is unable to contact ODL API.

Expected results:
Successful deployment.

Additional info:

Comment 1 Nir Yechiel 2016-12-21 05:51:03 UTC

Change 413205 proposed to master, and will need to be cherry picked to Newton.

Comment 2 Nir Yechiel 2016-12-21 05:57:49 UTC

(In reply to Nir Yechiel from comment #1)
> Change 413205 proposed to master, and will need to be cherry picked to
> Newton.

The correct change ID is 413228.

Comment 3 Tim Rozet 2016-12-22 15:32:30 UTC

Please see the comments in gerrit about whether or not to expose ODL GUI over public network.  Nir, please let me know what you think about this.

Comment 4 Nir Yechiel 2016-12-22 16:32:51 UTC

(In reply to Tim Rozet from comment #3)
> Please see the comments in gerrit about whether or not to expose ODL GUI
> over public network.  Nir, please let me know what you think about this.

As discussed let's expose it to the ctrplane network for now. If we will get a concrete customer request we can revisit this in the future.

Thanks,
Nir

Comment 5 Itzik Brown 2017-01-08 07:13:19 UTC

The patch https://review.openstack.org/#/c/417015/ Proposed to Newton.
The other one got merged in Newton.

Comment 11 errata-xmlrpc 2017-02-01 14:46:34 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0234.html

Note You need to log in before you can comment on or make changes to this bug.