Bug 1507910 - docker clustercheck service overrides docker mysql firewall rules
Summary: docker clustercheck service overrides docker mysql firewall rules
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 12.0 (Pike)
Hardware: All
OS: Linux
Target Milestone: rc
Target Release: 12.0 (Pike)
Assignee: Michele Baldessari
QA Contact: Marian Krcmarik
Duplicates: 1502799
Depends On:
Reported: 2017-10-31 12:28 UTC by Michele Baldessari
Modified: 2019-12-29 15:49 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-7.0.3-4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-12-13 22:19:18 UTC
Target Upstream Version:


System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1728918 | 0 | None | None | None | 2017-10-31 12:28:40 UTC
OpenStack gerrit | 517576 | 0 | 'None' | MERGED | Fix iptables rules override bug in clustercheck docker service | 2020-07-09 08:45:03 UTC
Red Hat Product Errata | RHEA-2017:3462 | 0 | normal | SHIPPED_LIVE | Red Hat OpenStack Platform 12.0 Enhancement Advisory | 2018-02-16 01:43:25 UTC

Description Michele Baldessari 2017-10-31 12:28:41 UTC
Description of problem:
Composable-HA deployments with separate DB role are currently broken (depending on the services ordering in the roles file).

When deploying a composable HA overcloud with a database role split off to separate nodes we could observe a deployment failure due to galera never starting up properly.

The reason for this was that instead of having the firewall rules for the galera bundle applied (i.e. those with the extra control-port for the bundle), we would see the firewall rules for the BM galera service. E.g. we would see the following on the host:
tripleo.mysql.firewall_rules: {
  104 mysql galera: {
    dport: [ 873, 3306, 4444, 4567, 4568, 9200 ]

Instead of the correct mysql bundle firewall rules:
  104 mysql galera-bundle:
    dport: [ 873, 3123, 3306, 4444, 4567, 4568, 9200 ]

The reason for this is the following piece of code in https://github.com/openstack/tripleo-heat-templates/blob/master/docker/services/pacemaker/clustercheck.yaml#L62:
resources:
  # The containerized clustercheck service imports the puppet (baremetal) mysql service
  MysqlPuppetBase:
    type: ../../../puppet/services/pacemaker/database/mysql.yaml
    properties:
      EndpointMap: {get_param: EndpointMap}
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

outputs:
  role_data:
    description: Containerized service clustercheck using composable services.
    value:
      service_name: clustercheck
      # config_settings is re-exported from the puppet mysql service above
      config_settings: {get_attr: [MysqlPuppetBase, role_data, config_settings]}
      logging_source: {get_attr: [MysqlPuppetBase, role_data, logging_source]}

Depending on the ordering of the clustercheck service within the role (before or after the mysql service), the above code will override the tripleo.mysql.firewall_rules with the wrong rules.
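
Added example (not part of the original report and not tripleo-heat-templates code): a simplified Python model of the override described above, assuming per-service config_settings are merged in role order with the later service winning. The service data is constructed from the two rule sets quoted in the report; merge_role, open_ports and find_conflicts are hypothetical helper names.

```python
import json

KEY = "tripleo.mysql.firewall_rules"

# Constructed sample data, modelled on the two rule sets quoted in the report.
SERVICES = {
    # docker mysql service: bundle rules, including control port 3123
    "mysql": {KEY: {"104 mysql galera-bundle": {
        "dport": [873, 3123, 3306, 4444, 4567, 4568, 9200]}}},
    # docker clustercheck service: re-exports the baremetal mysql settings
    "clustercheck": {KEY: {"104 mysql galera": {
        "dport": [873, 3306, 4444, 4567, 4568, 9200]}}},
}


def merge_role(order, services=SERVICES):
    """Assumed model: settings are merged in role order, later service wins."""
    merged = {}
    for name in order:
        merged.update(services[name])
    return merged


def open_ports(merged):
    """Ports opened by the firewall rules that survived the merge."""
    rules = merged.get(KEY, {})
    return sorted({port for rule in rules.values() for port in rule["dport"]})


def find_conflicts(order, services=SERVICES):
    """Keys that several services set to different values, with their setters."""
    setters = {}
    for name in order:
        for key, value in services[name].items():
            dumped = json.dumps(value, sort_keys=True)
            setters.setdefault(key, []).append((name, dumped))
    return {key: [name for name, _ in entries]
            for key, entries in setters.items()
            if len({dumped for _, dumped in entries}) > 1}


if __name__ == "__main__":
    for order in (["clustercheck", "mysql"], ["mysql", "clustercheck"]):
        ports = open_ports(merge_role(order))
        print(order, "3123 open:", 3123 in ports,
              "conflicts:", find_conflicts(order))
```

In this model the bundle control port 3123 is only opened when the mysql service is merged last, while find_conflicts flags the shared key in either ordering, which is the condition worth checking for before deployment.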

Comment 2 Marian Krcmarik 2017-10-31 13:46:11 UTC
*** Bug 1502799 has been marked as a duplicate of this bug. ***

Comment 8 errata-xmlrpc 2017-12-13 22:19:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

