Description of problem:
FFU: post upgrading an environment with ceph osd nodes the controller nodes are missing ceph-mgr required firewall rules
After upgrade checking the ceph services related iptables rules on controller nodes:
[root@controller-0 heat-admin]# iptables -nL | grep ceph
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 6789 /* 110 ceph_mon */ state NEW
[root@controller-0 heat-admin]# docker ps | grep ceph
ae2d122f614c registry.access.redhat.com/rhceph/rhceph-3-rhel7:latest "/entrypoint.sh" 19 hours ago Up 19 hours ceph-mgr-controller-0
55aad6e09f2a registry.access.redhat.com/rhceph/rhceph-3-rhel7:latest "/entrypoint.sh" 19 hours ago Up 19 hours ceph-mon-controller-0
There should be an additional iptables rule installed for the ceph-mgr service allowing access to ports tcp 6800:7300 per https://github.com/openstack/tripleo-heat-templates/blob/master/docker/services/ceph-ansible/ceph-mgr.yaml#L59-L62
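The check described above, scripted: an added example that is not part of the original report and not TripleO or ceph-ansible code. The function names are hypothetical, the port values are the two named in the report, and the sample text is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report). Sample text is constructed from
# the command output quoted in the report.

# Ports each daemon needs; both values are the ones named in the report.
required_ports() {
  case "$1" in
    ceph-mon) echo 6789 ;;
    ceph-mgr) echo 6800:7300 ;;
  esac
}

# Reduce `docker ps` text on stdin to the ceph daemon types that are running.
running_ceph_daemons() {
  awk 'match($NF, /^ceph-(mon|mgr)/) { print substr($NF, 1, RLENGTH) }' | sort -u
}

# Succeed when some ACCEPT tcp rule in the `iptables -nL` text ($1) covers
# the port or lo:hi range in $2. Handles "multiport dports" and "dpt(s):".
has_accept_rule() {
  printf '%s\n' "$1" | awk -v want="$2" '
    function covers(part, want,   p, w, pn, wn) {
      pn = split(part, p, ":"); wn = split(want, w, ":")
      return (p[1] + 0 <= w[1] + 0) && (p[pn] + 0 >= w[wn] + 0)
    }
    $1 == "ACCEPT" && $2 == "tcp" {
      for (i = 3; i <= NF; i++) {
        spec = ""
        if ($i == "dports" && i < NF) spec = $(i + 1)
        else if ($i ~ /^dpts?:/) { spec = $i; sub(/^dpts?:/, "", spec) }
        n = split(spec, parts, ",")
        for (j = 1; j <= n; j++) if (covers(parts[j], want)) found = 1
      }
    }
    END { exit !found }'
}

# Print every running ceph daemon type that has no covering ACCEPT rule.
missing_rules() {  # $1 = docker ps text, $2 = iptables -nL text
  for daemon in $(printf '%s\n' "$1" | running_ceph_daemons); do
    has_accept_rule "$2" "$(required_ports "$daemon")" || echo "$daemon"
  done
}

SAMPLE_DOCKER='ae2d122f614c rhceph-3-rhel7:latest "/entrypoint.sh" 19 hours ago Up 19 hours ceph-mgr-controller-0
55aad6e09f2a rhceph-3-rhel7:latest "/entrypoint.sh" 19 hours ago Up 19 hours ceph-mon-controller-0'
SAMPLE_IPTABLES='ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 6789 /* 110 ceph_mon */ state NEW'

missing_rules "$SAMPLE_DOCKER" "$SAMPLE_IPTABLES"   # prints: ceph-mgr
```

On a live controller the two arguments would be "$(docker ps)" and "$(iptables -nL)"; a rule counts only if its port range fully covers the required one.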
Looks like none of the Ceph services appear in Heat's list of enabled_services.
By inspecting the Heat stack, I can see CephMgr as one of the deployed stacks and resource-show shows it's correctly mapped to docker/services/ceph-ansible/ceph-mgr.yaml
This might be an issue with the templates not refreshing on upgrade.
Note that for FFU we explicitly disable Ceph services for the initial stack update, then we enable it back as one of the last upgrade steps.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.