Description of problem:
FFU: post upgrading an environment with ceph osd nodes the controller nodes are missing ceph-mgr required firewall rules

After upgrade checking the ceph services related iptables rules on controller nodes:

[root@controller-0 heat-admin]# iptables -nL | grep ceph
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 6789 /* 110 ceph_mon */ state NEW
[root@controller-0 heat-admin]# docker ps | grep ceph
ae2d122f614c registry.access.redhat.com/rhceph/rhceph-3-rhel7:latest "/entrypoint.sh" 19 hours ago Up 19 hours ceph-mgr-controller-0
55aad6e09f2a registry.access.redhat.com/rhceph/rhceph-3-rhel7:latest "/entrypoint.sh" 19 hours ago Up 19 hours ceph-mon-controller-0

Expected results:
There should be an additional iptables rule installed for the ceph-mgr service allowing access to ports tcp 6800:7300 per https://github.com/openstack/tripleo-heat-templates/blob/master/docker/services/ceph-ansible/ceph-mgr.yaml#L59-L62
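A check for the condition described in this report, as an added example that is not part of the original report or of TripleO: it compares running Ceph containers against the ACCEPT rules present and lists services whose ports are not opened. The port map (ceph-mon 6789, ceph-mgr 6800:7300) comes from the report; the function names and the exact-port matching are assumptions.

```shell
#!/bin/sh
# Added example: report running Ceph containers with no ACCEPT rule for their ports.
# Port map comes from the bug report: ceph-mon -> 6789, ceph-mgr -> 6800:7300.
expected_ports() {
    case "$1" in
        ceph-mon) echo 6789 ;;
        ceph-mgr) echo 6800:7300 ;;
        *) return 1 ;;
    esac
}

# $1: output of `iptables -nL`   $2: output of `docker ps`
# Prints "<service> <ports>" for each running service without a matching rule.
# Limitation: matches the exact port spec only; a wider range that happens to
# cover the port is not recognised, and source restrictions are not evaluated.
missing_ceph_rules() (
    rules=$1
    containers=$2
    for svc in ceph-mon ceph-mgr; do
        # Container names in the report look like ceph-mgr-controller-0 (last column).
        printf '%s\n' "$containers" \
            | grep -Eq "[[:space:]]${svc}-[^[:space:]]+[[:space:]]*\$" || continue
        ports=$(expected_ports "$svc")
        printf '%s\n' "$rules" \
            | grep -E '^ACCEPT[[:space:]]+tcp' \
            | grep -Eq "(dports? |dpts?:)([0-9:]+,)*${ports}(,|[[:space:]]|\$)" \
            || echo "$svc $ports"
    done
)

# Sample input copied from the report's controller-0 output.
SAMPLE_RULES='ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 6789 /* 110 ceph_mon */ state NEW'
SAMPLE_CONTAINERS='ae2d122f614c registry.access.redhat.com/rhceph/rhceph-3-rhel7:latest "/entrypoint.sh" 19 hours ago Up 19 hours ceph-mgr-controller-0
55aad6e09f2a registry.access.redhat.com/rhceph/rhceph-3-rhel7:latest "/entrypoint.sh" 19 hours ago Up 19 hours ceph-mon-controller-0'

missing_ceph_rules "$SAMPLE_RULES" "$SAMPLE_CONTAINERS"
# Live use on a node (as root):
#   missing_ceph_rules "$(iptables -nL)" "$(docker ps)"
```

An empty result means every running Ceph service listed in the port map has a matching rule.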
Looks like none of the Ceph services appear in Heat's list of enabled_services.
By inspecting the Heat stack, I can see CephMgr as one of the deployed stacks and resource-show shows [1] it's correctly mapped to docker/services/ceph-ansible/ceph-mgr.yaml. This might be an issue with the templates not refreshing [2] on upgrade. Note that for FFU we explicitly disable Ceph services for the initial stack update [3], then we enable it back as one of the last upgrade steps.

1. http://ix.io/Xtq
2. https://github.com/openstack/tripleo-heat-templates/blob/master/overcloud.j2.yaml#L450-L460
3. https://github.com/openstack/tripleo-heat-templates/blob/master/environments/fast-forward-upgrade.yaml
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:2086