Description of problem:
In the ipv6 setups tripleo tries to use iptables for ipv6 rules, but for ipv6 rules we need to use ip6tables. (snmp/161)

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates.noarch 5.3.10-1.el7ost
openstack-tripleo-puppet-elements.noarch 5.3.3-2.el7ost
puppet-tripleo.noarch 5.6.8-1.el7ost

Failure:
Error: /Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Service_rules[snmp]/Tripleo::Firewall::Rule[124 snmp]/Firewall[124 snmp]/ensure: change from absent to present failed: Execution of '/usr/sbin/iptables -I INPUT 7 -t filter -s fd00:fd00:fd00:2000::/64 -p udp -m multiport --dports 161 -m comment --comment 124 snmp -m state --state NEW -j ACCEPT' returned 2: iptables v1.4.21: invalid mask `64' specified
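The failure above can be caught before deployment by comparing the address family of each literal source or destination in a rule with the binary that is asked to load it. The following is an added example, not code from puppet-tripleo or from the linked review; the function names and the corrected command are constructed for illustration, and only literal addresses and networks are checked.

```python
import ipaddress
import os
import shlex

# Binaries this check understands; each accepts a single address family.
KNOWN_BINARIES = {"iptables", "ip6tables"}
ADDRESS_FLAGS = {"-s", "--source", "-d", "--destination"}

# Command copied from the error in this report.
FAILED = ("/usr/sbin/iptables -I INPUT 7 -t filter -s fd00:fd00:fd00:2000::/64 "
          "-p udp -m multiport --dports 161 -m comment --comment 124 snmp "
          "-m state --state NEW -j ACCEPT")
# Constructed for this example: the same rule handed to ip6tables.
FIXED = FAILED.replace("/usr/sbin/iptables", "/usr/sbin/ip6tables", 1)


def binary_for(cidr):
    """Return the binary able to load a rule matching this address or network."""
    version = ipaddress.ip_network(cidr, strict=False).version
    return "ip6tables" if version == 6 else "iptables"


def family_mismatches(command):
    """Return (flag, value, expected_binary) for each address the binary rejects."""
    tokens = shlex.split(command)
    binary = os.path.basename(tokens[0])
    if binary not in KNOWN_BINARIES:
        raise ValueError("not an iptables/ip6tables command: %s" % tokens[0])
    mismatches = []
    for flag, value in zip(tokens, tokens[1:]):
        if flag not in ADDRESS_FLAGS:
            continue
        for item in value.split(","):  # -s/-d accept comma-separated lists
            try:
                expected = binary_for(item)
            except ValueError:
                continue  # hostname or negation token, not a literal address
            if expected != binary:
                mismatches.append((flag, item, expected))
    return mismatches


if __name__ == "__main__":
    for name, cmd in (("failed", FAILED), ("fixed", FIXED)):
        print(name, family_mismatches(cmd))
```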
Successfully worked around this problem using the file /usr/share/openstack-puppet/modules/tripleo/manifests/firewall/rule.pp patched to f6d398a7da in overcloud-full.qcow2 as per https://review.openstack.org/#/c/564250, reuploaded to glance and redeployed the OC; the ipv6-enabled deployment is able to pass now without the "invalid mask `64' specified" issue.
*** Bug 1569972 has been marked as a duplicate of this bug. ***
Verified by CI, since package puppet-tripleo-5.6.8-2.el7ost is present on controllers and compute nodes and OC deployment passes without error (puddle 2018-04-27.2).
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:1593