1571840 – Attempting to use iptables with ipv6 address/prefix

Bug 1571840 - Attempting to use iptables with ipv6 address/prefix

Summary: Attempting to use iptables with ipv6 address/prefix

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	puppet-tripleo
Sub Component:
Version:	10.0 (Newton)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	z8
Target Release:	10.0 (Newton)
Assignee:	Emilien Macchi
QA Contact:	Filip Hubík
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1569972 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-04-25 13:52 UTC by Attila Fazekas
Modified:	2022-07-09 09:45 UTC (History)
CC List:	9 users (show)
Fixed In Version:	puppet-tripleo-5.6.8-2.el7ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-05-17 15:42:06 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	564250	None	None	None	2018-04-25 15:21:04 UTC
Red Hat Issue Tracker	OSP-16927	None	None	None	2022-07-09 09:45:43 UTC
Red Hat Product Errata	RHSA-2018:1593	None	None	None	2018-05-17 15:42:19 UTC

Description Attila Fazekas 2018-04-25 13:52:16 UTC

Description of problem:

In the ipv6 setups tripleo tries to use iptables for ipv6 rules,
but for ipv6 rules we need to use ip6tables. (snmp/161)


Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates.noarch
                                 5.3.10-1.el7ost  
openstack-tripleo-puppet-elements.noarch
                                 5.3.3-2.el7ost 

puppet-tripleo.noarch            5.6.8-1.el7ost 


Failure:

 Error: /Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Service_rules[snmp]/Tripleo::Firewall::Rule[124 snmp]/Firewall[124 snmp]/ensure: change from absent to present failed: Execution of '/usr/sbin/iptables -I INPUT 7 -t filter -s fd00:fd00:fd00:2000::/64 -p udp -m multiport --dports 161 -m comment --comment 124 snmp -m state --state NEW -j ACCEPT' returned 2: iptables v1.4.21: invalid mask `64' specified

Comment 4 Filip Hubík 2018-04-26 12:32:25 UTC

Successfully workarounded this problem using file /usr/share/openstack-puppet/modules/tripleo/manifests/firewall/rule.pp patched to f6d398a7da in overcloud-full.qcow2 as per https://review.openstack.org/#/c/564250, reuploaded to glance and redeployed OC, ipv6-enabled deployment is able to pass now without "invalid mask `64' specified" issue.

Comment 6 Alex Schultz 2018-04-27 14:53:03 UTC

*** Bug 1569972 has been marked as a duplicate of this bug. ***

Comment 10 Filip Hubík 2018-04-30 10:21:01 UTC

Verified by CI, since package puppet-tripleo-5.6.8-2.el7ost is present on controllers and compute nodes and OC deployment passes without error (puddle 2018-04-27.2).

Comment 14 errata-xmlrpc 2018-05-17 15:42:06 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1593

Note You need to log in before you can comment on or make changes to this bug.