Bug 1571848 - The conditional check ''Active: active' in service_iptables_status.stdout'
Summary: The conditional check ''Active: active' in service_iptables_status.stdout'
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OKD
Classification: Red Hat
Component: Installer
Version: 3.x
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
: ---
Assignee: Scott Dodson
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-25 14:13 UTC by Alexey Shcherbakov
Modified: 2018-04-26 14:45 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
# cat /etc/redhat-release CentOS Linux release 7.4.1708 (Core) # rpm -qa | grep ansible openshift-ansible-docs-3.9.0-0.53.0.git.1.af49d87.el7.noarch ansible-2.5.1-1.el7.noarch openshift-ansible-playbooks-3.9.0-0.53.0.git.1.af49d87.el7.noarch openshift-ansible-3.9.0-0.53.0.git.1.af49d87.el7.noarch openshift-ansible-roles-3.9.0-0.53.0.git.1.af49d87.el7.noarch
Last Closed: 2018-04-26 14:45:39 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Alexey Shcherbakov 2018-04-25 14:13:09 UTC
Description of problem:

When i run ansible-playbook for upgrade cluster from 3.7 to 3.9 , recieved error: 

# ansible-playbook --check -i /etc/ansible/hosts-concept /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_9/upgrade.yml

...

TASK [Set fact os_firewall_use_firewalld FALSE for iptables] **************************************************************************************************************************************************
fatal: [ocp1.avp.ru]: FAILED! => {"msg": "The conditional check ''Active: active' in service_iptables_status.stdout' failed. The error was: error while evaluating conditional ('Active: active' in service_iptables_status.stdout): Unable to look up a name or access an attribute in template string ({% if 'Active: active' in service_iptables_status.stdout %} True {% else %} False {% endif %}).\nMake sure your variable name does not contain invalid characters like '-': argument of type 'StrictUndefined' is not iterable\n\nThe error appears to have been in '/usr/share/ansible/openshift-ansible/playbooks/common/openshift-cluster/upgrades/init.yml': line 26, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: Set fact os_firewall_use_firewalld FALSE for iptables\n    ^ here\n"}
fatal: [ocp2.avp.ru]: FAILED! => {"msg": "The conditional check ''Active: active' in service_iptables_status.stdout' failed. The error was: error while evaluating conditional ('Active: active' in service_iptables_status.stdout): Unable to look up a name or access an attribute in template string ({% if 'Active: active' in service_iptables_status.stdout %} True {% else %} False {% endif %}).\nMake sure your variable name does not contain invalid characters like '-': argument of type 'StrictUndefined' is not iterable\n\nThe error appears to have been in '/usr/share/ansible/openshift-ansible/playbooks/common/openshift-cluster/upgrades/init.yml': line 26, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: Set fact os_firewall_use_firewalld FALSE for iptables\n    ^ here\n"}
fatal: [ocp3.avp.ru]: FAILED! => {"msg": "The conditional check ''Active: active' in service_iptables_status.stdout' failed. The error was: error while evaluating conditional ('Active: active' in service_iptables_status.stdout): Unable to look up a name or access an attribute in template string ({% if 'Active: active' in service_iptables_status.stdout %} True {% else %} False {% endif %}).\nMake sure your variable name does not contain invalid characters like '-': argument of type 'StrictUndefined' is not iterable\n\nThe error appears to have been in '/usr/share/ansible/openshift-ansible/playbooks/common/openshift-cluster/upgrades/init.yml': line 26, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: Set fact os_firewall_use_firewalld FALSE for iptables\n    ^ here\n"}
	to retry, use: --limit @/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_9/upgrade.retry

PLAY RECAP ****************************************************************************************************************************************************************************************************
localhost                  : ok=12   changed=0    unreachable=0    failed=0   
ocp1.avp.ru                : ok=23   changed=1    unreachable=0    failed=1   
ocp2.avp.ru                : ok=21   changed=1    unreachable=0    failed=1   
ocp3.avp.ru                : ok=21   changed=1    unreachable=0    failed=1   



Failure summary:


  1. Hosts:    ocp1.avp.ru, ocp2.avp.ru, ocp3.avp.ru
     Play:     Ensure firewall is not switched during upgrade
     Task:     Set fact os_firewall_use_firewalld FALSE for iptables
     Message:  The conditional check ''Active: active' in service_iptables_status.stdout' failed. The error was: error while evaluating conditional ('Active: active' in service_iptables_status.stdout): Unable to look up a name or access an attribute in template string ({% if 'Active: active' in service_iptables_status.stdout %} True {% else %} False {% endif %}).
               Make sure your variable name does not contain invalid characters like '-': argument of type 'StrictUndefined' is not iterable
               
               The error appears to have been in '/usr/share/ansible/openshift-ansible/playbooks/common/openshift-cluster/upgrades/init.yml': line 26, column 5, but may
               be elsewhere in the file depending on the exact syntax problem.
               
               The offending line appears to be:
               
               
                 - name: Set fact os_firewall_use_firewalld FALSE for iptables
                   ^ here



and if run command systemctl status iptables on nodes, then return:


[root@ocp1 ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Ср 2018-04-25 15:08:37 MSK; 2h 1min ago
  Process: 59033 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
  Process: 59357 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 59357 (code=exited, status=0/SUCCESS)
   Memory: 0B
   CGroup: /system.slice/iptables.service

апр 25 15:08:36 ocp1.avp.ru systemd[1]: Starting IPv4 firewall with iptables...
апр 25 15:08:37 ocp1.avp.ru iptables.init[59357]: iptables: Applying firewall rules: [  OK  ]
апр 25 15:08:37 ocp1.avp.ru systemd[1]: Started IPv4 firewall with iptables.



Need help to resolve this.

Thank you.


Note You need to log in before you can comment on or make changes to this bug.