Description of problem:
FFU: ironic-inspector firewall rule is missing on the undercloud after upgrade.

Version-Release number of selected component (if applicable):
instack-undercloud-8.4.1-4.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Deploy OSP10
2. Upgrade to OSP13 via the fast forward upgrade procedure
3. Check the iptables rules on the undercloud

Actual results:
No rule allowing connections to tcp port 5050:

(undercloud) [stack@undercloud-0 ~]$ sudo iptables -nL | grep 5050
(undercloud) [stack@undercloud-0 ~]$ sudo grep 5050 /etc/sysconfig/iptables
(undercloud) [stack@undercloud-0 ~]$ sudo grep ironic /etc/sysconfig/iptables
-A INPUT -p tcp -m multiport --dports 6385,13385 -m comment --comment "135 ironic ipv4" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6385,13385 -m comment --comment "135 ironic ipv4" -m state --state NEW -j ACCEPT

Expected results:
An iptables rule allowing connections to tcp port 5050 is present.

Additional info:
Any introspection attempts post upgrade fail because the nodes cannot reach the undercloud on port 5050.
Workaround: add the rule manually by running:

sudo iptables -I INPUT -p tcp -m multiport --dports 5050 -m state --state NEW -m comment --comment "137 ironic-inspector ipv4" -j ACCEPT
Created attachment 1435110 (undercloud upgrade logs)
Attaching undercloud upgrade outputs.

Created attachment 1435125 (/etc/puppet/hieradata/puppet-stack-config.yaml)
Attaching /etc/puppet/hieradata/puppet-stack-config.yaml

Created attachment 1435126 (iptables)
/etc/sysconfig/iptables
I was not able to reproduce this using upstream bits. Are we consistently seeing this downstream?
(In reply to Harald Jensås from comment #6)
> I was not able to reproduce this using upstream bits.
> Are we consistently seeing this downstream?

Yes, on an environment upgraded yesterday:

[stack@undercloud-0 ~]$ sudo grep 5050 /etc/sysconfig/iptables
[stack@undercloud-0 ~]$ sudo iptables -nL | grep 5050
[stack@undercloud-0 ~]$
Marius - next time you upgrade, can you check that rule before and after the 11 upgrade, after the 12 upgrade etc., so we can see if it's getting dropped prior to the 13 upgrade?
(In reply to Bob Fournier from comment #8)
> Marius - next time you upgrade, can you check that rule before and after 11
> upgrade, after 12 upgrade etc. so we can see if its getting dropped prior to
> 13 upgrade?

After upgrade to OSP12:

[root@undercloud-0 stack]# grep 5050 /etc/sysconfig/iptables
-A INPUT -p tcp -m multiport --dports 5050 -m comment --comment "137 ironic-inspector ipv4" -m state --state NEW -j ACCEPT
[root@undercloud-0 stack]# iptables -nL | grep 5050
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5050 /* 137 ironic-inspector ipv4 */ state NEW

After upgrade to OSP13:

[root@undercloud-0 stack]# grep 5050 /etc/sysconfig/iptables
[root@undercloud-0 stack]# iptables -nL | grep 5050
[root@undercloud-0 stack]#
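An added check script for the before/after comparison requested in comment #8; it is not part of this bug report or of instack-undercloud. It inspects a saved rules file in iptables-save format (such as /etc/sysconfig/iptables) and reports which of the undercloud ironic ports have no INPUT ACCEPT rule; the SAMPLE_RULES content is constructed from the output quoted above, and the function names are my own.

```sh
#!/bin/sh
# Constructed sample in /etc/sysconfig/iptables (iptables-save) format: the
# ironic API rule is present, the ironic-inspector rule for tcp/5050 is not,
# which is the post-OSP13-upgrade state shown in the report.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 6385,13385 -m comment --comment "135 ironic ipv4" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,13000 -m comment --comment "110 keystone ipv4" -m state --state NEW -j ACCEPT
COMMIT'

# tcp_accept_rule_present FILE PORT
# Exit 0 if FILE holds an "-A INPUT ... -p tcp ... -j ACCEPT" rule whose port
# match covers PORT: a single --dport, a member of a multiport --dports list,
# or a low:high range. Unlike "grep 5050", this does not match 15050.
tcp_accept_rule_present() {
    awk -v want="$2" '
        /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++) {
                if ($i !~ /^--(dport|dports|destination-ports?)$/) continue
                n = split($(i + 1), ports, ",")
                for (j = 1; j <= n; j++) {
                    if (index(ports[j], ":")) {
                        split(ports[j], range, ":")
                        if (want + 0 >= range[1] + 0 && want + 0 <= range[2] + 0) { found = 1; exit }
                    } else if (ports[j] == want) { found = 1; exit }
                }
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# missing_tcp_ports FILE PORT...
# Print every PORT with no covering rule; exit 1 if any is missing.
# 6385/13385 (ironic API) and 5050 (ironic-inspector) are the ports the
# report compares before and after the upgrade.
missing_tcp_ports() {
    file=$1; shift
    rc=0
    for p in "$@"; do
        tcp_accept_rule_present "$file" "$p" || { echo "$p"; rc=1; }
    done
    return $rc
}

# Demo on the constructed sample: prints 5050 as missing, matching the bug.
sample=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$sample"
missing_tcp_ports "$sample" 6385 13385 5050 || echo "undercloud firewall rule(s) missing"
rm -f "$sample"
```

On a live undercloud, run it against the active rule set rather than the saved file with `iptables-save | tcp_accept_rule_present /dev/stdin 5050`, and compare the result at each step of the FFU.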
I have tried to reproduce the issue. However, I see the port on all releases. I also got confirmation from Bob Fournier, who cannot reproduce the bug either. Feel free to open it when the issue appears again.