Bug 1777140 - Undercloud has iptables rule to allow traffic for horizon, which is not deployed
Summary: Undercloud has iptables rule to allow traffic for horizon, which is not deployed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: instack-undercloud
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assignee: Takashi Kajinami
QA Contact: Arik Chernetsky
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-11-27 02:07 UTC by Takashi Kajinami
Modified: 2023-03-24 16:23 UTC

Fixed In Version: instack-undercloud-8.4.9-4.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-10 11:23:19 UTC
Target Upstream Version:
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Launchpad | 1854117 | 0 | None | None | None | 2019-11-27 02:12:21 UTC |
| OpenStack gerrit | 696215 | 0 | None | MERGED | Remove configuration related to Horizon | 2020-04-14 06:47:05 UTC |
| OpenStack gerrit | 699917 | 0 | None | MERGED | Remove configuration related to Horizon | 2020-04-14 06:47:05 UTC |
| Red Hat Issue Tracker | OSP-23720 | 0 | None | None | None | 2023-03-24 16:23:46 UTC |
| Red Hat Product Errata | RHBA-2020:0760 | 0 | None | None | None | 2020-03-10 11:23:50 UTC |

Description Takashi Kajinami 2019-11-27 02:07:30 UTC
Description of problem:

When we install undercloud by 'openstack undercloud install',
we see that the undercloud node has the following rule in iptables.
~~~
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -m comment --comment "126 horizon ipv4" -j ACCEPT
~~~

However, we don't have Horizon deployed/configured in undercloud node,
which means that this iptables rule is useless.
~~~
[stack@undercloud-0 ~]$ rpm -qa | grep horizon
puppet-horizon-12.4.0-1.el7ost.noarch
[stack@undercloud-0 ~]$ 
~~~

How reproducible:
Always

Steps to Reproduce:
1. Install undercloud 
2. See iptables-save to see configured rules

Actual results:
iptables-save has an ACCEPT rule about tcp/80 and tcp/443, which is used for horizon

Expected results:
iptables-save doesn't have an ACCEPT rule about tcp/80 and tcp/443, which is used for horizon


Additional info:

Comment 1 Takashi Kajinami 2019-11-27 02:10:12 UTC
I proposed a possible fix[1] for stable/rocky.

[1] https://review.opendev.org/#/c/696215/

However, I'm not sure whether I'm doing the correct thing
because I don't understand the reason why we have horizon configuration there.
(It seems that we had horizon deployed in undercloud node in old releases?)

It would be nice if I could ask eng to have a look at that.

Comment 4 errata-xmlrpc 2020-03-10 11:23:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0760
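
A check for the condition this bug describes, as an added example that is not part of the bug report or of instack-undercloud: it lists INPUT ACCEPT rules in `iptables-save` output whose TCP destination ports have no listening socket in `ss -ltn` output. Apart from the horizon rule quoted in the description, the sample rules, sockets and function names are constructed for illustration.

```python
import shlex

# Constructed sample input: only the horizon rule is taken from the bug report.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "example ssh" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -m comment --comment "126 horizon ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,8000:8001 -m state --state NEW -m comment --comment "example api" -j ACCEPT
COMMIT
"""
# Constructed `ss -ltn` output: nothing listens on 80 or 443.
SS_LTN = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     192.168.24.1:5000   0.0.0.0:*
LISTEN  0       128     [::]:8000           [::]:*
LISTEN  0       128     192.168.24.1:8001   0.0.0.0:*
"""

def expand_ports(spec):
    """Turn '80,443' or '8000:8001' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def listening_ports(ss_output):
    """TCP ports with a LISTEN socket; the header line is skipped."""
    rows = (line.split() for line in ss_output.splitlines())
    return {int(f[3].rsplit(":", 1)[1]) for f in rows if len(f) >= 4 and f[0] == "LISTEN"}

def unused_accepts(iptables_save, ss_output):
    """Return [(rule comment, [ports without a listener])] for INPUT tcp ACCEPT rules."""
    listening, findings = listening_ports(ss_output), []
    for line in iptables_save.splitlines():
        tok = shlex.split(line) if line.startswith("-A INPUT ") else []
        if not tok or "!" in tok:  # negated matches are out of scope here
            continue
        opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        spec = opts.get("--dports") or opts.get("--dport")
        if opts.get("-j") != "ACCEPT" or opts.get("-p") != "tcp" or not spec:
            continue
        dead = sorted(expand_ports(spec) - listening)
        if dead:
            findings.append((opts.get("--comment", ""), dead))
    return findings

if __name__ == "__main__":
    for comment, ports in unused_accepts(IPTABLES_SAVE, SS_LTN):
        print(f"ACCEPT rule {comment!r} opens ports with no listener: {ports}")
```

On a live host, pass in the text of `iptables-save` and `ss -ltn` instead of the samples. A finding only means nothing was listening when the output was captured, so confirm the service is not deployed before removing the rule.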

