Bug 1999562 - ceph ssl radosgw port is closed for tempest (undercloud node)
Summary: ceph ssl radosgw port is closed for tempest (undercloud node)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 17.0 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: beta
: 17.0
Assignee: Giulio Fidente
QA Contact: Attila Fazekas
URL:
Whiteboard:
Depends On:
Blocks: 2000582
Reported: 2021-08-31 10:44 UTC by Attila Fazekas
Modified: 2022-09-21 12:16 UTC

Fixed In Version: openstack-tripleo-heat-templates-14.3.1-0.20210912021828.e7f8587.el8ost
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 2000582 (view as bug list)
Environment:
Last Closed: 2022-09-21 12:16:15 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1942198 0 None None None 2021-08-31 11:22:31 UTC
OpenStack gerrit 806727 0 None None None 2021-09-01 11:26:42 UTC
OpenStack gerrit 806733 0 None None None 2021-09-01 11:26:08 UTC
Red Hat Issue Tracker OSP-8005 0 None None None 2021-11-15 12:54:50 UTC
Red Hat Product Errata RHEA-2022:6543 0 None None None 2022-09-21 12:16:56 UTC

Description Attila Fazekas 2021-08-31 10:44:29 UTC
When ssl setup is requested with ceph object storage, the firewall on the controller node does not open the public ssl port for consumption from the undercloud (or other node).

Workaround:
[heat-admin@controller-0 ~]$ sudo iptables -I INPUT 12 -p tcp -m tcp --dport 13808 -m comment --comment "122X ceph rgw ipv4 ssl" -j ACCEPT

Additional info:
The internal is defined without ssl.

| swift     | object-store   | regionOne                                                                          |
|           |                |   internal: http://172.17.3.35:8080/swift/v1/AUTH_ffbfeac65be8408db5492888fd7ec4b5 |
|           |                | regionOne                                                                          |
|           |                |   admin: http://172.17.3.35:8080/swift/v1/AUTH_ffbfeac65be8408db5492888fd7ec4b5    |
|           |                | regionOne                                                                          |
|           |                |   public: https://10.0.0.124:13808/swift/v1/AUTH_ffbfeac65be8408db5492888fd7ec4b5  |
|           |                |                                                                                    |

The internal port is exposed by:
-A INPUT -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW -m comment --comment "122 ceph rgw ipv4" -j ACCEPT


Probably the public rgw port should be exposed on the firewall instead of the internal.

openstack-tripleo-heat-templates-14.2.1-0.20210809091810.185a41c.el8ost.noarch
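
The mismatch described above can be checked mechanically by comparing the ports of the catalog endpoints with the ports the INPUT chain accepts. The script below is an added example, not part of the original report or of the tripleo fix; the function names are hypothetical, and the sample rule and endpoint URLs are the ones quoted in the description.

```shell
#!/bin/sh
# Added example, not from the bug report's fix: list catalog endpoints whose
# TCP port has no ACCEPT rule. Rules are passed as text (on a controller:
# "$(sudo iptables -S INPUT)"). Simplifications: rule order, source and
# interface matches, and port ranges (a:b) are ignored.

# Sample input, copied from the values quoted in the report.
SAMPLE_RULES='-A INPUT -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW -m comment --comment "122 ceph rgw ipv4" -j ACCEPT'
SAMPLE_ENDPOINTS='internal: http://172.17.3.35:8080/swift/v1/AUTH_ffbfeac65be8408db5492888fd7ec4b5
admin: http://172.17.3.35:8080/swift/v1/AUTH_ffbfeac65be8408db5492888fd7ec4b5
public: https://10.0.0.124:13808/swift/v1/AUTH_ffbfeac65be8408db5492888fd7ec4b5'

# accepted_ports RULES -> TCP ports opened by ACCEPT rules, one per line.
# Understands "--dport N" and "-m multiport --dports a,b,c".
accepted_ports() {
  printf '%s\n' "$1" | awk '
    /-j ACCEPT/ && /-p tcp/ {
      for (i = 1; i < NF; i++)
        if ($i == "--dport" || $i == "--dports") {
          n = split($(i + 1), p, ",")
          for (j = 1; j <= n; j++) if (p[j] ~ /^[0-9]+$/) print p[j]
        }
    }' | sort -un
}

# endpoint_port URL -> explicit port, else the scheme default (443 or 80).
endpoint_port() {
  hostport=${1#*://}; hostport=${hostport%%/*}
  case $hostport in
    *:*) port=${hostport##*:} ;;   # also covers "[v6addr]:port"
    *)   port= ;;
  esac
  case $port in
    ''|*[!0-9]*) case $1 in https://*) port=443 ;; *) port=80 ;; esac ;;
  esac
  echo "$port"
}

# uncovered_endpoints RULES ENDPOINTS -> "interface port" per endpoint that
# no ACCEPT rule opens. ENDPOINTS lines have the form "public: URL".
uncovered_endpoints() {
  open=$(accepted_ports "$1")
  printf '%s\n' "$2" | while read -r iface url; do
    [ -n "$url" ] || continue
    port=$(endpoint_port "$url")
    printf '%s\n' "$open" | grep -qx "$port" || echo "${iface%:} $port"
  done
}

uncovered_endpoints "$SAMPLE_RULES" "$SAMPLE_ENDPOINTS"   # prints: public 13808
```

With the workaround rule for port 13808 appended to the rule text, the function prints nothing.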

Comment 10 errata-xmlrpc 2022-09-21 12:16:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543

