Bug 2120474 - Handle multiple internal subnets when adding iptable rules for SSL/TLS connection in the OVN multi-active cluster role
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 17.0 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ga
Target Release: 17.0
Assignee: OSP Team
QA Contact: Maor
URL:
Whiteboard:
Duplicates: 2123166 2123404
Depends On:
Blocks:
Reported: 2022-08-23 03:29 UTC by Miro Tomaska
Modified: 2022-09-28 09:11 UTC

Fixed In Version: openstack-tripleo-heat-templates-14.3.1-0.20220719171727.feca772.el9ost
Doc Type: Bug Fix
Doc Text:
This update fixes a bug that caused blockage of OVS databases on Spine/Leaf and Distributed Compute Node/edge deployments when multiple OVN service firewall rules for routed subnets were merged.
Clone Of:
Environment:
Last Closed: 2022-09-21 12:24:47 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 854306 0 None master: MERGED tripleo-heat-templates: Fix merge of multiple firewall rules (I7ae92da25940f04ec91ad63c93c869b9a314df3b) 2022-09-01 11:36:41 UTC
OpenStack gerrit 855135 0 None stable/wallaby: MERGED tripleo-heat-templates: Fix merge of multiple firewall rules (I7ae92da25940f04ec91ad63c93c869b9a314df3b) 2022-09-01 11:36:48 UTC
Red Hat Issue Tracker OSP-18320 0 None None None 2022-08-23 03:37:53 UTC
Red Hat Product Errata RHEA-2022:6543 0 None None None 2022-09-21 12:25:01 UTC

Description Miro Tomaska 2022-08-23 03:29:47 UTC
Background:
This bug was discovered while validating BZ2114617 in conjunction with additional patches:
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/851889/
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/853101/

See BZ2114617 comment 13:
https://bugzilla.redhat.com/show_bug.cgi?id=2114617#c13


Description of problem:
It looks like THT for ovn-dbs-cluster-ansible.yaml[1] does not handle creating ip rules when there are multiple subnets defined in a network data yaml, i.e. [2]. We only create an iptables rule for one subnet but not all. This results in traffic being blocked for the subnets that are not defined (we block all by default for TLS/SSL environments).

[1] https://code.engineering.redhat.com/gerrit/c/openstack-tripleo-heat-templates/+/425236/3/deployment/ovn/ovn-dbs-cluster-ansible.yaml#96
[2] https://code.engineering.redhat.com/gerrit/plugins/gitiles/rhos-infrared/+/refs/heads/master/settings/installer/ospd/deployment/edge/osp-17-spine-leaf-ovn-dmbs-ipv6/central/network/network_data_v2.yaml#77
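The failure mode described in this report, modelled as an added example (this is not code from tripleo-heat-templates or from the reporter): when one firewall rule per subnet is merged into a rule dictionary under a fixed key, every subnet after the first overwrites the previous entry, so only one accept rule survives and the remaining subnets fall through to the default drop. Keying the rule by subnet name keeps all of them. The subnet list, the OVN DB port numbers and the rule names are constructed sample values, and the rendered iptables line format is illustrative only.

```python
"""
Added example: per-subnet firewall rules lost through a fixed-key merge,
and the per-subnet keying that preserves them. All data below is constructed.
"""
from typing import Dict, List

# Constructed sample: a routed (spine/leaf) network with several subnets.
INTERNAL_API_SUBNETS = [
    {"name": "internal_api_subnet", "ip_subnet": "172.16.2.0/24"},
    {"name": "internal_api_leaf1", "ip_subnet": "172.16.12.0/24"},
    {"name": "internal_api_leaf2", "ip_subnet": "172.16.22.0/24"},
]

# Hypothetical OVN DB listener ports (sample values, not from the report).
OVN_DB_PORTS = [6641, 6642]


def buggy_rules(subnets: List[dict]) -> Dict[str, dict]:
    """One rule per subnet, but each stored under the same fixed key.

    dict.update() replaces the existing entry, so only the last subnet's
    rule survives the merge.
    """
    rules: Dict[str, dict] = {}
    for subnet in subnets:
        rules.update({
            "ovn-dbs-ssl": {  # fixed name: later subnets overwrite earlier ones
                "proto": "tcp",
                "dport": OVN_DB_PORTS,
                "source": subnet["ip_subnet"],
                "action": "accept",
            }
        })
    return rules


def fixed_rules(subnets: List[dict]) -> Dict[str, dict]:
    """One rule per subnet, keyed by a name that includes the subnet name."""
    rules: Dict[str, dict] = {}
    for subnet in subnets:
        rules[f"ovn-dbs-ssl-{subnet['name']}"] = {
            "proto": "tcp",
            "dport": OVN_DB_PORTS,
            "source": subnet["ip_subnet"],
            "action": "accept",
        }
    return rules


def to_iptables(rules: Dict[str, dict]) -> List[str]:
    """Render the rule dict as iptables-style lines (illustrative format)."""
    lines = []
    for name, rule in sorted(rules.items()):
        ports = ",".join(str(p) for p in rule["dport"])
        lines.append(
            f"-A INPUT -s {rule['source']} -p {rule['proto']} -m multiport "
            f"--dports {ports} -m comment --comment \"{name}\" -j ACCEPT"
        )
    return lines


def uncovered_subnets(rules: Dict[str, dict], subnets: List[dict]) -> List[str]:
    """Subnets with no accept rule: with a default-drop policy their DB traffic is blocked."""
    allowed = {r["source"] for r in rules.values() if r["action"] == "accept"}
    return [s["ip_subnet"] for s in subnets if s["ip_subnet"] not in allowed]


if __name__ == "__main__":
    for label, builder in (("buggy", buggy_rules), ("fixed", fixed_rules)):
        rules = builder(INTERNAL_API_SUBNETS)
        print(f"== {label}: {len(rules)} rule(s) ==")
        for line in to_iptables(rules):
            print(line)
        print("uncovered:", uncovered_subnets(rules, INTERNAL_API_SUBNETS))
```

Running it shows the buggy merge keeping only the last leaf subnet's accept rule while the first two subnets are reported as uncovered; the fixed version yields one accept rule per subnet and an empty uncovered list. The `uncovered_subnets` check is the kind of assertion worth adding to a deployment validation step for multi-subnet TLS environments.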

Comment 7 Jason Paroly 2022-09-09 14:34:36 UTC
*** Bug 2123404 has been marked as a duplicate of this bug. ***

Comment 9 Jason Paroly 2022-09-09 20:20:08 UTC
*** Bug 2123166 has been marked as a duplicate of this bug. ***

Comment 15 errata-xmlrpc 2022-09-21 12:24:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543
