Bug 2272006 - iptables on the undercloud not starting due to neutron rules
Summary: iptables on the undercloud not starting due to neutron rules
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: tripleo-ansible
Version: 17.1 (Wallaby)
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: z3
: 17.1
Assignee: Luca Miccini
QA Contact: Archana Singh
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-03-28 06:17 UTC by Luca Miccini
Modified: 2024-05-22 20:42 UTC (History)
6 users

Fixed In Version: tripleo-ansible-3.3.1-17.1.20231101230829.el9ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-05-22 20:42:56 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Issue Tracker OSP-31774 (last updated 2024-03-28 06:21:56 UTC)
Red Hat Product Errata RHSA-2024:2736 (last updated 2024-05-22 20:42:58 UTC)

Description Luca Miccini 2024-03-28 06:17:08 UTC
This bug was initially created as a copy of Bug #2264884

I am copying this bug because: 

With rhbz#2264884 we addressed the overcloud side; this bz is targeting the undercloud.

Description of problem:

After upgrading from RHOSP 16.2.4 to 17.1.2, iptables does not start automatically on the undercloud after reboot.
The iptables service is not starting due to the presence of neutron rules in the startup config.

Version-Release number of selected component (if applicable):

RHOSP 17.1
tripleo-ansible-3.3.1-17.1.20231101230827.el9ost

Comment 2 Luca Miccini 2024-03-28 06:20:29 UTC
Undercloud /etc/sysconfig/iptables still contains lines like:

-A neutron-openvswi-FORWARD -m physdev --physdev-out tape44bd7aa-b1 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-in tape44bd7aa-b1 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP


In tripleo_firewall we have these tasks:

    - name: Find non-persistent rules
      shell: grep -El 'comment.*(neutron-|ironic-inspector)' /etc/sysconfig/iptables* /etc/sysconfig/ip6tables*
      failed_when: false
      changed_when: false
      register: neutron_rules

    - name: Remove non-persistent line(s)
      lineinfile:
        path: "{{ item }}"
        state: absent
        regexp: '^((?!.*comment)(?=.*(ironic-inspector|neutron-)))'
      when:
        - not ansible_check_mode|bool
        - item.find('v=' ~ '^/') == -1
      loop: "{{ neutron_rules.stdout_lines }}"

Unfortunately these only catch the rules with comments, so we either need to relax the regexes like:

shell: grep -El '*(neutron-|ironic-inspector)' /root/iptables*
regexp: '(?=.*(ironic-inspector|neutron-))'

or add additional tasks that only remove the aforementioned entries.

Comment 4 Luca Miccini 2024-03-28 10:44:02 UTC
Workaround:

sudo sed -i '/neutron-openvswi/d' /etc/sysconfig/iptables; sudo systemctl restart iptables
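
An added example (not part of the bug report or of tripleo-ansible) that emulates the two tripleo_firewall tasks from comment 2 and the sed workaround from comment 4 in Python's `re`, against a constructed /etc/sysconfig/iptables containing the three stale rules quoted above. It assumes the relaxed grep pattern's leading `*` was meant as "match anywhere", so it is emulated as `(neutron-|ironic-inspector)`.

```python
import re

# Constructed sample of an undercloud /etc/sysconfig/iptables after the
# 16.2 -> 17.1 upgrade: one persistent rule that must survive, plus the three
# stale neutron rules quoted in comment 2 (their comment text never contains
# the string "neutron-").
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "000 accept ssh" -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-out tape44bd7aa-b1 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-openvswi-FORWARD -m physdev --physdev-in tape44bd7aa-b1 --physdev-is-bridged -m comment --comment "Accept all packets when port is trusted." -j ACCEPT
-A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
COMMIT
"""

# Patterns from the tripleo_firewall tasks quoted in comment 2.
FIND_RE = re.compile(r"comment.*(neutron-|ironic-inspector)")  # grep -El
REMOVE_RE = re.compile(r"^((?!.*comment)(?=.*(ironic-inspector|neutron-)))")  # lineinfile
# Relaxed patterns proposed in comment 2 (assumption: the grep pattern's
# leading '*' is dropped, i.e. match the chain prefix anywhere on the line).
RELAXED_FIND_RE = re.compile(r"(neutron-|ironic-inspector)")
RELAXED_REMOVE_RE = re.compile(r"(?=.*(ironic-inspector|neutron-))")
# Workaround from comment 4: sed '/neutron-openvswi/d'
WORKAROUND_RE = re.compile(r"neutron-openvswi")


def cleanup(content, find_re, remove_re):
    """Emulate the two tasks: the file is only processed when some line
    matches find_re (grep -l); then every line matching remove_re is dropped
    (lineinfile state=absent). Returns (kept_lines, removed_lines)."""
    lines = content.splitlines()
    if not any(find_re.search(line) for line in lines):
        return lines, []  # file never selected, nothing removed
    kept = [line for line in lines if not remove_re.search(line)]
    removed = [line for line in lines if remove_re.search(line)]
    return kept, removed


def workaround(content):
    """Emulate the sed one-liner: delete every line mentioning neutron-openvswi."""
    return [line for line in content.splitlines() if not WORKAROUND_RE.search(line)]


if __name__ == "__main__":
    _, removed_current = cleanup(SAMPLE_IPTABLES, FIND_RE, REMOVE_RE)
    print("current tasks removed:", len(removed_current))  # 0: stale rules survive
    kept, removed_relaxed = cleanup(SAMPLE_IPTABLES, RELAXED_FIND_RE, RELAXED_REMOVE_RE)
    print("relaxed tasks removed:", len(removed_relaxed))  # 3
    print("workaround agrees:", workaround(SAMPLE_IPTABLES) == kept)  # True
```

With the original patterns the file is never even selected, because "neutron-" appears before "-m comment" on each line rather than after it, which is why the rules survive a reboot.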

Comment 18 errata-xmlrpc 2024-05-22 20:42:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: openstack-tripleo-heat-templates and tripleo-ansible update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:2736

