Fuel for OpenStack

[upgrade] Restarting of iptables after upgrade breakes ports forwarding

Bug #1343216 reported by Artem Panchenko on 2014-07-17

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Fuel for OpenStack	Fix Released	Medium	Evgeniy L	Fuel for OpenStack 5.1

Bug Description

api: '1.0'
astute_sha: 9a74b788be9a7c5682f1c52a892df36e4766ce3f
build_id: 2014-07-16_21-15-18
build_number: '133'
fuellib_sha: 2d1e1369c13bc9771e9473086cb064d257a21fc2
fuelmain_sha: 069686abb90f458f67cfcb4018cacc19971e4b4d
mirantis: 'yes'
nailgun_sha: 1d08d6f80b6514085dd8c0af4d437ef5d37e2802
ostf_sha: 09b6bccf7d476771ac859bb3c76c9ebec9da9e1f
production: docker
release: 5.0.1

Steps to reproduce:

1. Setup Fuel 5.0
2. Upgrade it to 5.0.1 using 'fuel-5.0-upgrade-133-2014-07-16_21-15-18.tar'
3. Check services - everything works fine
4. Restart firewall: service iptables restart

Expected result:

- nothing changed, all services are accessible

Actual:

- some of services became inaccessible

I found out that after upgrade iptables rules stored in /etc/sysconfig/iptables.save wasn't updated (DOCKER chain), but internal IP addresses of containers were changed and new ports redirections were added. I guess we need to execute 'service iptables save' after upgrade (when all containers are running) or perform saving of rules after each container start.

Firewall rules after Fuel upgrade:

http://paste.openstack.org/show/86912/

Tags:

Dmitry Ilyin (idv1985) on 2014-07-17

summary:

- [Fuel Upgrade] Restarting of iptables after upgrade brakes ports
- forwarding
+ [upgrade] Restarting of iptables after upgrade brakes ports forwarding

Vladimir Kuklin (vkuklin) on 2014-07-17

summary:

- [upgrade] Restarting of iptables after upgrade brakes ports forwarding
+ [upgrade] Restarting of iptables after upgrade breakes ports forwarding

Evgeniy L (rustyrobot) on 2014-07-17

tags:

added: upgrade
removed: fuel-upgrade

Revision history for this message

Evgeniy L (rustyrobot) wrote on 2014-07-17:

Reduced priority since it will affect user if he restarts firewall manually.
Also removed from 5.0 release since it is not critical.

no longer affects:

fuel/5.0.x

Dmitry Pyzhov (dpyzhov) on 2014-07-17

no longer affects:

fuel/5.1.x

Revision history for this message

Evgeniy L (rustyrobot) wrote on 2014-07-30:

Moved to 6.0 because of soft code freeze.

Changed in fuel:
milestone:	5.1 → 6.0

Revision history for this message

Evgeniy L (rustyrobot) wrote on 2014-08-28:

I believe it was fixed in this ticket
https://bugs.launchpad.net/fuel/+bug/1349287

Now we save iptables rules after upgrade.
https://review.openstack.org/#/c/116905/1/fuel_upgrade_system/fuel_upgrade/fuel_upgrade/engines/docker_engine.py

Changed in fuel:
status:	Confirmed → Fix Committed
milestone:	6.0 → 5.1
assignee:	Fuel Python Team (fuel-python) → Evgeniy L (rustyrobot)

Revision history for this message

Andrey Sledzinskiy (asledzinskiy) wrote on 2014-09-23:

verified on fuel-5.1-upgrade-11-2014-09-17_21-40-34.tar.lrz

Changed in fuel:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.