Wrong iptables rules for keystone ports
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Fuel for OpenStack |
Fix Released
|
High
|
Aleksandr Didenko | ||
Bug Description
Puppet creates wrong iptables rules for keystone ports, there's only one management network in rule and it's in destination, not in source:
ACCEPT tcp -- 0.0.0.0/0 10.144.2.0/24 multiport ports 5000,35357 /* 102 keystone */
We should change:
firewall {'102 keystone':
port => [$keystone_
proto => 'tcp',
action => 'accept',
destination => get_routable_
}
to
openstack:
port => [$keystone_
proto => 'tcp',
action => 'accept',
source_nets => get_routable_
}
in firewall.pp task, it's the only rule that was improperly converted to get_routable_
Steps to reproduce:
1. Deploy multirack env
2. Check that "102 keystone" iptables rule exist for every management network
| OpenStack Infra (hudson-openstack) wrote Fix proposed to fuel-library (master) | #1 |
| Changed in fuel: | |
| status: | New → In Progress |
| OpenStack Infra (hudson-openstack) wrote Fix merged to fuel-library (master) | #2 |
| Changed in fuel: | |
| status: | In Progress → Fix Committed |
| tags: | added: on-verification |
| Tatyanka (tatyana-leontovich) wrote | #3 |
| tags: | removed: on-verification |
| Changed in fuel: | |
| status: | Fix Committed → Fix Released |
Fix proposed to branch: master
Review: https:/