[swarm] Firewall vulnerability detected. Several unused ports can be accessed on slave.

Bug #1613568 reported by Andrey Lavrentyev
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Fuel for OpenStack | Confirmed | Medium | Fuel QA Team |
Mitaka | Invalid | Medium | Fuel QA Team |
Newton | Confirmed | Medium | Fuel QA Team |

Bug Description

Detailed bug description:
Exception: Firewall vulnerability detected. Unused port 2621/tcp can be accessed on slave-02_compute (node-1) node. Check /var/tmp/iptables_check_file.old and /var/tmp/iptables_check_file.dump files on the node for details

Traceback: http://paste.openstack.org/show/558190/

Swarm failure: https://product-ci.infra.mirantis.net/job/9.x.system_test.ubuntu.thread_1/13/testReport/%28root%29/ha_one_controller_neutron_warm_restart/

Similar issues:
- https://bugs.launchpad.net/fuel/+bug/1524864
- https://bugs.launchpad.net/fuel/+bug/1378745

Steps to reproduce:
Execute '' test with the following steps:
1. Create cluster
2. Add 1 node with controller role
3. Add 1 node with compute role
4. Deploy the cluster
5. Run network verification
6. Run OSTF
7. Warm restart
8. Wait for HA services to be ready
9. Wait for OS services to be ready
10. Wait for Galera is up
11. Verify firewall rules << FAILED HERE
12. Run network verification
13. Run OSTF

Expected results:
Firewall rules verification is a success

Actual result:
Firewall rules verification failure

Impact:
Swarm failure

Description of the environment:
9.1 snapshot #140

MOS_CENTOS_OS_MIRROR_ID: os-2016-06-23-135731
MOS_CENTOS_PROPOSED_MIRROR_ID: proposed-2016-08-15-172323
MOS_CENTOS_UPDATES_MIRROR_ID: updates-2016-06-23-135916
MOS_CENTOS_HOLDBACK_MIRROR_ID: holdback-2016-06-23-140047
MOS_UBUNTU_MIRROR_ID: 9.0-2016-08-15-132321
UBUNTU_MIRROR_ID: ubuntu-2016-08-03-174238
CENTOS_MIRROR_ID: centos-7.2.1511-2016-05-31-083834

Log will be attached as soon as it's available

Tags: area-qa
tags: added: area-library
Oleksiy Molchanov (omolchanov) wrote :

It is normal behaviour, because you are sending traffic within a single VM and it goes through lo.

And we have a rule that is accepting all traffic through lo.
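
The point made in the comment above, as an added example that is not part of the original thread or of the fuel-qa code: a small first-match evaluator for the filter INPUT chain, showing that a probe to 2621/tcp sent from the node itself arrives on lo and is accepted, while the same probe from a peer is dropped. The rule set is constructed, the peer-facing interface name `eth0` is an assumption, and the parser only understands `-i`, `-p`, `--dport`/`--dports`, `--state` and terminal targets, refusing anything else.

```python
import shlex

# Constructed iptables-save excerpt; NOT the dump from the node in this report.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
"""
KNOWN = {"-i", "-p", "-m", "-j", "--dport", "--dports", "--state"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_input_chain(dump):
    """Return (default_policy, rules) for the filter INPUT chain."""
    policy, rules = "ACCEPT", []
    for line in dump.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            tok = shlex.split(line)[2:]
            opt = dict(zip(tok[::2], tok[1::2]))
            if set(opt) - KNOWN or opt.get("-j") not in TERMINAL:
                raise ValueError("unsupported rule, refusing to guess: " + line)
            spec = opt.get("--dport") or opt.get("--dports")
            rules.append({
                "iface": opt.get("-i"), "proto": opt.get("-p"),
                "ports": {int(p) for p in spec.split(",")} if spec else None,
                # A fresh probe is a NEW connection; state-only rules skip it.
                "new_ok": "NEW" in opt.get("--state", "NEW").split(","),
                "target": opt["-j"],
            })
    return policy, rules

def verdict(policy, rules, iface, proto, dport):
    """First-match verdict for a NEW connection arriving on `iface`."""
    for r in rules:
        if (r["iface"] in (None, iface) and r["proto"] in (None, proto)
                and r["new_ok"]
                and (r["ports"] is None or dport in r["ports"])):
            return r["target"]
    return policy

def probe_report(dump, proto, dport, ifaces=("lo", "eth0")):
    """Compare a probe sent from the node itself (lo) with one from a peer (eth0)."""
    policy, rules = parse_input_chain(dump)
    return {i: verdict(policy, rules, i, proto, dport) for i in ifaces}
```

`probe_report(SAMPLE_RULES, "tcp", 2621)` gives ACCEPT for lo and DROP for eth0, so a port check is only meaningful when the probe originates on a different host than the one being checked.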

tags: added: area-qa
removed: area-library
tags: removed: area-qa
Alexey Shtokolov (ashtokolov) wrote :

Please check again Oleksiy's comment

tags: added: area-qa
Changed in fuel:
assignee: Fuel Sustaining (fuel-sustaining-team) → Fuel QA Team (fuel-qa)
Nastya Urlapova (aurlapova) wrote :