pulling containers is failing the overcloud deployment
Bug #1803024 reported by
wes hayutin
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| tripleo |
Fix Released
|
Critical
|
Alex Schultz | ||
Bug Description
This must be a infra issue, but not quite sure what yet. People need to see this is happening quite a bit so adding the alert tag and passing to ruck/rovers. It would be great if we could get a checked in elastic-recheck query checked in.
| Changed in tripleo: | |
| milestone: | none → stein-2 |
Revision history for this message
| Alex Schultz (alex-schultz) wrote | #1 |
Download full text (9.2 KiB)
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Related fix proposed to tripleo-heat-templates (master) | #2 |
Revision history for this message
| chandan kumar (chkumar246) wrote | #3 |
| Changed in tripleo: | |
| status: | Triaged → Fix Released |
| Changed in tripleo: | |
| assignee: | nobody → Alex Schultz (alex-schultz) |
To post a comment you must log in.
I think this might be related to the puppet 5.5.6 update. I'm seeing the iptables rules not being properly applied.
Under puppet 5.5.6 the iptables on the undercloud looks like:
# Generated by iptables-save v1.4.21 on Tue Nov 13 00:53:34 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:68]
:openstack-INPUT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "000 accept related established rules ipv4" -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m comment --comment "001 accept all icmp ipv4" -j ACCEPT
-A INPUT -i lo -m state --state NEW -m comment --comment "002 accept all to lo interface ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "003 accept ssh ipv4" -j ACCEPT
-A INPUT -s 198.72.124.180/32 -j ACCEPT
-A INPUT -s 198.72.124.178/32 -j ACCEPT
-A INPUT -j openstack-INPUT
-A INPUT -m state --state NEW -m limit --limit 20/min --limit-burst 15 -m comment --comment "998 log all ipv4" -j LOG
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A openstack-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 19885 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p udp -m udp --dport 69 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 6385 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 80 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8000 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8003 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8004 -j ACCEPT
-A openstack-INPUT -m limit --limit 2/min -j LOG --log-prefix "iptables dropped: "
-A openstack-INPUT -j REJECT --reject-with icmp-host-
COMMIT
# Completed on Tue Nov 13 00:53:34 2018
But under 4.8.2, it's:
Generated by iptables-save v1.4.21 on Mon Nov 12 19:27:19 2018
*nat
:PREROUTING ACCEPT [2:64]
:INPUT ACCEPT [2:64]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 169.254.169.254/32 -i br-ct...