iptables rules are missing from haproxy when horizon is split off to separate role

Bug #1808530 reported by Michele Baldessari
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Michele Baldessari

Bug Description

This should have been fixed via:
https://review.openstack.org/#/c/460175/2

where we did:

    service_config_settings:
      haproxy:
        tripleo.horizon.firewall_rules:
          '127 horizon':
            dport:
              - 80
              - 443

The problem is that the above does not work. The reason for this is the way tripleo::firewall works.
It will only apply iptables rules for services that show up in hiera('service_names'):

    $service_names = hiera('service_names', [])
    tripleo::firewall::service_rules { $service_names: }
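
An added example, not part of the bug report or of the TripleO code base: a simplified Python model of the lookup described above, plus a check that lists `tripleo.<service>.firewall_rules` keys that will never be applied because the service is absent from `service_names`. The hiera data is constructed, and the mapping from a service name to the key `tripleo.<name>.firewall_rules` is an assumption inferred from the key shown in the report.

```python
import re

# Key shape taken from the report: tripleo.horizon.firewall_rules
KEY_RE = re.compile(r"^tripleo\.(?P<service>[^.]+)\.firewall_rules$")


def applied_rules(hiera):
    """Model of the quoted loop: only names in service_names are consulted."""
    rules = {}
    for name in hiera.get("service_names", []):
        # Assumed lookup per service; a missing key yields no rules.
        rules.update(hiera.get(f"tripleo.{name}.firewall_rules", {}))
    return rules


def orphaned_rule_keys(hiera):
    """Firewall-rule keys present in hiera whose service is not in
    service_names, i.e. rules that are defined but silently never applied."""
    names = set(hiera.get("service_names", []))
    orphans = {}
    for key, value in hiera.items():
        match = KEY_RE.match(key)
        if match and match.group("service") not in names:
            orphans[key] = sorted(value)
    return orphans


# Constructed hiera data for a role that runs haproxy but not horizon.
# The horizon key is what service_config_settings delivers to this role.
HAPROXY_ROLE = {
    "service_names": ["haproxy", "pacemaker"],
    "tripleo.haproxy.firewall_rules": {
        "199 haproxy example": {"dport": 8080},  # constructed rule
    },
    "tripleo.horizon.firewall_rules": {
        "127 horizon": {"dport": [80, 443]},
    },
}

if __name__ == "__main__":
    print("applied:", sorted(applied_rules(HAPROXY_ROLE)))
    print("orphaned:", orphaned_rule_keys(HAPROXY_ROLE))
```

Run against a role's merged hiera data, a non-empty result from `orphaned_rule_keys` points at ports that were meant to be opened but have no matching iptables rule.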

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/625258

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/625258
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=3114300c9cd922998d426e4d33269a9fc96630c0
Submitter: Zuul
Branch: master

commit 3114300c9cd922998d426e4d33269a9fc96630c0
Author: Michele Baldessari <email address hidden>
Date: Fri Dec 14 14:40:08 2018 +0100

    Fix horizon's iptables rules for haproxy when split off a separate role

    This should have been fixed via:
    https://review.openstack.org/#/c/460175/2

    where we did:
    service_config_settings:
      haproxy:
        tripleo.horizon.firewall_rules:
         '127 horizon':
            dport:
              - 80
              - 443

    The problem is that the above does not work. The reason for this is the way
    tripleo::firewall works. It will only apply iptables rules for services that
    show up in hiera('service_names'):
        $service_names = hiera('service_names', [])
        tripleo::firewall::service_rules { $service_names: }

    And since horizon is not in the service running on the haproxy role, the
    above rule would never have been created.

    Tested this change and now I correctly get the iptables rules on the
    haproxy role for horizon:
    [root@overcloud-core-0 ~]# iptables -nvL |grep horizon
        0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW /* 127 horizon ipv4 */
    [root@overcloud-core-0 ~]# hiera -c /etc/puppet/hiera.yaml service_names |grep horizon
    [root@overcloud-core-0 ~]#

    Closes-Bug: #1808530

    Change-Id: Ia4a795d1a7fb926f5900c739c1932b20d81ed7fc
    Co-Authored-By: Damien Ciabrini <email address hidden>

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/625598

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/625600

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/rocky)

Reviewed: https://review.openstack.org/625598
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=e770e364fb0840d1f192530af8ec453f118327eb
Submitter: Zuul
Branch: stable/rocky

commit e770e364fb0840d1f192530af8ec453f118327eb
Author: Michele Baldessari <email address hidden>
Date: Fri Dec 14 14:40:08 2018 +0100

    Fix horizon's iptables rules for haproxy when split off a separate role

    This should have been fixed via:
    https://review.openstack.org/#/c/460175/2

    where we did:
    service_config_settings:
      haproxy:
        tripleo.horizon.firewall_rules:
         '127 horizon':
            dport:
              - 80
              - 443

    The problem is that the above does not work. The reason for this is the way
    tripleo::firewall works. It will only apply iptables rules for services that
    show up in hiera('service_names'):
        $service_names = hiera('service_names', [])
        tripleo::firewall::service_rules { $service_names: }

    And since horizon is not in the service running on the haproxy role, the
    above rule would never have been created.

    Tested this change and now I correctly get the iptables rules on the
    haproxy role for horizon:
    [root@overcloud-core-0 ~]# iptables -nvL |grep horizon
        0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW /* 127 horizon ipv4 */
    [root@overcloud-core-0 ~]# hiera -c /etc/puppet/hiera.yaml service_names |grep horizon
    [root@overcloud-core-0 ~]#

    Closes-Bug: #1808530

    Change-Id: Ia4a795d1a7fb926f5900c739c1932b20d81ed7fc
    Co-Authored-By: Damien Ciabrini <email address hidden>
    (cherry picked from commit 3114300c9cd922998d426e4d33269a9fc96630c0)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.openstack.org/625600
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=3f8ce6fd96bc4f28a052b4c87a19b4b152734091
Submitter: Zuul
Branch: stable/queens

commit 3f8ce6fd96bc4f28a052b4c87a19b4b152734091
Author: Michele Baldessari <email address hidden>
Date: Fri Dec 14 14:40:08 2018 +0100

    Fix horizon's iptables rules for haproxy when split off a separate role

    This should have been fixed via:
    https://review.openstack.org/#/c/460175/2

    where we did:
    service_config_settings:
      haproxy:
        tripleo.horizon.firewall_rules:
         '127 horizon':
            dport:
              - 80
              - 443

    The problem is that the above does not work. The reason for this is the way
    tripleo::firewall works. It will only apply iptables rules for services that
    show up in hiera('service_names'):
        $service_names = hiera('service_names', [])
        tripleo::firewall::service_rules { $service_names: }

    And since horizon is not in the service running on the haproxy role, the
    above rule would never have been created.

    Tested this change and now I correctly get the iptables rules on the
    haproxy role for horizon:
    [root@overcloud-core-0 ~]# iptables -nvL |grep horizon
        0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW /* 127 horizon ipv4 */
    [root@overcloud-core-0 ~]# hiera -c /etc/puppet/hiera.yaml service_names |grep horizon
    [root@overcloud-core-0 ~]#

    Closes-Bug: #1808530

    Change-Id: Ia4a795d1a7fb926f5900c739c1932b20d81ed7fc
    Co-Authored-By: Damien Ciabrini <email address hidden>
    (cherry picked from commit 3114300c9cd922998d426e4d33269a9fc96630c0)
    (cherry picked from commit e770e364fb0840d1f192530af8ec453f118327eb)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 9.2.0

This issue was fixed in the openstack/tripleo-heat-templates 9.2.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 10.3.0

This issue was fixed in the openstack/tripleo-heat-templates 10.3.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 8.3.0

This issue was fixed in the openstack/tripleo-heat-templates 8.3.0 release.
