Bug #1829338: horizon haproxy firewall rules shadow haproxy stats iptables rule
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Fix Released | High | Michele Baldessari |
Bug Description
Things broke with https:/
The reason that was pushed is that in composable roles, when splitting off horizon off from where haproxy runs, we would not have the proper iptables rules on the haproxy role. This was due to the fact that we had the following code:
service_
  haproxy:
    '127 horizon':
      - 80
      - 443
The code never worked as explained in 3f8ce6fd96bc4f2
outputs:
  role_data:
    description: Role data for the HAproxy role.
    value:
      service_name: haproxy
      monitorin
      config_
        map_merge:
          - tripleo.
              '107 haproxy stats':
And since hiera will return the horizon settings for tripleo.
Rules for haproxy need to happen in puppet-
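To make the shadowing mechanism concrete, here is an added Python model (example code, not TripleO's and not the reporter's) of the two ways a `tripleo.haproxy.firewall_rules` hiera key can be resolved when two data sources set it. The rule names and ports are the ones in the bug description; the stats port (1993), the lookup order (horizon's data consulted before haproxy's, which is what the report observes) and all helper names are assumptions made for illustration.

```python
"""Added example (not TripleO code): how one hiera key set from two places
shadows rules. Rule names and ports come from the bug; the stats port (1993),
the lookup order and all helper names are assumptions made for illustration."""
from copy import deepcopy
from typing import Any, Dict, List, Optional

Hiera = Dict[str, Any]
KEY = "tripleo.haproxy.firewall_rules"

# Constructed: haproxy's own role_data config_settings (before the fix).
HAPROXY_OWN: Hiera = {KEY: {"107 haproxy stats": {"dport": 1993}}}

# Constructed: what horizon pushed onto the haproxy role through
# service_config_settings before the fix (80/443 as in the bug description).
HORIZON_PUSHED: Hiera = {KEY: {"127 horizon": {"dport": [80, 443]}}}

# Constructed: after the fix horizon pushes nothing, and haproxy carries its
# own horizon rules (names as in the iptables output of the fix commit).
HAPROXY_FIXED: Hiera = {KEY: {
    "100 horizon_haproxy": {"dport": 80},
    "100 horizon_haproxy_ssl": {"dport": 443},
    "107 haproxy stats": {"dport": 1993},
}}
HORIZON_FIXED: Hiera = {}


def first_found(key: str, *sources: Hiera) -> Optional[Dict[str, Any]]:
    """Hiera's default strategy: the first source holding the key wins as a
    whole, so every rule in the lower-priority source is lost."""
    for src in sources:
        if key in src:
            return deepcopy(src[key])
    return None


def hash_merge(key: str, *sources: Hiera) -> Dict[str, Any]:
    """Top-level hash merge: every source contributes its rule names; only a
    rule with the same name in a later source replaces an earlier one."""
    merged: Dict[str, Any] = {}
    for src in sources:
        merged.update(deepcopy(src.get(key, {})))
    return merged


def missing_rules(rules: Optional[Dict[str, Any]], expected: List[str]) -> List[str]:
    """Names from `expected` that are absent from the resolved rule set."""
    present = rules or {}
    return [name for name in expected if name not in present]


def resolved_before_fix() -> Dict[str, Any]:
    # Assumed order: horizon's pushed data is seen first, as the report observes.
    return first_found(KEY, HORIZON_PUSHED, HAPROXY_OWN) or {}


def resolved_after_fix() -> Dict[str, Any]:
    return first_found(KEY, HORIZON_FIXED, HAPROXY_FIXED) or {}


if __name__ == "__main__":
    print("before fix, missing:", missing_rules(resolved_before_fix(), ["107 haproxy stats"]))
    print("hash merge would give:", sorted(hash_merge(KEY, HORIZON_PUSHED, HAPROXY_OWN)))
    print("after fix, missing:", missing_rules(resolved_after_fix(),
          ["100 horizon_haproxy", "100 horizon_haproxy_ssl", "107 haproxy stats"]))
```

The point of the model is that the rule names never collide: `'127 horizon'` and `'107 haproxy stats'` would coexist under any per-rule merge, and the stats rule only disappears because the whole value of the key is replaced. Moving haproxy's rules into puppet-tripleo, as the fix does, removes the second writer of the key rather than relying on a merge strategy.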
OpenStack Infra (hudson-openstack) wrote (#1): Related fix proposed to puppet-tripleo (master)
Changed in tripleo: status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote (#2): Fix proposed to tripleo-heat-templates (master)
Fix proposed to branch: master
Review: https:/
OpenStack Infra (hudson-openstack) wrote (#3): Related fix merged to puppet-tripleo (master)
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 6c2e164adaa0bf0
Author: Michele Baldessari <email address hidden>
Date: Thu May 16 09:12:50 2019 +0200
Fix horizon firewall rules in composable roles
Atm horizon haproxy firewall rules obfuscate any other rule defined via
the tripleo.
Things broke with https:/
that was pushed is that in composable roles, when splitting off horizon
away from where haproxy runs, we would not have the proper iptables rules
on the haproxy role. This was due to the fact that we had
the following code:
The above code never worked as explained in
3f8ce6fd96b
the proper tripleo.
for haproxy should just never have been set at all via
service_
this bug, the merging of hiera dictionaries will mess us up and we'll
end up overwriting other keys. Haproxy stats access has this:
    outputs:
      role_data:
        value:
          - tripleo.
And since hiera will return the horizon settings for
tripleo.
firewall rules from haproxy stats and so rule '107 haproxy stats' will
never be present.
Rules for haproxy need to happen in puppet-
Normally they do, the exception is horizon which uses a specialized
horizon_
Let's create the firewall rules in haproxy/
do for all other endpoints.
Tested and correctly got:
[root@
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80 state NEW /* 100 horizon_haproxy ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 443 state NEW /* 100 horizon_haproxy_ssl ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW /* 126 horizon ipv4 */
Change-Id: I1325171ef60d7a
Related-Bug: #1829338
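As an added check (not part of the fix or of the project), the following Python parses `iptables -nvL` output such as the lines quoted in the commit above and reports which expected haproxy-role rules are missing, so a deployer can verify the result rather than eyeball the INPUT chain. The after-fix sample is constructed from the three reported lines plus an assumed `107 haproxy stats` line on port 1993; the before-fix sample follows the bug description (only a `127 horizon` rule present). Function names and the expected-rule table are assumptions.

```python
"""Added example (not TripleO code): verify haproxy-role firewall rules from
`iptables -nvL` output by the puppet rule comments. Samples are constructed;
the stats port 1993 and the helper names are assumptions."""
import re
from typing import Dict, List, Tuple

# Constructed: after the fix (three lines as reported, plus an assumed stats rule).
SAMPLE_AFTER_FIX = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80 state NEW /* 100 horizon_haproxy ipv4 */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 443 state NEW /* 100 horizon_haproxy_ssl ipv4 */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1993 state NEW /* 107 haproxy stats ipv4 */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 state NEW /* 126 horizon ipv4 */
"""

# Constructed: before the fix, only the rule horizon pushed via service_config_settings.
SAMPLE_BEFORE_FIX = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 state NEW /* 127 horizon ipv4 */
"""

# Assumed expectation for the haproxy role: both horizon ports and the stats port.
EXPECTED_HAPROXY_ROLE: Dict[str, List[int]] = {
    "100 horizon_haproxy": [80],
    "100 horizon_haproxy_ssl": [443],
    "107 haproxy stats": [1993],
}

# One rule line: counters, target, protocol, then either a multiport list or a
# single dpt:, then the puppet comment (rule name plus an ipv4/ipv6 suffix).
RULE_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<target>\S+)\s+(?P<proto>\S+).*?"
    r"(?:multiport dports (?P<mports>[\d,]+)|dpt:(?P<dport>\d+)).*?"
    r"/\*\s*(?P<comment>.+?)\s*\*/"
)


def parse_rules(output: str) -> Dict[str, Tuple[str, List[int]]]:
    """Map rule name (comment without the ipv4/ipv6 suffix) to (target, sorted dports)."""
    rules: Dict[str, Tuple[str, List[int]]] = {}
    for line in output.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue  # chain header, column header, or a rule without a port match
        ports = m.group("mports") or m.group("dport")
        dports = sorted(int(p) for p in ports.split(","))
        name = re.sub(r"\s+ipv[46]$", "", m.group("comment"))
        rules[name] = (m.group("target"), dports)
    return rules


def missing_accepts(output: str, expected: Dict[str, List[int]]) -> List[str]:
    """Expected rule names that are absent, not ACCEPT, or open the wrong ports."""
    rules = parse_rules(output)
    missing = []
    for name, ports in expected.items():
        got = rules.get(name)
        if got is None or got[0] != "ACCEPT" or got[1] != sorted(ports):
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("before fix, missing:", missing_accepts(SAMPLE_BEFORE_FIX, EXPECTED_HAPROXY_ROLE))
    print("after fix, missing: ", missing_accepts(SAMPLE_AFTER_FIX, EXPECTED_HAPROXY_ROLE))
```

Run it against a real node with `iptables -nvL INPUT` piped into `missing_accepts`; checking by the puppet comment rather than by port position makes the check stable across rule renumbering (the horizon rule is `127` in the description and `126` in the reported output).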
Changed in tripleo: status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote (#4): Fix merged to tripleo-heat-templates (master)
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 114e5778f95d51e
Author: Michele Baldessari <email address hidden>
Date: Thu May 16 09:16:51 2019 +0200
Remove the iptables rules set via service_
This breaks the rules for the haproxy stats access because it
shadows them. Let's remove these rules and move the iptables
rules for haproxy in puppet-tripleo where they should have
been in the first place, like for all other services.
Depends-On: I1325171ef60d7a
Change-Id: I2f177c930567b3
Closes-Bug: #1829338
OpenStack Infra (hudson-openstack) wrote (#5): Related fix proposed to puppet-tripleo (stable/stein)
Related fix proposed to branch: stable/stein
Review: https:/
OpenStack Infra (hudson-openstack) wrote (#6): Fix proposed to tripleo-heat-templates (stable/stein)
Fix proposed to branch: stable/stein
Review: https:/
OpenStack Infra (hudson-openstack) wrote (#7): Related fix merged to puppet-tripleo (stable/stein)
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit f58d8af343c24a7
Author: Michele Baldessari <email address hidden>
Date: Thu May 16 09:12:50 2019 +0200
Fix horizon firewall rules in composable roles
Atm horizon haproxy firewall rules obfuscate any other rule defined via
the tripleo.
Things broke with https:/
that was pushed is that in composable roles, when splitting off horizon
away from where haproxy runs, we would not have the proper iptables rules
on the haproxy role. This was due to the fact that we had
the following code:
The above code never worked as explained in
3f8ce6fd96b
the proper tripleo.
for haproxy should just never have been set at all via
service_
this bug, the merging of hiera dictionaries will mess us up and we'll
end up overwriting other keys. Haproxy stats access has this:
    outputs:
      role_data:
        value:
          - tripleo.
And since hiera will return the horizon settings for
tripleo.
firewall rules from haproxy stats and so rule '107 haproxy stats' will
never be present.
Rules for haproxy need to happen in puppet-
Normally they do, the exception is horizon which uses a specialized
horizon_
Let's create the firewall rules in haproxy/
do for all other endpoints.
Tested and correctly got:
[root@
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80 state NEW /* 100 horizon_haproxy ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 443 state NEW /* 100 horizon_haproxy_ssl ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW /* 126 horizon ipv4 */
Change-Id: I1325171ef60d7a
Related-Bug: #1829338
(cherry picked from commit 6c2e164adaa0bf0
tags: added: in-stable-stein
OpenStack Infra (hudson-openstack) wrote (#8): Fix merged to tripleo-heat-templates (stable/stein)
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 6b4f03f9ea0e958
Author: Michele Baldessari <email address hidden>
Date: Thu May 16 09:16:51 2019 +0200
Remove the iptables rules set via service_
This breaks the rules for the haproxy stats access because it
shadows them. Let's remove these rules and move the iptables
rules for haproxy in puppet-tripleo where they should have
been in the first place, like for all other services.
Depends-On: I1325171ef60d7a
Change-Id: I2f177c930567b3
Closes-Bug: #1829338
(cherry picked from commit 114e5778f95d51e
OpenStack Infra (hudson-openstack) wrote (#9): Related fix proposed to puppet-tripleo (stable/rocky)
Related fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote (#10): Fix proposed to tripleo-heat-templates (stable/rocky)
Fix proposed to branch: stable/rocky
Review: https:/
OpenStack Infra (hudson-openstack) wrote (#11): Related fix merged to puppet-tripleo (stable/rocky)
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit b34f02c7fe3acf3
Author: Michele Baldessari <email address hidden>
Date: Thu May 16 09:12:50 2019 +0200
Fix horizon firewall rules in composable roles
Atm horizon haproxy firewall rules obfuscate any other rule defined via
the tripleo.
Things broke with https:/
that was pushed is that in composable roles, when splitting off horizon
away from where haproxy runs, we would not have the proper iptables rules
on the haproxy role. This was due to the fact that we had
the following code:
The above code never worked as explained in
3f8ce6fd96b
the proper tripleo.
for haproxy should just never have been set at all via
service_
this bug, the merging of hiera dictionaries will mess us up and we'll
end up overwriting other keys. Haproxy stats access has this:
    outputs:
      role_data:
        value:
          - tripleo.
And since hiera will return the horizon settings for
tripleo.
firewall rules from haproxy stats and so rule '107 haproxy stats' will
never be present.
Rules for haproxy need to happen in puppet-
Normally they do, the exception is horizon which uses a specialized
horizon_
Let's create the firewall rules in haproxy/
do for all other endpoints.
Tested and correctly got:
[root@
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80 state NEW /* 100 horizon_haproxy ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 443 state NEW /* 100 horizon_haproxy_ssl ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW /* 126 horizon ipv4 */
Change-Id: I1325171ef60d7a
Related-Bug: #1829338
(cherry picked from commit 6c2e164adaa0bf0
(cherry picked from commi...
tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote (#12): Fix merged to tripleo-heat-templates (stable/rocky)
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit ff10e2f6b9968d5
Author: Michele Baldessari <email address hidden>
Date: Thu May 16 09:16:51 2019 +0200
Remove the iptables rules set via service_
This breaks the rules for the haproxy stats access because it
shadows them. Let's remove these rules and move the iptables
rules for haproxy in puppet-tripleo where they should have
been in the first place, like for all other services.
NB: Cherry pick is clean but had to be moved to
puppet/
Depends-On: I1325171ef60d7a
Change-Id: I2f177c930567b3
Closes-Bug: #1829338
(cherry picked from commit 114e5778f95d51e
(cherry picked from commit 6b4f03f9ea0e958
OpenStack Infra (hudson-openstack) wrote (#13): Related fix proposed to puppet-tripleo (stable/queens)
Related fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote (#14): Fix proposed to tripleo-heat-templates (stable/queens)
Fix proposed to branch: stable/queens
Review: https:/
OpenStack Infra (hudson-openstack) wrote (#15): Related fix merged to puppet-tripleo (stable/queens)
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit ec4b1b6fc4c9509
Author: Michele Baldessari <email address hidden>
Date: Thu May 16 09:12:50 2019 +0200
Fix horizon firewall rules in composable roles
Atm horizon haproxy firewall rules obfuscate any other rule defined via
the tripleo.
Things broke with https:/
that was pushed is that in composable roles, when splitting off horizon
away from where haproxy runs, we would not have the proper iptables rules
on the haproxy role. This was due to the fact that we had
the following code:
The above code never worked as explained in
3f8ce6fd96b
the proper tripleo.
for haproxy should just never have been set at all via
service_
this bug, the merging of hiera dictionaries will mess us up and we'll
end up overwriting other keys. Haproxy stats access has this:
    outputs:
      role_data:
        value:
          - tripleo.
And since hiera will return the horizon settings for
tripleo.
firewall rules from haproxy stats and so rule '107 haproxy stats' will
never be present.
Rules for haproxy need to happen in puppet-
Normally they do, the exception is horizon which uses a specialized
horizon_
Let's create the firewall rules in haproxy/
do for all other endpoints.
Tested and correctly got:
[root@
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80 state NEW /* 100 horizon_haproxy ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 443 state NEW /* 100 horizon_haproxy_ssl ipv4 */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW /* 126 horizon ipv4 */
Change-Id: I1325171ef60d7a
Related-Bug: #1829338
(cherry picked from commit 6c2e164adaa0bf0
(cherry picked from comm...
tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote (#16): Fix merged to tripleo-heat-templates (stable/queens)
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit 525def10109b04d
Author: Michele Baldessari <email address hidden>
Date: Thu May 16 09:16:51 2019 +0200
Remove the iptables rules set via service_
This breaks the rules for the haproxy stats access because it
shadows them. Let's remove these rules and move the iptables
rules for haproxy in puppet-tripleo where they should have
been in the first place, like for all other services.
NB: Cherry pick is clean but had to be moved to
puppet/
Depends-On: I1325171ef60d7a
Change-Id: I2f177c930567b3
Closes-Bug: #1829338
(cherry picked from commit 114e5778f95d51e
(cherry picked from commit 6b4f03f9ea0e958
(cherry picked from commit ff10e2f6b9968d5
OpenStack Infra (hudson-openstack) wrote (#17): Fix included in openstack/tripleo-heat-templates 11.0.0
This issue was fixed in the openstack/
OpenStack Infra (hudson-openstack) wrote (#18): Fix included in openstack/tripleo-heat-templates 9.4.0
This issue was fixed in the openstack/
OpenStack Infra (hudson-openstack) wrote (#19): Fix included in openstack/tripleo-heat-templates 8.4.0
This issue was fixed in the openstack/
OpenStack Infra (hudson-openstack) wrote (#20): Fix included in openstack/tripleo-heat-templates 10.6.0
This issue was fixed in the openstack/
Related fix proposed to branch: master
Review: https://review.opendev.org/659466