nftables might interfere with tripleo-firewall

Bug #1869166 reported by Michele Baldessari
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Michele Baldessari

Bug Description

If for some reason (we've hit this via https://bugzilla.redhat.com/show_bug.cgi?id=1694723) /etc/nftables/* rules get populated and the nftables service is started and enabled, we'll effectively end up having two separate firewalls: the iptables one managed by puppet and the nftables one left in the hands of the rpm defaults.

We need to make sure that nftables is not set up, since that will effectively interfere with the puppet-firewall/tripleo-ansible firewall modules.

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/715125
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=d44df735e9675f4bb55dd56091217abc776bd4cd
Submitter: Zuul
Branch: master

commit d44df735e9675f4bb55dd56091217abc776bd4cd
Author: Michele Baldessari <email address hidden>
Date: Thu Mar 26 08:10:23 2020 +0100

    Prevent nftables to interfere with tripleo firewall

    If for some reason (we've hit this via
    https://bugzilla.redhat.com/show_bug.cgi?id=1694723) /etc/nftables/*
    rules get populated and the nftables service is started and enabled
    (which it is by puppet)
    we'll effectively end up having two separate firewalls: the iptables one
    managed by puppet and the nftables one left in the hands of the rpm
    defaults.

    We need to make sure that nftables is not set up, since that will
    effectively interfere with the puppet-firewall/tripleo-ansible firewall
    modules.

    To do so we empty /etc/sysconfig/nftables.conf (that way if this
    code runs before the nftables rpm is installed it won't be
    overwritten), then if the nftables.conf file has changed we flush
    the nft rulesets and immediately reload the iptables services.

    Tested by deploying UC and OC on both RHEL 8.1 and RHEL 8.2 and
    then redeploying the UC and confirming that the nftables flush+
    iptables service reload is not triggered on redeploy:
    TASK [Prevent Nftables to set up any rules] ****************************
    Thursday 26 March 2020 14:55:01 +0000 (0:00:00.127) 0:01:46.572 *
    ok: [undercloud-0]

    TASK [Flush Nftables rules when nftables.conf changed] *****************
    Thursday 26 March 2020 14:55:02 +0000 (0:00:00.480) 0:01:47.052 *
    skipping: [undercloud-0]

    TASK [Restart iptables to restore firewall after flushing nftables] ****
    Thursday 26 March 2020 14:55:02 +0000 (0:00:00.130) 0:01:47.183 *
    skipping: [undercloud-0] => (item=iptables.service)
    skipping: [undercloud-0] => (item=ip6tables.service)

    Closes-Bug: #1869166
    Change-Id: Ia4a2a58aada3b893fa23e04722f0a7d77e05a981

Changed in tripleo:
status: In Progress → Fix Released
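An added example, not code from tripleo-heat-templates or from the change above, that renders the remediation the commit message describes as an idempotent shell function, alongside a check for the condition the bug report describes (an nftables.conf that still carries active directives). It assumes nft(8) and systemctl are in PATH and uses the /etc/sysconfig/nftables.conf path named in the bug; both are parameters so the logic can be exercised on a scratch file without root.

```shell
#!/bin/sh
# Added example, not code from tripleo-heat-templates: a shell rendering of the
# remediation the commit message describes (empty /etc/sysconfig/nftables.conf
# and, only when that changed, flush the nft ruleset and restart iptables),
# plus a check for the condition the bug describes. Paths and commands are
# parameters so the logic can be exercised on a scratch file without root.
NFT_CONF=${NFT_CONF:-/etc/sysconfig/nftables.conf}   # path named in the bug
NFT=${NFT:-nft}                                     # assumption: nft(8) in PATH
SYSTEMCTL=${SYSTEMCTL:-systemctl}

# conf_has_directives FILE: 0 if FILE holds any active directive (an include
# of /etc/nftables/*, a table, a flush), 1 if it has only comments or blanks.
# A file whose include lines are all commented out loads nothing by itself.
conf_has_directives() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*[^#[:space:]]' "$1"
}

# ensure_empty_conf FILE: truncate FILE (creating it if absent). Returns 0 when
# the content changed and 1 when it was already empty, so a second run is a
# no-op, matching the "skipping" tasks in the redeploy log above.
ensure_empty_conf() {
    if [ -f "$1" ] && [ ! -s "$1" ]; then
        return 1
    fi
    : > "$1"
}

# remediate [FILE]: apply the fix and print what was done so it can be audited.
# Flushing the nft ruleset drops iptables-nft's rules too, so the iptables
# services are restarted in the same step rather than leaving the host open.
remediate() {
    conf=${1:-$NFT_CONF}
    if ensure_empty_conf "$conf"; then
        "$NFT" flush ruleset
        for unit in iptables.service ip6tables.service; do
            "$SYSTEMCTL" restart "$unit"
        done
        echo "changed: flushed nft ruleset, restarted iptables/ip6tables"
    else
        echo "ok: $conf already empty, nothing flushed"
    fi
}
```

As the reverts later on this page record, once the CentOS nftables package stopped enabling rules by default this step was no longer needed, so confirm what the packaged nftables.conf actually loads before carrying it into a new deployment.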
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/train)

Reviewed: https://review.opendev.org/715130
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=c3b24599d7055c4dead110d25d7479eca7a557fe
Submitter: Zuul
Branch: stable/train

commit c3b24599d7055c4dead110d25d7479eca7a557fe
Author: Michele Baldessari <email address hidden>
Date: Thu Mar 26 09:05:50 2020 +0100

    [train/backport] Prevent nftables to interfere with tripleo firewall

    If for some reason (we've hit this via
    https://bugzilla.redhat.com/show_bug.cgi?id=1694723) /etc/nftables/*
    rules get populated and the nftables service is started and enabled
    (which it is by puppet)
    we'll effectively end up having two separate firewalls: the iptables one
    managed by puppet and the nftables one left in the hands of the rpm
    defaults.

    We need to make sure that nftables is not set up, since that will
    effectively interfere with the puppet-firewall/tripleo-ansible firewall
    modules.

    To do so we empty /etc/sysconfig/nftables.conf (that way if this
    code runs before the nftables rpm is installed it won't be
    overwritten), then if the nftables.conf file has changed we flush
    the nft rulesets and immediately reload the iptables services.

    Tested by deploying UC and OC on both RHEL 8.1 and RHEL 8.2 and
    then redeploying the UC and confirming that the nftables flush+
    iptables service reload is not triggered on redeploy:
    TASK [Prevent Nftables to set up any rules] ****************************
    Thursday 26 March 2020 14:55:01 +0000 (0:00:00.127) 0:01:46.572 *
    ok: [undercloud-0]

    TASK [Flush Nftables rules when nftables.conf changed] *****************
    Thursday 26 March 2020 14:55:02 +0000 (0:00:00.480) 0:01:47.052 *
    skipping: [undercloud-0]

    TASK [Restart iptables to restore firewall after flushing nftables] ****
    Thursday 26 March 2020 14:55:02 +0000 (0:00:00.130) 0:01:47.183 *
    skipping: [undercloud-0] => (item=iptables.service)
    skipping: [undercloud-0] => (item=ip6tables.service)

    NB: The cherry pick from master is not clean due to the tripleo-firewall
        moving from puppet to ansible in master

    Closes-Bug: #1869166
    Depends-On: https://review.opendev.org/715173
    Change-Id: Ia4a2a58aada3b893fa23e04722f0a7d77e05a981

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 12.2.0

This issue was fixed in the openstack/tripleo-heat-templates 12.2.0 release.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/740485

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/ussuri)

Related fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/740486

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/train)

Reviewed: https://review.opendev.org/739963
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=9db0d36614c5abdb0ccb02ff6b300bc0d277f672
Submitter: Zuul
Branch: stable/train

commit 9db0d36614c5abdb0ccb02ff6b300bc0d277f672
Author: yatinkarel <email address hidden>
Date: Fri Jul 10 11:22:18 2020 +0530

    Revert "[train/backport] Prevent nftables to interfere with tripleo firewall"

    This reverts commit c3b24599d7055c4dead110d25d7479eca7a557fe.

    Revert "Do not fail if /usr/sbin/nft is not present"

    This reverts commit eedb679db95b281b2be0199d48876b8af64ea3a0.

    The nftables rules are not enabled now after [1] so reverting
    the original changes which are not needed.

    [1] https://git.centos.org/rpms/nftables/c/3730f48

    Related-Bug: #1870095
    Related-Bug: #1869166
    Closes-Bug: #1887112
    Change-Id: Ib3309cbbd6f2ca300ec205528402a3836a6f34df

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/740485
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=8e3c4f572891717e1ce9b997e5ab35bb602a544b
Submitter: Zuul
Branch: master

commit 8e3c4f572891717e1ce9b997e5ab35bb602a544b
Author: yatinkarel <email address hidden>
Date: Fri Jul 10 20:12:45 2020 +0530

    Revert "Prevent nftables to interfere with tripleo firewall"

    This reverts commit d44df735e9675f4bb55dd56091217abc776bd4cd.

    Revert "Do not fail if /usr/sbin/nft is not present"

    This reverts commit aa019cdd5d84b6678395c18ff536b804a8b10005.

    The nftables rules are not enabled now after [1] so reverting
    the original changes which are not needed.

    [1] https://git.centos.org/rpms/nftables/c/3730f48

    Related-Bug: #1870095
    Related-Bug: #1869166
    Change-Id: I3923ea24c640941961624326cf3abe1012020771

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/ussuri)

Reviewed: https://review.opendev.org/740486
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=9c861fcfc427d55f96e24e5d573e0ca535d44cb1
Submitter: Zuul
Branch: stable/ussuri

commit 9c861fcfc427d55f96e24e5d573e0ca535d44cb1
Author: yatinkarel <email address hidden>
Date: Fri Jul 10 20:12:45 2020 +0530

    Revert "Prevent nftables to interfere with tripleo firewall"

    This reverts commit d44df735e9675f4bb55dd56091217abc776bd4cd.

    Revert "Do not fail if /usr/sbin/nft is not present"

    This reverts commit aa019cdd5d84b6678395c18ff536b804a8b10005.

    The nftables rules are not enabled now after [1] so reverting
    the original changes which are not needed.

    [1] https://git.centos.org/rpms/nftables/c/3730f48

    Related-Bug: #1870095
    Related-Bug: #1869166
    Change-Id: I3923ea24c640941961624326cf3abe1012020771
    (cherry picked from commit 8e3c4f572891717e1ce9b997e5ab35bb602a544b)

tags: added: in-stable-ussuri
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 11.4.0

This issue was fixed in the openstack/tripleo-heat-templates 11.4.0 release.
