UFW in swift-storage affects GRE traffic

Bug #1757564 reported by David Ames
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Charm Helpers | Invalid | High | David Ames |
OpenStack Swift Storage Charm | Fix Released | High | David Ames |

Bug Description

When colocating swift-storage and neutron-openvswitch, GRE traffic
is marked INVALID.

Need to modprobe nf_conntrack_proto_gre to fix [0].

[0] http://northernmost.org/blog/gre-tunnels-and-ufw/index.html

David Ames (thedac)
Changed in charm-swift-storage:
status: New → Triaged
importance: Undecided → High
assignee: nobody → David Ames (thedac)
milestone: none → 18.05
Changed in charm-helpers:
status: New → Triaged
importance: Undecided → High
assignee: nobody → David Ames (thedac)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-swift-storage (master)

Fix proposed to branch: master
Review: https://review.openstack.org/555089

Changed in charm-swift-storage:
status: Triaged → In Progress
Felipe Reyes (freyes) wrote : Re: [Bug 1757564] [NEW] UFW in swift-storage affects GRE traffic

On Wed, Mar 21, 2018 at 11:12:12PM -0000, David Ames wrote:
> Public bug reported:
>
> When colocating swift-storage and neutron-openvswitch, GRE traffic
> is marked INVALID.
>
> Need to modprobe nf_conntrack_proto_gre to fix [0].

I wonder if in this situation the charm should also increase the
ip_conntrack_max[0] sysctl key.

[0] /proc/sys/net/ipv4/ip_conntrack_max

OpenStack Infra (hudson-openstack) wrote : Change abandoned on charm-swift-storage (master)

Change abandoned by David Ames (<email address hidden>) on branch: master
Review: https://review.openstack.org/555089
Reason: This approach did not work.

Edward Hope-Morley (hopem) wrote :

Adding the following to the top of /etc/ufw/before.rules (and restarting ufw) fixed this for me:

-A ufw-before-input -p 47 -j ACCEPT

David Ames (thedac) wrote : Re: [Bug 1757564] Re: UFW in swift-storage affects GRE traffic

On Tue, May 1, 2018 at 6:16 AM, Edward Hope-Morley
<email address hidden> wrote:
> Adding the following to the top of /etc/ufw/before.rules (and restarting
> ufw) fixed this for me:
>
> -A ufw-before-input -p 47 -j ACCEPT
>

This is what we are trying to implement. Getting the change into ufw
without it erroring is the challenge.

I should have something to test shortly.

http://northernmost.org/blog/gre-tunnels-and-ufw/index.html

OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-swift-storage (master)

Fix proposed to branch: master
Review: https://review.openstack.org/565557

OpenStack Infra (hudson-openstack) wrote : Change abandoned on charm-swift-storage (master)

Change abandoned by David Ames (<email address hidden>) on branch: master
Review: https://review.openstack.org/565557
Reason: Superseded by another PR.

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-swift-storage (master)

Reviewed: https://review.openstack.org/566001
Committed: https://git.openstack.org/cgit/openstack/charm-swift-storage/commit/?id=18d0a891db6e794d3ddabf2ff45f4acf80283094
Submitter: Zuul
Branch: master

commit 18d0a891db6e794d3ddabf2ff45f4acf80283094
Author: David Ames <email address hidden>
Date: Tue May 1 10:14:54 2018 -0700

    Allow GRE traffic in converged architecture

    In a converged architecture with storage and compute on the same
    host, UFW can get in the way of tunneled traffic interpreting it as
    INVALID. UFW makes solving this more difficult than it needs to be.
    See http://northernmost.org/blog/gre-tunnels-and-ufw/index.html for
    context.

    This change updates /etc/ufw/before.rules to add GRE as an allowed
    input.

    Also, guarantee ufw is installed for LP #1763716

    Please review and merge charm-helpers first:
    https://github.com/juju/charm-helpers/pull/170

    Change-Id: I789854c33e3af12f7412633dbf7c921beb0ed2b5
    Closes-Bug: #1757564
    Closes-Bug: #1763716
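
An added example, not the charm's or charm-helpers' code: one way to insert the rule quoted in this thread into before.rules content idempotently, and to check that it is evaluated before the conntrack INVALID rules. The sample file is a constructed, abbreviated stand-in for a stock before.rules layout (an assumption), and the function names and marker comment are hypothetical.

```python
GRE_RULE = "-A ufw-before-input -p 47 -j ACCEPT"   # rule quoted in the thread
MARKER = "# added example: allow GRE (IP protocol 47)"  # hypothetical comment tag

# Constructed, abbreviated sample of a stock before.rules layout (assumption).
SAMPLE = """\
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
# End required lines

-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
COMMIT
"""

def ensure_gre_rule(text):
    """Return before.rules content with the GRE accept rule present once,
    placed right after the *filter chain declarations."""
    lines = text.splitlines()
    if any(l.strip() == GRE_RULE for l in lines):
        return text  # already present: idempotent, no duplicate rule
    in_filter, last_decl = False, None
    for i, line in enumerate(lines):
        s = line.strip()
        if s == "*filter":
            in_filter = True
        elif in_filter and s.startswith(":"):
            last_decl = i  # chain declaration such as ":ufw-before-input - [0:0]"
        elif in_filter and s == "COMMIT":
            break
    if last_decl is None:
        raise ValueError("no chain declarations found in *filter table")
    lines[last_decl + 1:last_decl + 1] = [MARKER, GRE_RULE]
    return "\n".join(lines) + "\n"

def gre_before_invalid_drop(text):
    """True if the GRE rule is evaluated before any conntrack INVALID rule."""
    rules = [l.strip() for l in text.splitlines()
             if l.strip().startswith("-A ufw-before-input")]
    if GRE_RULE not in rules:
        return False
    invalid = [i for i, r in enumerate(rules) if "--ctstate INVALID" in r]
    return not invalid or rules.index(GRE_RULE) < min(invalid)

if __name__ == "__main__":
    updated = ensure_gre_rule(SAMPLE)
    print(updated)
    print("GRE before INVALID drop:", gre_before_invalid_drop(updated))
```

Running the check against the file that is actually loaded catches the case where the rule exists but sits after the INVALID drop, which leaves GRE blocked.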

Changed in charm-swift-storage:
status: In Progress → Fix Committed
David Ames (thedac)
Changed in charm-helpers:
status: Triaged → Invalid
David Ames (thedac)
Changed in charm-swift-storage:
status: Fix Committed → Fix Released