iptables rules are missing the tcp rule for logging

Bug #1360298 reported by Anastasia Palkina
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Fuel for OpenStack
Fix Committed
Critical
Matthew Mosesohn

Bug Description

"build_id": "2014-08-22_02-01-17",
"ostf_sha": "907f25f8fad39b177bf6a66fba9785afa7dd8008",
"build_number": "467",
"auth_required": true,
"api": "1.0",
"nailgun_sha": "e9dd053fce12908b5a5a404435ce2e8200450a23",
"production": "docker",
"fuelmain_sha": "5a7df58786db7962a1774b5be3611c4e7543015d",
"astute_sha": "ac520b09525af4551e730b1c1f78170fefaf3cb8",
"feature_groups": ["mirantis"],
"release": "5.1",
"fuellib_sha": "bddba1e854a6b0350e844a0baad50816d3cc8e28"

1. Create new environment (CentOS, HA)
2. Choose VLAN segmentation
3. Choose Sahara installation
4. Add 3 controllers, compute and cinder
5. Start deployment. It hangs on first controller

Logging switched from udp to tcp and iptables rules are missing the tcp rule for logging

Revision history for this message
Anastasia Palkina (apalkina) wrote :
Revision history for this message
Matthew Mosesohn (raytrac3r) wrote :

The following rule looks like it was removed during a reboot by docker service:
 -A POSTROUTING -s 10.20.0.0/24 -p tcp -m tcp --dport 514 -m comment --comment "rsyslog-tcp-514-unmasquerade" -j ACCEPT

The problem was that the remangle rule for rsyslog was not being created on restart of container (only initial setup).

Changed in mos:
status: New → Confirmed
Changed in fuel:
status: New → Confirmed
milestone: none → 5.1
status: Confirmed → In Progress
assignee: nobody → Matthew Mosesohn (raytrac3r)
importance: Undecided → Critical
no longer affects: mos
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/116299
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=3ebeaefe2c7057403e14357762b82b21afa2122c
Submitter: Jenkins
Branch: master

commit 3ebeaefe2c7057403e14357762b82b21afa2122c
Author: Matthew Mosesohn <email address hidden>
Date: Fri Aug 22 18:41:00 2014 +0400

    Reload iptables after purging rules, add rsyslog to post_start_hooks

    In some cases, rsyslog would only unmasquerade UDP connections
    and not TCP connections, causing issues with deployment.

    This commit includes fixes for purging old iptables
    rules that run into race conditions, as well as a fix
    for grep to include '--' to handle strings that
    start with dash.

    Change-Id: I3913cb2ebd7fee42039e280f676b80f8f36e1841
    Closes-Bug: #1360298

Changed in fuel:
status: In Progress → Fix Committed
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.