iptables rules are missing the tcp rule for logging

Bug #1360298 reported by Anastasia Palkina on 2014-08-22
This bug affects 2 people
Affects: Fuel for OpenStack
Assigned to: Matthew Mosesohn

Bug Description

"build_id": "2014-08-22_02-01-17",
"ostf_sha": "907f25f8fad39b177bf6a66fba9785afa7dd8008",
"build_number": "467",
"auth_required": true,
"api": "1.0",
"nailgun_sha": "e9dd053fce12908b5a5a404435ce2e8200450a23",
"production": "docker",
"fuelmain_sha": "5a7df58786db7962a1774b5be3611c4e7543015d",
"astute_sha": "ac520b09525af4551e730b1c1f78170fefaf3cb8",
"feature_groups": ["mirantis"],
"release": "5.1",
"fuellib_sha": "bddba1e854a6b0350e844a0baad50816d3cc8e28"

1. Create new environment (CentOS, HA)
2. Choose VLAN segmentation
3. Choose Sahara installation
4. Add 3 controllers, compute and cinder
5. Start deployment. It hangs on first controller

Logging switched from udp to tcp and iptables rules are missing the tcp rule for logging

Anastasia Palkina (apalkina) wrote :
Matthew Mosesohn (raytrac3r) wrote :

The following rule looks like it was removed during a reboot by the docker service:
 -A POSTROUTING -s -p tcp -m tcp --dport 514 -m comment --comment "rsyslog-tcp-514-unmasquerade" -j ACCEPT

The problem was that the remangle rule for rsyslog was not being created on restart of the container (only on initial setup).

Changed in mos:
status: New → Confirmed
Changed in fuel:
status: New → Confirmed
milestone: none → 5.1
status: Confirmed → In Progress
assignee: nobody → Matthew Mosesohn (raytrac3r)
importance: Undecided → Critical
no longer affects: mos

Reviewed: https://review.openstack.org/116299
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=3ebeaefe2c7057403e14357762b82b21afa2122c
Submitter: Jenkins
Branch: master

commit 3ebeaefe2c7057403e14357762b82b21afa2122c
Author: Matthew Mosesohn <email address hidden>
Date: Fri Aug 22 18:41:00 2014 +0400

    Reload iptables after purging rules, add rsyslog to post_start_hooks

    In some cases, rsyslog would only unmasquerade UDP connections
    and not TCP connections, causing issues with deployment.

    This commit includes fixes for purging old iptables
    rules that run into race conditions, as well as a fix
    for grep to include '--' to handle strings that
    start with dash.

    Change-Id: I3913cb2ebd7fee42039e280f676b80f8f36e1841
    Closes-Bug: #1360298
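
An added example, not code from this bug thread or from fuel-library: a shell check over `iptables-save` style output that reports which of tcp/udp has no port 514 ACCEPT rule in POSTROUTING, the condition described in the comment above. It passes `--` to grep because the pattern begins with a dash, the case the commit message mentions. The function name, the source network 192.0.2.0/24 and the UDP rule's comment string are assumptions constructed for the sample.

```shell
#!/bin/sh
# Constructed sample data. 192.0.2.0/24 stands in for the source network that
# is elided in the rule quoted in the bug; the UDP comment string is assumed
# by analogy with the TCP one.

# State after the container restart: only the UDP rule was recreated.
SAMPLE_AFTER_RESTART='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.0.2.0/24 -p udp -m udp --dport 514 -m comment --comment "rsyslog-udp-514-unmasquerade" -j ACCEPT
-A POSTROUTING -s 192.0.2.0/24 -j MASQUERADE
COMMIT'

# Expected state: both protocols have a rule.
SAMPLE_HEALTHY='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.0.2.0/24 -p udp -m udp --dport 514 -m comment --comment "rsyslog-udp-514-unmasquerade" -j ACCEPT
-A POSTROUTING -s 192.0.2.0/24 -p tcp -m tcp --dport 514 -m comment --comment "rsyslog-tcp-514-unmasquerade" -j ACCEPT
-A POSTROUTING -s 192.0.2.0/24 -j MASQUERADE
COMMIT'

# Read iptables-save style text on stdin and print, space separated, each
# protocol (tcp, udp) with no port 514 ACCEPT rule in POSTROUTING.
# An empty line means both rules are present.
missing_syslog_rules() {
    rules=$(cat)
    missing=""
    for proto in tcp udp; do
        # The pattern starts with "-A". Without "--" grep would parse it as
        # its own -A (after-context) option and fail instead of matching.
        pattern="-A POSTROUTING .*-p $proto .*--dport 514 .*-j ACCEPT"
        if ! printf '%s\n' "$rules" | grep -q -- "$pattern"; then
            missing="$missing $proto"
        fi
    done
    printf '%s\n' "${missing# }"
}

# On a live host the input would be:  iptables-save -t nat | missing_syslog_rules
printf 'after restart, missing: %s\n' \
    "$(printf '%s\n' "$SAMPLE_AFTER_RESTART" | missing_syslog_rules)"
printf 'healthy, missing: %s\n' \
    "$(printf '%s\n' "$SAMPLE_HEALTHY" | missing_syslog_rules)"
```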

Changed in fuel:
status: In Progress → Fix Committed