[system_tests] add iptables rule for tftp traffic when Multiple Networks are true

Bug #1412799 reported by Alexander Kurenyshev
Affects: Fuel for OpenStack
Status: Fix Committed
Importance: Medium
Assigned to: Andrew Woodward

Bug Description

Found while analyzing a System Test failure.

The test deploys Fuel with multiple networks (MULTIPLE_NETWORKS=true).

There are two networks for nodes:
10.108.72.0/24 dev eth5 proto kernel scope link src 10.108.72.2
10.108.59.0/24 dev eth0 proto kernel scope link src 10.108.59.2

For nodes from 10.108.59.0/24 we have iptables rules for forwarding tftp traffic during PXE load:

[root@nailgun ~]# iptables-save -t nat| grep :69
-A DOCKER -d 10.108.59.2/32 -p udp -m udp --dport 69 -j DNAT --to-destination 172.17.0.8:69
-A DOCKER -d 127.0.0.1/32 -p udp -m udp --dport 69 -j DNAT --to-destination 172.17.0.8:69

For nodes from network 10.108.72.0/24 there should be a rule:

-A DOCKER -d 10.108.72.2/32 -p udp -m udp --dport 69 -j DNAT --to-destination 172.17.0.8:69

otherwise the node can't access the tftp server and download the bootstrap image.
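
A check for the condition described in this report, as an added example that is not part of the original report or of the Fuel code base: it compares the master node's directly connected addresses against the udp/69 DNAT rules and lists the addresses that have none. The sample input is constructed from the lines quoted above, the function names are hypothetical, and the parser assumes rules in the simple `-d <addr> ... --dport 69 -j DNAT` form shown here, treating a rule with no `-d` match as covering every destination.

```python
import ipaddress
import re

# Constructed sample input: the route and NAT lines quoted in the bug description.
ROUTES = """\
10.108.72.0/24 dev eth5 proto kernel scope link src 10.108.72.2
10.108.59.0/24 dev eth0 proto kernel scope link src 10.108.59.2
"""
NAT_RULES = """\
-A DOCKER -d 10.108.59.2/32 -p udp -m udp --dport 69 -j DNAT --to-destination 172.17.0.8:69
-A DOCKER -d 127.0.0.1/32 -p udp -m udp --dport 69 -j DNAT --to-destination 172.17.0.8:69
"""


def admin_addresses(routes):
    """Return the host's source address on each directly connected network."""
    return [ipaddress.ip_address(m.group(1))
            for m in re.finditer(r"scope link\s+src (\S+)", routes)]


def tftp_dnat_destinations(nat_rules, port=69):
    """Return the destination networks matched by udp/<port> DNAT rules."""
    nets = []
    for line in nat_rules.splitlines():
        tokens = line.split()
        if "DNAT" not in tokens or "udp" not in tokens:
            continue
        if "--dport" not in tokens or tokens[tokens.index("--dport") + 1] != str(port):
            continue
        # A rule with no -d match applies to every destination address.
        dest = tokens[tokens.index("-d") + 1] if "-d" in tokens else "0.0.0.0/0"
        nets.append(ipaddress.ip_network(dest, strict=False))
    return nets


def uncovered_addresses(routes, nat_rules, port=69):
    """Addresses with no DNAT rule: PXE clients on those networks cannot reach tftp."""
    nets = tftp_dnat_destinations(nat_rules, port)
    return [str(addr) for addr in admin_addresses(routes)
            if not any(addr in net for net in nets)]


if __name__ == "__main__":
    for addr in uncovered_addresses(ROUTES, NAT_RULES):
        print("no udp/69 DNAT rule for", addr)
```

On a live master node the two inputs would come from `ip route` and `iptables-save -t nat`.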

Alexander Kurenyshev (akurenyshev) wrote :
Changed in fuel:
assignee: Fuel for Openstack (fuel) → Fuel QA Team (fuel-qa)
Egor Kotko (ykotko) wrote :

Please check the server on which the test was executed: the variable net.bridge.bridge-nf-call-iptables should be set to 0.
# sysctl -a | grep bridge-nf-call-iptables
If it is not 0, this is the reason for the failure (traffic on the bridges is firewalled).

Alexander Kurenyshev (akurenyshev) wrote :

Egor,
akurenyshev@srv07-srt:~$ sysctl -a | grep bridge-nf-call-iptables
net.bridge.bridge-nf-call-iptables = 0

Dennis Dmitriev (ddmitriev) wrote :

Aleksey Kasatkin, as I understand, the 'iptables' rules that provide network access into the docker containers must be managed by docker.

This issue is about the case when the 'cobbler' container is configured and should provide DHCP service for two 'admin' networks in configuration with MULTIPLE_NETWORKS: 10.108.72.0/24 and 10.108.59.0/24.

Are you sure that this case is under Fuel QA team responsibility?

Changed in fuel:
assignee: Fuel QA Team (fuel-qa) → Fuel Python Team (fuel-python)
Aleksey Kasatkin (alekseyk-ru) wrote :

Ryan, please look.

Changed in fuel:
assignee: Fuel Python Team (fuel-python) → Ryan Moe (rmoe)
Dima Shulyak (dshulyak) wrote :
Changed in fuel:
status: New → Triaged
Changed in fuel:
assignee: Ryan Moe (rmoe) → Andrew Woodward (xarses)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/155515
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=ca50a37151ba7a62dd2cd0b56d82f74534acad3c
Submitter: Jenkins
Branch: master

commit ca50a37151ba7a62dd2cd0b56d82f74534acad3c
Author: Andrew Woodward <email address hidden>
Date: Thu Feb 12 14:44:59 2015 -0800

    Change cobbler container to receive all DNS or PXE requests

    When we are using multiple-cluster-networks, there may be multiple
    interfaces for which we have as admin interfaces. Instead of needing to update
    the container every time an interface is added, we can instead forward
    all DNS and PXE requests to the cobbler container.

    Closes-bug: 1412799
    Change-Id: I29b6c441ab7123cd678b1fb47f75992073549179

Changed in fuel:
status: In Progress → Fix Committed