Wrong iptables rules for keystone ports
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Fuel for OpenStack | Fix Released | High | Aleksandr Didenko | | |
Bug Description
Puppet creates wrong iptables rules for keystone ports. There's only one management network in the rule, and it's in destination, not in source:
ACCEPT tcp -- 0.0.0.0/0 10.144.2.0/24 multiport ports 5000,35357 /* 102 keystone */
We should change:
firewall {'102 keystone':
port => [$keystone_
proto => 'tcp',
action => 'accept',
destination => get_routable_
}
to
openstack:
port => [$keystone_
proto => 'tcp',
action => 'accept',
source_nets => get_routable_
}
in firewall.pp task, it's the only rule that was improperly converted to get_routable_
Steps to reproduce:
1. Deploy multirack env
2. Check that "102 keystone" iptables rule exists for every management network
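The check in step 2 can be scripted. The following is an added example, not part of the bug report or of Fuel's code: it parses `iptables -L -n` lines in the format quoted above and reports management networks that have no source-scoped keystone rule. The function names, the second network 10.144.3.0/24 and the "fixed" listing are constructed for illustration, and it assumes the corrected rules still carry "102 keystone" in their comment.

```python
import ipaddress
import re

# Columns of `iptables -L -n`: target prot opt source destination [extras]
RULE_RE = re.compile(
    r"^(?P<target>\S+)\s+\S+\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<rest>.*)$")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample data: BROKEN is the rule quoted in the report; FIXED is an
# assumed corrected listing; 10.144.3.0/24 is a made-up second rack network.
MGMT_NETS = ["10.144.2.0/24", "10.144.3.0/24"]
BROKEN = "ACCEPT tcp -- 0.0.0.0/0 10.144.2.0/24 multiport ports 5000,35357 /* 102 keystone */"
FIXED = (
    "ACCEPT tcp -- 10.144.2.0/24 0.0.0.0/0 multiport ports 5000,35357 /* 102 keystone */\n"
    "ACCEPT tcp -- 10.144.3.0/24 0.0.0.0/0 multiport ports 5000,35357 /* 102 keystone */"
)


def keystone_rules(listing, comment="102 keystone"):
    """Return (source, destination) networks of ACCEPT rules tagged with comment."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m["target"] != "ACCEPT" or comment not in m["rest"]:
            continue
        try:
            rules.append((ipaddress.ip_network(m["src"]),
                          ipaddress.ip_network(m["dst"])))
        except ValueError:
            continue  # non-numeric columns (listing taken without -n)
    return rules


def audit(listing, mgmt_nets):
    """Find networks with no source-scoped rule and networks used as destination."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    rules = keystone_rules(listing)
    sources = {src for src, _ in rules}
    return {
        # management networks that no rule names as its source
        "missing_source": [str(n) for n in nets if n not in sources],
        # the symptom in this report: open source, network in destination
        "in_destination": [str(d) for s, d in rules if s == ANY and d in nets],
    }


if __name__ == "__main__":
    print("broken:", audit(BROKEN, MGMT_NETS))
    print("fixed: ", audit(FIXED, MGMT_NETS))
```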
tags: added: on-verification
Fix proposed to branch: master
Review: https://review.openstack.org/255823