Hosts role should disable or remove firewalld

Bug #1657518 reported by Major Hayden on 2017-01-18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Major Hayden

Bug Description

The firewalld service is running on CentOS systems by default. We should mask the service or remove it entirely as it causes issues with container communication.

Fix proposed to branch: master

Changed in openstack-ansible:
status: New → In Progress

Change abandoned by Major Hayden (<email address hidden>) on branch: master

Nick Wilburn (nowilburn) wrote :

This causes a pretty major issue when running the playbook on CentOS7. Keepalived refuses to work and gives some pretty cryptic error messages.

The playbook should either disable firewalld, implement the correct rules, or document that firewalld needs to be turned off.

Luke Short (ekultails) wrote :

I would think it would be best to at least add firewalld not being supported to the documentation. Since it's a front-end to iptables anyways, it would be duplicate effort to support both iptables and firewalld. Operators relying on firewalld may be caught off-guard if OpenStack-Ansible removes their firewall management tool of choice.

If we're also going to disable it, maybe we should prompt the end-user (via Ansible) to see if they're okay with turning off and disabling firewalld (if it's on and/or enabled). We would also need to make sure that the iptables-services package is installed.
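The check suggested in the comment above, sketched as an added example that is not part of the comment or of OpenStack-Ansible's own code. It replaces the interactive prompt with an explicit opt-in variable so the decision is made per host; `firewalld_disable_confirmed`, `firewalld_svc` and `firewalld_live` are hypothetical names.

```yaml
# Added illustration; hypothetical play, not part of OpenStack-Ansible.
- name: Pre-flight handling of firewalld
  hosts: all
  become: true
  vars:
    # Assumption: hypothetical opt-in, e.g. -e firewalld_disable_confirmed=true
    firewalld_disable_confirmed: false
    # Evaluated lazily, after service_facts has populated ansible_facts.services.
    firewalld_svc: "{{ ansible_facts.services['firewalld.service'] | default({}) }}"
  tasks:
    - name: Collect service state
      ansible.builtin.service_facts:

    - name: Flag hosts where firewalld is running or enabled at boot
      ansible.builtin.set_fact:
        firewalld_live: >-
          {{ firewalld_svc.state | default('') == 'running'
             or firewalld_svc.status | default('') == 'enabled' }}

    - name: Stop unless the operator has agreed to turn firewalld off
      ansible.builtin.fail:
        msg: >-
          firewalld is {{ firewalld_svc.state }}/{{ firewalld_svc.status }} on
          {{ inventory_hostname }}. Re-run with firewalld_disable_confirmed=true
          to stop, disable and mask it.
      when: firewalld_live | bool and not (firewalld_disable_confirmed | bool)

    - name: Keep a firewall management tool available
      ansible.builtin.package:
        name: iptables-services
        state: present
      when: firewalld_live | bool

    - name: Stop, disable and mask firewalld
      ansible.builtin.systemd:
        name: firewalld
        state: stopped
        enabled: false
        masked: true
      when: firewalld_live | bool
```

Hosts where firewalld is absent, stopped and disabled, or already masked pass through without changes.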

Submitter: Jenkins
Branch: master

commit 46ccb9184100cac21b02b64a6c133a12baef71d1
Author: Major Hayden <email address hidden>
Date: Fri Jun 23 08:18:05 2017 -0500

    [Docs] Recommendations for firewalld

    This docs patch recommends that deployers disable firewalld on their
    deployments until rulesets can be developed.

    Related-bug: 1657518
    Change-Id: I3b8030fde4edc35145ad42ba59a6721631fddcd7

Changed in openstack-ansible:
status: In Progress → Fix Committed
status: Fix Committed → Fix Released