Hosts role should disable or remove firewalld

Bug #1657518 reported by Major Hayden
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack-Ansible | Fix Released | High | Major Hayden |

Bug Description

The firewalld service is running on CentOS systems by default. We should mask the service or remove it entirely as it causes issues with container communication.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-openstack_hosts (master)

Fix proposed to branch: master
Review: https://review.openstack.org/422657

Changed in openstack-ansible:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on openstack-ansible-openstack_hosts (master)

Change abandoned by Major Hayden (<email address hidden>) on branch: master
Review: https://review.openstack.org/422657

Nick Wilburn (nowilburn) wrote :

This causes a pretty major issue when running the playbook on CentOS7. Keepalived refuses to work and gives some pretty cryptic error messages.

The playbook should either disable firewalld, implement the correct rules, or document that firewalld needs to be turned off.

Luke Short (ekultails) wrote :

I would think it would be best to at least add firewalld not being supported to the documentation. Since it's a front-end to iptables anyways, it would be duplicate effort to support both iptables and firewalld. Operators relying on firewalld may be caught off-guard if OpenStack-Ansible removes their firewall management tool of choice.

If we're also going to disable it, maybe we should prompt the end-user (via Ansible) to see if they're okay with turning off and disabling firewalld (if it's on and/or enabled). We would also need to make sure that the iptables-services package is installed.

http://docs.ansible.com/ansible/playbooks_prompts.html
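
The steps proposed in the comment above, written as an Ansible play (an added example, not part of the original comment and not OpenStack-Ansible code): prompt the operator, stop the run if firewalld is active and they decline, otherwise install iptables-services and then stop, disable and mask firewalld. The host pattern and the variable names `disable_firewalld` and `fw` are assumptions.

```yaml
---
# Added example, not OpenStack-Ansible code.
# "hosts: all", disable_firewalld and fw are hypothetical names.
- name: Handle firewalld before deploying containers
  hosts: all
  become: true
  vars_prompt:
    - name: disable_firewalld
      prompt: "Stop, disable and mask firewalld where it is present? (yes/no)"
      private: false
      default: "no"
  vars:
    # Evaluated lazily, after service_facts has populated ansible_facts.services.
    fw: "{{ ansible_facts.services.get('firewalld.service', {}) }}"
  tasks:
    - name: Collect the state of all services
      ansible.builtin.service_facts:

    - name: Stop the run if firewalld is active and the operator declined
      ansible.builtin.fail:
        msg: >-
          firewalld is running or enabled on {{ inventory_hostname }}.
          Disable it or add the required rules before continuing.
      when:
        - fw.get('state') == 'running' or fw.get('status') == 'enabled'
        - not (disable_firewalld | bool)

    - name: Install iptables-services so a rule management tool remains
      ansible.builtin.package:
        name: iptables-services
        state: present
      when:
        - fw | length > 0
        - disable_firewalld | bool

    - name: Stop, disable and mask firewalld
      ansible.builtin.systemd:
        name: firewalld
        state: stopped
        enabled: false
        masked: true
      when:
        - fw | length > 0
        - disable_firewalld | bool
```

Hosts without firewalld installed skip every change, and answering "no" on a host where firewalld is active fails the run instead of silently leaving the conflict in place.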

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/476906

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/476906
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=46ccb9184100cac21b02b64a6c133a12baef71d1
Submitter: Jenkins
Branch: master

commit 46ccb9184100cac21b02b64a6c133a12baef71d1
Author: Major Hayden <email address hidden>
Date: Fri Jun 23 08:18:05 2017 -0500

    [Docs] Recommendations for firewalld

    This docs patch recommends that deployers disable firewalld on their
    deployments until rulesets can be developed.

    Related-bug: 1657518
    Change-Id: I3b8030fde4edc35145ad42ba59a6721631fddcd7

Changed in openstack-ansible:
status: In Progress → Fix Committed
status: Fix Committed → Fix Released