Persistent IPtables rules should not include Neutron-managed rules

Bug #1747960 reported by Emilien Macchi
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Emilien Macchi

Bug Description

Originally reported here: https://bugzilla.redhat.com/show_bug.cgi?id=1541528

As an operator with or without TripleO, I can't make all IPtables rules (managed by TripleO for security reasons) persistent on the system where Neutron is running, because Neutron rules shouldn't be persistent since they're managed by the agent.

Instead, rules managed by TripleO should be the only ones to be persistent, and the ones from Neutron should not.
Indeed, if we make Neutron rules persistent, it can lead to issues like IPtables not being able to restart during an update or upgrade.

Changed in tripleo:
milestone: none → queens-rc1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/541849

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/542544

OpenStack Infra (hudson-openstack) wrote :

Related fix proposed to branch: master
Review: https://review.openstack.org/542910

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (master)

Change abandoned by Emilien Macchi (<email address hidden>) on branch: master
Review: https://review.openstack.org/542910
Reason: not needed anymore

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/newton)

Related fix proposed to branch: stable/newton
Review: https://review.openstack.org/545075

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/542544
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=50bd7f1aef5fe4536870542c6c3009e54c83e12f
Submitter: Zuul
Branch: master

commit 50bd7f1aef5fe4536870542c6c3009e54c83e12f
Author: Emilien Macchi <email address hidden>
Date: Thu Feb 8 18:14:15 2018 -0800

    Cleanup /etc/sysconfig/iptables on stack update

    When running a stack update, puppetlabs-firewall will execute:

      service iptables save

    Which will export all running iptables rules into
    /etc/sysconfig/iptables to make the rules consistent.

    We don't want Neutron-managed rules to be consistent, so we need to
    remove them from /etc/sysconfig/iptables so if iptables is restarted,
    it won't fail because of some missing namespaces managed by Neutron.

    See more context on https://bugzilla.redhat.com/show_bug.cgi?id=1541528

    Change-Id: Ia38d8e1800c91094f0bdd8744ee608e1757c7d66
    Related-Bug: #1747960
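
The bug description and the commit message above both turn on one mechanism: "service iptables save" dumps every live rule into /etc/sysconfig/iptables, including chains that the Neutron agent builds at runtime and expects to rebuild itself. What follows is an added example, not code from puppet-tripleo or Neutron, of filtering such a dump before it is persisted and of checking afterwards that nothing Neutron-owned survived. It assumes only what the report does: Neutron names every chain it owns with a "neutron-" prefix (neutron-filter-top, neutron-openvswi-*, and so on). Everything in SAMPLE_DUMP is constructed for the example; the chain names, ports and comment strings are illustrative, not copied from any deployment. The example also contrasts the chain-aware filter with a plain line-level substring match, because a substring match would also delete an operator-managed rule whose comment merely mentions "neutron-".

```python
"""Strip Neutron-managed chains and rules from an iptables-save dump.

Added example for the TripleO bug discussed on this page; this is not code
from puppet-tripleo or Neutron. It relies on one assumption the report itself
makes: Neutron's iptables driver names every chain it owns with a "neutron-"
prefix, and it never edits the TripleO-managed rules in the built-in chains.
"""
import re
import textwrap

NEUTRON_PREFIX = "neutron-"

# ":CHAIN POLICY [packets:bytes]" declares a chain at the top of a table.
_CHAIN_DECL = re.compile(r"^:(\S+)\s")
# "-A CHAIN <matches> -j TARGET" appends one rule; iptables-save only emits -A.
_RULE = re.compile(r"^-A\s+(\S+)(.*)$")
_JUMP = re.compile(r"(?:^|\s)(?:-j|-g|--jump|--goto)\s+(\S+)")


def is_neutron_chain(name):
    return name.startswith(NEUTRON_PREFIX)


def strip_neutron_rules(dump):
    """Return (filtered_dump, removed_lines).

    A line is dropped when it declares a neutron-* chain, appends a rule to
    one, or jumps into one. Table markers (*filter, COMMIT) and every other
    line pass through untouched, so the result stays valid iptables-restore
    input as long as the input was.
    """
    kept, removed = [], []
    for line in dump.splitlines():
        decl = _CHAIN_DECL.match(line)
        if decl and is_neutron_chain(decl.group(1)):
            removed.append(line)
            continue
        rule = _RULE.match(line)
        if rule:
            chain, rest = rule.groups()
            jump = _JUMP.search(rest)
            target = jump.group(1) if jump else ""
            if is_neutron_chain(chain) or is_neutron_chain(target):
                removed.append(line)
                continue
        kept.append(line)
    out = "\n".join(kept)
    return (out + "\n" if dump.endswith("\n") else out), removed


def substring_filter(dump):
    """Line-level substring match, kept only for comparison: it also drops an
    operator rule whose comment happens to contain 'neutron-'."""
    lines = [l for l in dump.splitlines() if NEUTRON_PREFIX not in l]
    return "\n".join(lines) + "\n"


def has_neutron_state(dump):
    """Post-update check for a persisted rules file: True if anything
    Neutron-owned is still in it."""
    return bool(strip_neutron_rules(dump)[1])


# Constructed sample: the chain names, comments and ports are illustrative
# and not copied from any TripleO or Neutron deployment.
SAMPLE_DUMP = textwrap.dedent("""\
    # Generated by iptables-save v1.4.21 on Thu Feb  8 18:14:15 2018
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :neutron-filter-top - [0:0]
    :neutron-openvswi-FORWARD - [0:0]
    :neutron-openvswi-INPUT - [0:0]
    :neutron-openvswi-local - [0:0]
    :neutron-openvswi-sg-chain - [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "000 accept related established rules" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 22 -m comment --comment "003 accept ssh" -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 9696 -m comment --comment "neutron-server api" -j ACCEPT
    -A INPUT -j neutron-openvswi-INPUT
    -A FORWARD -j neutron-filter-top
    -A FORWARD -j neutron-openvswi-FORWARD
    -A neutron-filter-top -j neutron-openvswi-local
    -A neutron-openvswi-FORWARD -m physdev --physdev-out tap1234abcd-ef --physdev-is-bridged -j neutron-openvswi-sg-chain
    COMMIT
    # Completed on Thu Feb  8 18:14:15 2018
    """)


if __name__ == "__main__":
    import sys
    # Filter a real saved file when a path is given, otherwise the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    filtered, removed = strip_neutron_rules(text)
    sys.stdout.write(filtered)
    sys.stderr.write("removed %d neutron-managed line(s)\n" % len(removed))
```

Run against a copy of /etc/sysconfig/iptables and diff the output before replacing the file. Consistent with the later "don't reload IPtables after cleanup" commits on this bug, the cleanup should not be followed by an iptables restart: restoring from the filtered file flushes the live Neutron chains, and the relevant Neutron agent then has to be restarted to recreate them.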

OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/541849
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=3c71c483e3e91d11fa83bfd751d2d8e54fdb4a20
Submitter: Zuul
Branch: master

commit 3c71c483e3e91d11fa83bfd751d2d8e54fdb4a20
Author: Emilien Macchi <email address hidden>
Date: Wed Feb 7 11:40:16 2018 -0800

    Remove neutron-managed firewall rules from /etc/sysconfig/iptables

    See https://bugzilla.redhat.com/show_bug.cgi?id=1541528

    We don't want IPtables rules managed by Neutron to be persistent; it can
    cause issues when rules are recreated while a namespace doesn't exist.

    This patch makes sure that in any Neutron node, no IPtables rule will be
    persistent if it contains "neutron-" in the name.

    Change-Id: Ife465c2c6739c3cbfb9923ed97f370baa745739c
    Related-Bug: #1747960

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/pike)

Related fix proposed to branch: stable/pike
Review: https://review.openstack.org/546997

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/ocata)

Related fix proposed to branch: stable/ocata
Review: https://review.openstack.org/546998

OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/ocata)

Reviewed: https://review.openstack.org/546998
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=001bb3555dea8b2d6b14502e16a2e55b86e94bf9
Submitter: Zuul
Branch: stable/ocata

commit 001bb3555dea8b2d6b14502e16a2e55b86e94bf9
Author: Emilien Macchi <email address hidden>
Date: Wed Feb 7 11:40:16 2018 -0800

    Remove neutron-managed firewall rules from /etc/sysconfig/iptables

    See https://bugzilla.redhat.com/show_bug.cgi?id=1541528

    We don't want IPtables rules managed by Neutron to be persistent; it can
    cause issues when rules are recreated while a namespace doesn't exist.

    This patch makes sure that in any Neutron node, no IPtables rule will be
    persistent if it contains "neutron-" in the name.

    Change-Id: Ife465c2c6739c3cbfb9923ed97f370baa745739c
    Related-Bug: #1747960
    (cherry picked from commit 3c71c483e3e91d11fa83bfd751d2d8e54fdb4a20)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/pike)

Reviewed: https://review.openstack.org/546997
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=d20bcb73682aa8362a6db633be2dd0cba8ce1276
Submitter: Zuul
Branch: stable/pike

commit d20bcb73682aa8362a6db633be2dd0cba8ce1276
Author: Emilien Macchi <email address hidden>
Date: Wed Feb 7 11:40:16 2018 -0800

    Remove neutron-managed firewall rules from /etc/sysconfig/iptables

    See https://bugzilla.redhat.com/show_bug.cgi?id=1541528

    We don't want IPtables rules managed by Neutron to be persistent; it can
    cause issues when rules are recreated while a namespace doesn't exist.

    This patch makes sure that in any Neutron node, no IPtables rule will be
    persistent if it contains "neutron-" in the name.

    Change-Id: Ife465c2c6739c3cbfb9923ed97f370baa745739c
    Related-Bug: #1747960
    (cherry picked from commit 3c71c483e3e91d11fa83bfd751d2d8e54fdb4a20)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/newton)

Reviewed: https://review.openstack.org/545075
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=5086c67bdf613ed57527446288722a9a2f736168
Submitter: Zuul
Branch: stable/newton

commit 5086c67bdf613ed57527446288722a9a2f736168
Author: Emilien Macchi <email address hidden>
Date: Wed Feb 7 11:40:16 2018 -0800

    Remove neutron-managed firewall rules from /etc/sysconfig/iptables

    See https://bugzilla.redhat.com/show_bug.cgi?id=1541528

    We don't want IPtables rules managed by Neutron to be persistent; it can
    cause issues when rules are recreated while a namespace doesn't exist.

    This patch makes sure that in any Neutron node, no IPtables rule will be
    persistent if it contains "neutron-" in the name.

    Change-Id: Ife465c2c6739c3cbfb9923ed97f370baa745739c
    Related-Bug: #1747960
    (cherry picked from commit 3c71c483e3e91d11fa83bfd751d2d8e54fdb4a20)

tags: added: in-stable-newton
Changed in tripleo:
milestone: queens-rc1 → rocky-1
Changed in tripleo:
status: Triaged → Fix Released
Alex Schultz (alex-schultz) wrote :

For tracking, the fix for this opened up https://bugs.launchpad.net/tripleo/+bug/1752441

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/551747

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/551748

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/pike)

Related fix proposed to branch: stable/pike
Review: https://review.openstack.org/551749

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/ocata)

Related fix proposed to branch: stable/ocata
Review: https://review.openstack.org/551750

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/newton)

Related fix proposed to branch: stable/newton
Review: https://review.openstack.org/551751

OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/newton)

Reviewed: https://review.openstack.org/551751
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=26dfe7aabaf6ec9d03a118b54338eb1ee924f8fa
Submitter: Zuul
Branch: stable/newton

commit 26dfe7aabaf6ec9d03a118b54338eb1ee924f8fa
Author: Emilien Macchi <email address hidden>
Date: Sun Mar 11 08:30:19 2018 +0100

    firewall: don't reload IPtables after cleanup

    This patch stops the IPtables reload when doing Neutron rules cleanup.

    Full context:
    puppetlabs-firewall only manages the current state of iptables
    rules and writes out the rules to a file to ensure they are
    persisted. We are specifically running the following commands after the
    iptables rules to ensure the persisted file does not contain any
    ephemeral neutron rules. Neutron assumes the iptables rules are not
    persisted so it may cause an issue if the rule is loaded on boot
    (or via iptables restart). If an operator needs to reload iptables
    for any reason, they may need to manually reload the appropriate
    neutron agent to restore these iptables rules.

    rhbz#1541528
    Related-Bug: #1747960
    Change-Id: I1ab3a52306b91baadb70d2210a378417087f1ecf
    (cherry picked from commit 5fc0b5600d7bd1c2e032c8bfd1d9a550e8165845)

OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/ocata)

Reviewed: https://review.openstack.org/551750
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=3d3201f33640053fd9985e2eef637a6f2773ad5d
Submitter: Zuul
Branch: stable/ocata

commit 3d3201f33640053fd9985e2eef637a6f2773ad5d
Author: Emilien Macchi <email address hidden>
Date: Sun Mar 11 08:30:19 2018 +0100

    firewall: don't reload IPtables after cleanup

    This patch stops the IPtables reload when doing Neutron rules cleanup.

    Full context:
    puppetlabs-firewall only manages the current state of iptables
    rules and writes out the rules to a file to ensure they are
    persisted. We are specifically running the following commands after the
    iptables rules to ensure the persisted file does not contain any
    ephemeral neutron rules. Neutron assumes the iptables rules are not
    persisted so it may cause an issue if the rule is loaded on boot
    (or via iptables restart). If an operator needs to reload iptables
    for any reason, they may need to manually reload the appropriate
    neutron agent to restore these iptables rules.

    rhbz#1541528
    Related-Bug: #1747960
    Change-Id: I1ab3a52306b91baadb70d2210a378417087f1ecf
    (cherry picked from commit 5fc0b5600d7bd1c2e032c8bfd1d9a550e8165845)

OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/pike)

Reviewed: https://review.openstack.org/551749
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=c95c51c9516dc8ca7b599bb7299c35276fb02eab
Submitter: Zuul
Branch: stable/pike

commit c95c51c9516dc8ca7b599bb7299c35276fb02eab
Author: Emilien Macchi <email address hidden>
Date: Sun Mar 11 08:30:19 2018 +0100

    firewall: don't reload IPtables after cleanup

    This patch stops the IPtables reload when doing Neutron rules cleanup.

    Full context:
    puppetlabs-firewall only manages the current state of iptables
    rules and writes out the rules to a file to ensure they are
    persisted. We are specifically running the following commands after the
    iptables rules to ensure the persisted file does not contain any
    ephemeral neutron rules. Neutron assumes the iptables rules are not
    persisted so it may cause an issue if the rule is loaded on boot
    (or via iptables restart). If an operator needs to reload iptables
    for any reason, they may need to manually reload the appropriate
    neutron agent to restore these iptables rules.

    rhbz#1541528
    Related-Bug: #1747960
    Change-Id: I1ab3a52306b91baadb70d2210a378417087f1ecf
    (cherry picked from commit 5fc0b5600d7bd1c2e032c8bfd1d9a550e8165845)

OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/551747
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=65f3714164f3c3be4d6b4eb6a29c753b4f0fee96
Submitter: Zuul
Branch: master

commit 65f3714164f3c3be4d6b4eb6a29c753b4f0fee96
Author: Emilien Macchi <email address hidden>
Date: Sun Mar 11 08:30:19 2018 +0100

    firewall: don't reload IPtables after cleanup

    This patch stops the IPtables reload when doing Neutron rules cleanup.

    Full context:
    puppetlabs-firewall only manages the current state of iptables
    rules and writes out the rules to a file to ensure they are
    persisted. We are specifically running the following commands after the
    iptables rules to ensure the persisted file does not contain any
    ephemeral neutron rules. Neutron assumes the iptables rules are not
    persisted so it may cause an issue if the rule is loaded on boot
    (or via iptables restart). If an operator needs to reload iptables
    for any reason, they may need to manually reload the appropriate
    neutron agent to restore these iptables rules.

    rhbz#1541528
    Related-Bug: #1747960
    Change-Id: I1ab3a52306b91baadb70d2210a378417087f1ecf

OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/queens)

Reviewed: https://review.openstack.org/551748
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=41432382a438ea01a25f4c2c7a4d7e9394f53b50
Submitter: Zuul
Branch: stable/queens

commit 41432382a438ea01a25f4c2c7a4d7e9394f53b50
Author: Emilien Macchi <email address hidden>
Date: Sun Mar 11 08:30:19 2018 +0100

    firewall: don't reload IPtables after cleanup

    This patch stops the IPtables reload when doing Neutron rules cleanup.

    Full context:
    puppetlabs-firewall only manages the current state of iptables
    rules and writes out the rules to a file to ensure they are
    persisted. We are specifically running the following commands after the
    iptables rules to ensure the persisted file does not contain any
    ephemeral neutron rules. Neutron assumes the iptables rules are not
    persisted so it may cause an issue if the rule is loaded on boot
    (or via iptables restart). If an operator needs to reload iptables
    for any reason, they may need to manually reload the appropriate
    neutron agent to restore these iptables rules.

    rhbz#1541528
    Related-Bug: #1747960
    Change-Id: I1ab3a52306b91baadb70d2210a378417087f1ecf
    (cherry picked from commit 5fc0b5600d7bd1c2e032c8bfd1d9a550e8165845)

tags: added: in-stable-queens