tripleo

Manila port is not open in firewall when deploying the Manila API service on a different role than controller

Bug #1640568 reported by Tom Barron
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
High
Tom Barron
tripleo ocata-1 "ocata-1"

Bug Description

Description of problem:
Manila port is not open in firewall when deploying the service on a different role than controller:

Deploy command and environment files:
http://paste.openstack.org/show/588586/

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-5.0.0-1.4.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Deploy overcloud with Manila on a different role than controller
2. Check iptables rules on role running Manila API

Actual results:
iptables -nL | grep 8786
There is no accept rule so access to Manila API from haproxy is blocked.

Expected results:
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 8786 /* 100 manila_haproxy */ state NEW

Additional info:
Workaround:
iptables -I INPUT -p tcp -m multiport --dports 8786 -m comment --comment "100 manila_haproxy" -m state --state NEW -j ACCEPT

Tom Barron (tpb)
Changed in tripleo:
assignee: nobody → Tom Barron (tpb)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/395769

Changed in tripleo:
status: New → In Progress
James Slagle (james-slagle)
Changed in tripleo:
importance: Undecided → High
milestone: none → ocata-2
tags: added: composable-roles newton-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/395769
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=96a458d52dc691fa3bb25154d5da61edebd7f849
Submitter: Jenkins
Branch: master

commit 96a458d52dc691fa3bb25154d5da61edebd7f849
Author: Tom Barron <email address hidden>
Date: Wed Nov 9 14:01:23 2016 -0500

    Add firewall rules for manila api service

    When the manila api service is deployed
    on a different role than the controller the
    iptables rules on that role fail to ACCEPT
    tcp at the manila API ports.

    Add tripleo.manila_api.firewall_rules to
    the relevant puppet services module.

    Change-Id: I1c5459f5ba989657fd99fd72c7ac9f8781cc7206
    Closes-Bug: #1640568

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/396183

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/newton)

Reviewed: https://review.openstack.org/396183
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=4f4858dfb94ac586f894e306e82ab381b6070bad
Submitter: Jenkins
Branch: stable/newton

commit 4f4858dfb94ac586f894e306e82ab381b6070bad
Author: Tom Barron <email address hidden>
Date: Wed Nov 9 14:01:23 2016 -0500

    Add firewall rules for manila api service

    When the manila api service is deployed
    on a different role than the controller the
    iptables rules on that role fail to ACCEPT
    tcp at the manila API ports.

    Add tripleo.manila_api.firewall_rules to
    the relevant puppet services module.

    Change-Id: I1c5459f5ba989657fd99fd72c7ac9f8781cc7206
    Closes-Bug: #1640568
    (cherry picked from commit 96a458d52dc691fa3bb25154d5da61edebd7f849)

tags: added: in-stable-newton
Steven Hardy (shardy)
Changed in tripleo:
milestone: ocata-2 → ocata-1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 6.0.0.0b1

This issue was fixed in the openstack/tripleo-heat-templates 6.0.0.0b1 development milestone.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 5.2.0

This issue was fixed in the openstack/tripleo-heat-templates 5.2.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.