OpenDaylight Missing API Firewall rules

Bug #1651476 reported by Tim Rozet
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Tim Rozet

Bug Description

OpenDaylight service is missing firewall rules for its northbound API service (default port 8081). It is also missing the corresponding HAProxy rule. This is because ODL is using the old method for defining an haproxy configuration rather than endpoint. Endpoint automatically creates the firewall entry.

A non-HA deployment will not be affected by the missing rules; however, an HA or custom role deployment may encounter problems.

Tim Rozet (trozet)
Changed in tripleo:
assignee: nobody → Tim Rozet (trozet)
Tim Rozet (trozet) wrote :

Note we are also missing ports 6640 and 6653, for managing OVS via OVSDB and connecting via the OpenFlow protocol, respectively.

summary: - OpenDaylight Missing NorthBound Firewall rules
+ OpenDaylight Missing API Firewall rules
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/413228

Changed in tripleo:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/413233

Steven Hardy (shardy)
Changed in tripleo:
milestone: none → ocata-3
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/413228
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=0f002c65147e6148636b87395548e5406c5601bc
Submitter: Jenkins
Branch: master

commit 0f002c65147e6148636b87395548e5406c5601bc
Author: Tim Rozet <email address hidden>
Date: Tue Dec 20 15:45:00 2016 -0500

    Fixes missing haproxy firewall rules for OpenDaylight

    This migrates the haproxy config for ODL to use the
    tripleo::haproxy::endpoint class. This class automatically configures
    firewall rules for each haproxy endpoint. Also removes listening on
    public network for IP and adds listening on ctlplane network for admin
    access.

    Partial-Bug: 1651476

    Change-Id: I1f2af2793d040fda17bf73252afe59434d99f31f
    Signed-off-by: Tim Rozet <email address hidden>

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/413233
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=22ba81cf9dd8b2690c3e8c0eee5a70dcb37e10c4
Submitter: Jenkins
Branch: master

commit 22ba81cf9dd8b2690c3e8c0eee5a70dcb37e10c4
Author: Tim Rozet <email address hidden>
Date: Tue Dec 20 15:56:00 2016 -0500

    Adds missing firewall rules for OpenDaylight API service

    Custom role deployments were not working when ODL API was on a different
    node due to firewall rules blocking traffic. This patch adds the
    missing rules for the REST communication to ODL (8081 by default), OVSDB
    connection (6640), and OpenFlow protocol (6653).

    Closes-Bug: 1651476
    Depends-On: I1f2af2793d040fda17bf73252afe59434d99f31f

    Change-Id: Ic0119c783d01e864c49fa06a66fdd68c059a726b
    Signed-off-by: Tim Rozet <email address hidden>
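
An added example, not part of the bug report or the TripleO patches: a shell check that reads `iptables -S INPUT` output and lists which of the three ports named above (8081, 6640, 6653) have no TCP ACCEPT rule, including rules written as multiport lists or port ranges. The function names and the sample rules are constructed for illustration.

```sh
#!/bin/sh
# Ports from the bug report: ODL REST API (default), OVSDB, OpenFlow.
ODL_PORTS="8081 6640 6653"

# missing_odl_ports (hypothetical helper): read `iptables -S INPUT` style rules
# on stdin and print the ODL ports that no TCP ACCEPT rule covers.
# Assumption: rule order and source (-s) restrictions are not evaluated.
missing_odl_ports() {
  awk -v want="$ODL_PORTS" '
    BEGIN { n = split(want, ports, " ") }
    # Only TCP ACCEPT rules appended to the INPUT chain count.
    $1 == "-A" && $2 == "INPUT" && / -p tcp / && / -j ACCEPT( |$)/ {
      for (i = 1; i < NF; i++) {
        if ($i != "--dport" && $i != "--dports") continue
        m = split($(i + 1), specs, ",")        # multiport list, e.g. 6640,6653
        for (s = 1; s <= m; s++) {
          lo = hi = specs[s]
          if (split(specs[s], r, ":") == 2) { lo = r[1]; hi = r[2] }  # range lo:hi
          for (p = 1; p <= n; p++)
            if (ports[p] + 0 >= lo + 0 && ports[p] + 0 <= hi + 0) ok[ports[p]] = 1
        }
      }
    }
    END {
      out = ""
      for (p = 1; p <= n; p++)
        if (!(ports[p] in ok)) out = out (out == "" ? "" : " ") ports[p]
      print out
    }'
}

# Constructed sample: a node that opened only the REST API port over TCP.
sample_rules() {
  cat <<'EOF'
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8081 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 6653 -j ACCEPT
EOF
}

# On a real node: iptables -S INPUT | missing_odl_ports
echo "missing ODL ports: $(sample_rules | missing_odl_ports)"
```
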

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/417013

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/417015

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/newton)

Reviewed: https://review.openstack.org/417013
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=6078666290a151729d59557c00a41fb1a31ba506
Submitter: Jenkins
Branch: stable/newton

commit 6078666290a151729d59557c00a41fb1a31ba506
Author: Tim Rozet <email address hidden>
Date: Tue Dec 20 15:45:00 2016 -0500

    Fixes missing haproxy firewall rules for OpenDaylight

    This migrates the haproxy config for ODL to use the
    tripleo::haproxy::endpoint class. This class automatically configures
    firewall rules for each haproxy endpoint. Also removes listening on
    public network for IP and adds listening on ctlplane network for admin
    access.

    Partial-Bug: 1651476

    Change-Id: I1f2af2793d040fda17bf73252afe59434d99f31f
    Signed-off-by: Tim Rozet <email address hidden>
    (cherry picked from commit 0f002c65147e6148636b87395548e5406c5601bc)

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/newton)

Reviewed: https://review.openstack.org/417015
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=64f2e3972856aea55189687dbb61054120bfed13
Submitter: Jenkins
Branch: stable/newton

commit 64f2e3972856aea55189687dbb61054120bfed13
Author: Tim Rozet <email address hidden>
Date: Tue Dec 20 15:56:00 2016 -0500

    Adds missing firewall rules for OpenDaylight API service

    Custom role deployments were not working when ODL API was on a different
    node due to firewall rules blocking traffic. This patch adds the
    missing rules for the REST communication to ODL (8081 by default), OVSDB
    connection (6640), and OpenFlow protocol (6653).

    Closes-Bug: 1651476
    Depends-On: I1f2af2793d040fda17bf73252afe59434d99f31f

    Change-Id: Ic0119c783d01e864c49fa06a66fdd68c059a726b
    Signed-off-by: Tim Rozet <email address hidden>
    (cherry picked from commit 22ba81cf9dd8b2690c3e8c0eee5a70dcb37e10c4)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 6.0.0.0rc1

This issue was fixed in the openstack/tripleo-heat-templates 6.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 5.3.0

This issue was fixed in the openstack/tripleo-heat-templates 5.3.0 release.
