tripleo::firewall does not work as intended if the image has prepopulated firewall rules
Bug #1657108 reported by Michele Baldessari
This bug affects 1 person

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Fix Released | High | Michele Baldessari |
Bug Description
I believe we've seen something of the sort here:
http://
So my initial thinking is the following:
- We started off with an image that has firewall enabled and lets only ICMP and ssh through
- We call the cluster setup stuff which will fail because the pcsd port is not open
- The tripleo firewall opens the cluster ports too late in the game
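Added example, not part of the bug report or of tripleo's own code: a small Python checker that parses an iptables-save style file and reports whether a fresh TCP connection from another host would reach an ACCEPT rule in INPUT before the catch-all REJECT. It runs against a constructed copy of the stock ruleset Michele pasted in the comment, and it assumes pcsd's default port, TCP 2224, which the report does not name. The `with_rule` helper is also an assumption for illustration: it shows why a rule that is merely appended after the REJECT (the effect of opening the port too late) changes nothing, while the same rule inserted ahead of the REJECT does.

```python
from typing import List, Optional

# Constructed copy of the stock /etc/sysconfig/iptables quoted in this bug: only
# loopback, ICMP, established traffic and ssh get in; a catch-all REJECT ends INPUT.
PREPOPULATED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

PCSD_PORT = 2224  # assumption: pcsd's default TCP port; the bug does not name it
TERMINAL_TARGETS = {"REJECT", "DROP"}


def parse_chain(rules: str, chain: str = "INPUT") -> List[List[str]]:
    """Rule specs appended to `chain` (tokens after '-A <chain>'), in file order."""
    specs = []
    for line in rules.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "-A" and tokens[1] == chain:
            specs.append(tokens[2:])
    return specs


def chain_policy(rules: str, chain: str = "INPUT") -> str:
    """Default policy of `chain`, read from its ':<chain> <POLICY> [...]' line."""
    for line in rules.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == ":" + chain:
            return tokens[1]
    return "ACCEPT"


def _opt(tokens: List[str], *names: str) -> Optional[str]:
    """Value following the first of `names` present in a token list, if any."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def tcp_port_admitted(rules: str, port: int, chain: str = "INPUT") -> bool:
    """True if a fresh TCP connection from another host to `port` reaches ACCEPT
    in `chain` before a REJECT/DROP, or falls through to an ACCEPT policy.
    Understands the simple rule shapes of the bug's ruleset, not every match."""
    for tokens in parse_chain(rules, chain):
        if _opt(tokens, "-i") == "lo":
            continue  # loopback-only rule: irrelevant to remote peers
        state = _opt(tokens, "--state")
        if state and "NEW" not in state.upper():
            continue  # established-only rule: cannot admit a new connection
        proto, dport = _opt(tokens, "-p"), _opt(tokens, "--dport")
        if proto not in (None, "tcp") or (dport is not None and dport != str(port)):
            continue  # rule does not match this protocol/port at all
        target = _opt(tokens, "-j")
        if target == "ACCEPT":
            return True
        if target in TERMINAL_TARGETS:
            return False
    return chain_policy(rules, chain) == "ACCEPT"


def with_rule(rules: str, rule: str, before_reject: bool) -> str:
    """Add an '-A <chain> ...' rule either after the chain's last rule (what a
    late append does) or just ahead of the chain's first REJECT/DROP rule."""
    lines = rules.splitlines()
    chain = rule.split()[1]
    idx = None
    for i, line in enumerate(lines):
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "-A" or tokens[1] != chain:
            continue
        if not before_reject:
            idx = i + 1  # keep advancing: land after the chain's last rule
        elif _opt(tokens[2:], "-j") in TERMINAL_TARGETS:
            idx = i
            break
    if idx is None:
        idx = lines.index("COMMIT")
    lines.insert(idx, rule)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    pcsd_rule = f"-A INPUT -p tcp -m tcp --dport {PCSD_PORT} -j ACCEPT"
    for label, rules in (("stock image", PREPOPULATED_RULES),
                         ("pcsd rule appended late", with_rule(PREPOPULATED_RULES, pcsd_rule, False)),
                         ("pcsd rule inserted early", with_rule(PREPOPULATED_RULES, pcsd_rule, True))):
        print(f"{label:25} ssh={tcp_port_admitted(rules, 22)} pcsd={tcp_port_admitted(rules, PCSD_PORT)}")
```

Pointed at a node's `/etc/sysconfig/iptables` or at `iptables-save` output before cluster setup starts, a False for the pcsd port is exactly the state the controller nodes are in when `pcs cluster auth` fails; the stock ruleset admits port 22 but not 2224, and a late `-A` leaves that unchanged because the REJECT is evaluated first.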
tags: added: composable-roles
Changed in tripleo:
importance: Undecided → High
status: New → Triaged
Changed in tripleo:
milestone: ocata-3 → ocata-rc1
summary:
- pacemaker cluster setup fails if the image has prepopulated firewall rules with no cluster/pcsd access
+ tripleo::firewall does not work as intended if the image has prepopulated firewall rules
Changed in tripleo:
status: Fix Released → In Progress
Changed in tripleo:
status: In Progress → Fix Released
So I can confirm this theory. I have injected the following (standard?) iptables file in /etc/sysconfig:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
On a deploy where pacemaker is included in controller0,1,2 and galera0, and where pacemaker-remote is added to the remote-0 and rabbit-0 nodes, I get the following situation:
A) controller0,1,2:
[root@overcloud-controller-0 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6394 1363K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  189 11340 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
  861 54822 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 7933 packets, 1231K bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@overcloud-controller-0 ~]# systemctl is-active iptables
active
So in this situation the command that sets up the cluster, which expects to be able to talk to the pcsd ports, will fail:
2017-01-18 11:39:54 +0000 Puppet (debug): Executing: '/sbin/pcs cluster auth overcloud-controller-0 overcloud-controller-1 overcloud-controller-2 overcloud-galera-0 -u hacluster -p a6KKVbqfDqep2zgL --force'
Interestingly we also have:
B) overcloud-galera-0
[root@overcloud-galera-0 ~]# more /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@overcloud-galera-0 ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
C) overcloud-rabbit-0
[root@overcloud-rabbit-0 ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot op...