Containerized haproxy does not open firewall when using composable roles
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Fix Released | High | Damien Ciabrini |
Bug Description
So in https:/
{{role.
type: OS::Heat::Value
properties:
type: string
value:
yaql:
# select 'step_config' only from services that do not have a docker_config
data:
The problem is that in our current haproxy HA docker service we need both docker_config *and* step_config to do stuff. Namely in step_config we'd like to create the extra haproxy iptables rules that are needed when you split off galera/rabbit/etc off the haproxy nodes (controllers) whereas in docker_config we create the pacemaker bundle which manages the haproxy container.
In the current situation when we deploy an overcloud with galera and rabbitmq off to separate nodes, we can observe that the iptables rules on the haproxy node are not created:
https:/
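The selection rule quoted in the template comment above, modelled in Python as an added example (not code from the bug report or from tripleo-heat-templates); the service entries and manifest strings are constructed placeholders. It shows why a service that sets both keys loses its host-side firewall rules, and lists every service in that state.

```python
"""Model of the step_config selection described in this bug report."""

# Constructed sample data: service names and manifest snippets are
# placeholders, not the contents of tripleo-heat-templates.
SERVICES = [
    {"name": "ntp",
     "step_config": "include ::example::ntp",
     "docker_config": None},
    {"name": "haproxy",
     # Host-side work: firewall rules for the load-balanced services.
     "step_config": "include ::example::haproxy_firewall",
     # Container-side work: the pacemaker bundle managing haproxy.
     "docker_config": {"step_2": {"haproxy_bundle": {}}}},
    {"name": "keystone",
     "step_config": None,
     "docker_config": {"step_3": {"keystone": {}}}},
]


def host_step_config(services):
    """Keep step_config only from services that have no docker_config."""
    kept = [s["step_config"] for s in services
            if s["docker_config"] is None and s["step_config"] is not None]
    return "\n".join(kept)


def dropped_host_config(services):
    """Names of services whose step_config is silently discarded."""
    return [s["name"] for s in services
            if s["docker_config"] is not None and s["step_config"] is not None]


if __name__ == "__main__":
    print("applied on host:")
    print(host_step_config(SERVICES))
    for name in dropped_host_config(SERVICES):
        print(f"WARNING: {name} defines both; its step_config never runs")
```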
summary:
- In docker step_config is only run when docker_config is empty
+ Containerized haproxy does not open firewall when using composable roles
We discussed this with shardy and there was always the assumption that docker_config and step_config were an either/or kind of thing. While we could change this back it would have a larger impact.
The other options we discussed are:
- Use host_prep_task
- Move the logic to tripleo::firewall
- Add a OS::Tripleo::HAProxyFirewallRules "service" that is still applied on the host for the docker case
Another option might be to just make it so that we can create the iptables rules on the host using a short-lived docker container.