Containerized HAproxy puppet-config fails for non-HA

Bug #1697921 reported by Damien Ciabrini
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
tripleo | Fix Released | Undecided | Alex Schultz |

Bug Description

The containerized HAproxy service is not working properly due to some iptables rules that are being executed in the ephemeral container during the puppet-config step.

The iptables rules should only be executed afterwards, once the config is generated and the service is being set up.

milan k (vetrisko) wrote :

I'd say this isn't an inspector bug but rather a TripleO thing, no?

Changed in ironic-inspector:
status: New → Opinion
Damien Ciabrini (dciabrin) wrote :

oops, sorry milan, wrong assignment!

affects: ironic-inspector → tripleo
Julie Pichon (jpichon) wrote :

May be related to bug 1697645 / bug 1697684?

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/486141

Changed in tripleo:
assignee: nobody → Damien Ciabrini (dciabrin)
status: Opinion → In Progress
Changed in tripleo:
assignee: Damien Ciabrini (dciabrin) → Emilien Macchi (emilienm)
Changed in tripleo:
assignee: Emilien Macchi (emilienm) → Alex Schultz (alex-schultz)
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/486141
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=50f160a148b6a973891ffc6d0882f4c0d597336e
Submitter: Jenkins
Branch: master

commit 50f160a148b6a973891ffc6d0882f4c0d597336e
Author: Damien Ciabrini <email address hidden>
Date: Thu Jul 20 11:48:22 2017 -0400

    Prevent haproxy to run iptables during docker-puppet configuration

    When docker-puppet runs module tripleo::haproxy to generate haproxy
    configuration file, and tripleo::firewall::manage_firewall is true,
    iptables is called to set up firewall rules for the proxied services
    and fails due to lack of NET_ADMIN capability.

    Make the generation of firewall rule configurable by exposing a
    new argument to the puppet module. That way, firewall management can
    be temporarily disabled when being run through docker-puppet.

    Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9
    Partial-Bug: #1697921

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/474183
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=4645d9ce833197c42a563773cbf026d8853a4426
Submitter: Jenkins
Branch: master

commit 4645d9ce833197c42a563773cbf026d8853a4426
Author: Damien Ciabrini <email address hidden>
Date: Wed Jun 14 07:52:33 2017 -0400

    Fix creation of iptables rules for non-HA containerized HAproxy

    The introduction of I90253412a5e2cd8e56e74cce3548064c06d022b1 broke the HAproxy
    service due to some HAproxy-specific iptables rules being executed during the
    puppet config step.

    Ensure that no iptables call is performed during the generation of configuration
    files. Move those calls to step 1, as implemented in the pacemaker-based
    HAproxy service (Ib5a083ba3299a82645f1a0f9da0d482c6b89ee23).

    Depends-On: I2d6274d061039a9793ad162ed8e750bd87bf71e9
    Closes-Bug: #1697921

    Change-Id: Ica3a432ff4a9e7a46df22cddba9ad96e1390b665

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 7.0.0.0rc1

This issue was fixed in the openstack/tripleo-heat-templates 7.0.0.0rc1 release candidate.
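
A preflight check for the failure described in the commit messages above, as an added example that is not part of puppet-tripleo or tripleo-heat-templates: it tests whether a process holds CAP_NET_ADMIN before any iptables call is attempted. The function names and the two sample capability masks are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from puppet-tripleo or tripleo-heat-templates.
# Reports whether a process can apply iptables rules by testing the
# CAP_NET_ADMIN bit of its effective capability mask (CapEff).

CAP_NET_ADMIN=12   # bit index from <linux/capability.h>

# cap_in_mask HEXMASK BIT: 0 if BIT is set, 1 if clear, 2 if HEXMASK is malformed.
cap_in_mask() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# mode_for_mask HEXMASK: print apply, config-only or unknown.
mode_for_mask() {
    rc=0
    cap_in_mask "$1" "$CAP_NET_ADMIN" || rc=$?
    case "$rc" in
        0) echo apply ;;          # iptables calls can succeed
        1) echo config-only ;;    # generate files only, defer firewall rules
        *) echo unknown ;;        # mask missing or not hexadecimal
    esac
}

# firewall_mode [STATUS_FILE]: same decision, reading CapEff from a
# /proc/<pid>/status style file (defaults to the calling process).
firewall_mode() {
    caps=$(awk '$1 == "CapEff:" { print $2 }' "${1:-/proc/self/status}" 2>/dev/null) || caps=""
    mode_for_mask "$caps"
}

# Constructed sample masks: Docker's default capability set, then the same
# set with CAP_NET_ADMIN added.
for mask in 00000000a80425fb 00000000a80435fb; do
    printf '%s -> %s\n' "$mask" "$(mode_for_mask "$mask")"
done
```

Run inside the configuration-generation container it should report config-only; inside the container that applies the firewall rules it should report apply.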
