tripleo

puppet-firewall changed the ipv6-icmp rule type name

Bug #1720918 reported by Ben Nemec on 2017-10-03

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	Critical	Juan Antonio Osorio Robles	tripleo queens-3

Bug Description

https://github.com/puppetlabs/puppetlabs-firewall/commit/41fb8205b68aec8a3683e1b4f53ec9de2246d504 changed the name of the ipv6-icmp rule type to icmpv6. This has broken us because puppet-tripleo uses the old name. This is a breaking change, but according to the man page of ip6tables icmpv6 is correct so I guess we should update our rules to use that instead.

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-10-03: Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/509041

Changed in tripleo:
status:	Triaged → In Progress

Revision history for this message

Ben Nemec (bnemec) wrote on 2017-10-03:

I should note that this is critical because it's blocking installation of the undercloud. It would probably break the overcloud on update too.

Revision history for this message

Ben Nemec (bnemec) wrote on 2017-10-03:

In case the gerrit bot is also broken right now: https://review.openstack.org/509041

Revision history for this message

Michele Baldessari (michele) wrote on 2017-10-03:

Marked 1720938 as a duplicate. Here is how the undercloud fails:

http://logs.openstack.org/60/508660/11/check/legacy-tripleo-ci-centos-7-scenario002-multinode-oooq-puppet/70633da/logs/undercloud/home/zuul/undercloud_install.log.txt.gz#_2017-10-03_04_10_41

[1;31mError: Parameter proto failed on Firewall[001 accept all icmp ipv6]: Invalid value "ipv6-icmp". Valid values are ip, ! ip, tcp, ! tcp, udp, ! udp, icmp, ! icmp, icmpv6, ! icmpv6, esp, ! esp, ah, ! ah, vrrp, ! vrrp, igmp, ! igmp, ipencap, ! ipencap, ipv4, ! ipv4, ipv6, ! ipv6, ospf, ! ospf, gre, ! gre, cbt, ! cbt, sctp, ! sctp, pim, ! pim, all, ! all. at /etc/puppet/modules/tripleo/manifests/firewall/rule.pp:155

tags:

added: alert ci

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-10-03: Change abandoned on puppet-tripleo (master)

Change abandoned by Ben Nemec (<email address hidden>) on branch: master
Review: https://review.openstack.org/509041
Reason: In favor of https://review.openstack.org/#/c/509086 which updates the unit test too.

Revision history for this message

Ben Nemec (bnemec) wrote on 2017-10-03:

Fix is now being worked in https://review.openstack.org/#/c/509086/

Revision history for this message

Alfredo Moralejo (amoralej) wrote on 2017-10-03:

As per conversation in #tripleo puppet-firewall has been pinned to last good commit https://github.com/puppetlabs/puppetlabs-firewall/commit/2ddfc4a4357e8e39191dc968bb8d9aa3ab1c750e in RDO https://review.rdoproject.org/r/#/c/9916

Note that, in order to merge https://review.openstack.org/#/c/509086/ we'll need to unpin it again. When gates are working and everything is ready to merge it, you can propose revert of https://review.rdoproject.org/r/#/c/9916

Revision history for this message

Ben Nemec (bnemec) wrote on 2017-10-03:

Dropping alert since we pinned, but leaving open as critical since we do still need to address this ASAP.

tags:

removed: alert

OpenStack Infra (hudson-openstack) on 2017-10-10

Changed in tripleo:
assignee:	Ben Nemec (bnemec) → Juan Antonio Osorio Robles (juan-osorio-robles)

Emilien Macchi (emilienm) on 2017-10-23

Changed in tripleo:
milestone:	queens-1 → queens-2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-11-01:

Change abandoned by Ben Nemec (<email address hidden>) on branch: master
Review: https://review.openstack.org/509086
Reason: Cool, that's easier than trying to coordinate multiple changes at once. :-)