Fix iptables rules override bug in clustercheck docker service
When deploying a composable HA overcloud with a database role split off
to separate nodes we could observe a deployment failure due to galera
never starting up properly.
The reason for this was that instead of having the firewall rules for
the galera bundle applied (i.e. those with the extra control-port for
the bundle), we would see the firewall rules for the BM galera service.
E.g. we would see the following on the host:
tripleo.mysql.firewall_rules: {
  104 mysql galera: {
    dport: [ 873, 3306, 4444, 4567, 4568, 9200 ]
Instead of the correct mysql bundle firewall rules:
tripleo.mysql.firewall_rules:
  104 mysql galera-bundle:
    dport: [ 873, 3123, 3306, 4444, 4567, 4568, 9200 ]
The reason for this is the following piece of code in https://github.com/openstack/tripleo-heat-templates/blob/master/docker/services/pacemaker/clustercheck.yaml#L62:
...
  MysqlPuppetBase:
    type: ../../../puppet/services/pacemaker/database/mysql.yaml
    properties:
      EndpointMap: {get_param: EndpointMap}
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}
Depending on the ordering of the clustercheck service within the role
(before or after the mysql service), the above code will override the
tripleo.mysql.firewall_rules with the wrong rules because we derive from
puppet/services/... which contain the BM firewall rules.
Let's just switch to derive from the docker service so we do not risk
getting the wrong firewall rules during the map_merge.
Tested this change successfully on a composable HA with split-off DB
nodes.
Change-Id: Ie87b327fe7981d905f8762d3944a0e950dbd0bfa
Closes-Bug: #1728918
(cherry picked from commit 3df6a4204a85b119cd67ccf176d5b72f9e550da6)
Reviewed: https://review.openstack.org/517576
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=ba80b2bec5bcfc638c670debf11a98bd491ec996
Submitter: Zuul
Branch: stable/pike
commit ba80b2bec5bcfc638c670debf11a98bd491ec996
Author: Michele Baldessari <email address hidden>
Date: Tue Oct 31 13:23:17 2017 +0100
Fix iptables rules override bug in clustercheck docker service
When deploying a composable HA overcloud with a database role split off
to separate nodes we could observe a deployment failure due to galera
never starting up properly.
The reason for this was that instead of having the firewall rules for
the galera bundle applied (i.e. those with the extra control-port for
the bundle), we would see the firewall rules for the BM galera service.
E.g. we would see the following on the host:
tripleo.mysql.firewall_rules: {
  104 mysql galera: {
    dport: [ 873, 3306, 4444, 4567, 4568, 9200 ]
Instead of the correct mysql bundle firewall rules:
tripleo.mysql.firewall_rules:
  104 mysql galera-bundle:
    dport: [ 873, 3123, 3306, 4444, 4567, 4568, 9200 ]
The reason for this is the following piece of code in https://github.com/openstack/tripleo-heat-templates/blob/master/docker/services/pacemaker/clustercheck.yaml#L62:
...
  MysqlPuppetBase:
    type: ../../../puppet/services/pacemaker/database/mysql.yaml
    properties:
      EndpointMap: {get_param: EndpointMap}
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}
outputs:
  role_data:
    description: Containerized service clustercheck using composable services.
    value:
      service_name: clustercheck
      config_settings: {get_attr: [MysqlPuppetBase, role_data, config_settings]}
      logging_source: {get_attr: [MysqlPuppetBase, role_data, logging_source]}
...
Depending on the ordering of the clustercheck service within the role
(before or after the mysql service), the above code will override the
tripleo.mysql.firewall_rules with the wrong rules because we derive from
puppet/services/... which contain the BM firewall rules.
Let's just switch to derive from the docker service so we do not risk
getting the wrong firewall rules during the map_merge.
Tested this change successfully on a composable HA with split-off DB
nodes.
Change-Id: Ie87b327fe7981d905f8762d3944a0e950dbd0bfa
Closes-Bug: #1728918
(cherry picked from commit 3df6a4204a85b119cd67ccf176d5b72f9e550da6)
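
The ordering problem described in the commit message, as an added example that is not part of the commit or of tripleo-heat-templates: a Python model of a map_merge in which later maps replace earlier keys, run over constructed config_settings built from the two port lists quoted above. The service names, the two-service role, the post-fix settings and the `conflicting_keys` check are assumptions made for illustration.

```python
# Added illustration (not tripleo-heat-templates code). Models a map_merge in
# which values in later maps replace values in earlier ones, key by key.
FW_KEY = "tripleo.mysql.firewall_rules"

# Constructed config_settings, using the two port lists from the commit message.
MYSQL_BUNDLE = {FW_KEY: {"104 mysql galera-bundle": {
    "dport": [873, 3123, 3306, 4444, 4567, 4568, 9200]}}}
# Before the fix clustercheck re-exported the puppet (BM) mysql settings.
CLUSTERCHECK_BEFORE = {FW_KEY: {"104 mysql galera": {
    "dport": [873, 3306, 4444, 4567, 4568, 9200]}}}
# Assumption: after the fix it re-exports the docker service's settings.
CLUSTERCHECK_AFTER = {FW_KEY: dict(MYSQL_BUNDLE[FW_KEY])}


def map_merge(maps):
    """Shallow merge: a key present in a later map replaces the earlier value."""
    merged = {}
    for m in maps:
        merged.update(m)
    return merged


def opened_ports(services):
    """services is an ordered list of (name, config_settings) for one role."""
    merged = map_merge(cs for _, cs in services)
    return {p for rule in merged.get(FW_KEY, {}).values() for p in rule["dport"]}


def conflicting_keys(services):
    """Map each key that services set to different values to those services."""
    first, conflicts = {}, {}
    for name, cs in services:
        for key, value in cs.items():
            owner, seen = first.setdefault(key, (name, value))
            if seen != value:
                conflicts.setdefault(key, [owner]).append(name)
    return conflicts


if __name__ == "__main__":
    role = [("mysql", MYSQL_BUNDLE), ("clustercheck", CLUSTERCHECK_BEFORE)]
    for order in (role, role[::-1]):
        names = [n for n, _ in order]
        print(names, "3123 open:", 3123 in opened_ports(order))
    print("conflicts:", conflicting_keys(role))
```

A check like `conflicting_keys` run over the merged role data before deployment flags the collision regardless of service order, which is what makes the failure intermittent across role definitions.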