Undercloud: pike -> queens upgrade break introspection
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Fix Released | High | Harald Jensås | 
Bug Description
In https:/
The old iptables driver created a firewall chain and will in most cases configure a REJECT rule[1] to block any introspection unless the operator starts introspection of nodes.
On the upgraded undercloud we have these left-over rules still there:

```
357 183K ironic-inspector udp -- br-ctlplane any anywhere anywhere udp dpt:bootps

Chain ironic-inspector (1 references)
 pkts bytes target prot opt in out source destination
357 183K REJECT all -- any any anywhere anywhere reject-with icmp-port-
```
Activity:

- description: updated
- Changed in tripleo: importance: Undecided → High
- Changed in tripleo: status: New → Triaged
- Changed in tripleo: status: Triaged → Incomplete; assignee: nobody → Harald Jensås (harald-jensas)
- Changed in tripleo: milestone: rocky-1 → rocky-2
Clean up:

```
iptables -D INPUT -i br-ctlplane -p udp --dport 67 -j ironic-inspector
iptables -F ironic-inspector
iptables -X ironic-inspector
```

We may also need to add a generic accept rule for DHCP requests on the introspection interface.

```
iptables -I INPUT -i br-ctlplane -p udp --dport 67 -j ACCEPT
```
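The following is an added example, not part of the bug report or of TripleO's own code: a small POSIX shell helper that inspects `iptables -S` output for the left-over `ironic-inspector` chain described above and prints the cleanup commands from the comment, so an operator can review them before running anything as root. The function names and the sample rule listings are constructed here; on a real undercloud you would pass `"$(iptables -S)"` instead of the sample.

```shell
#!/bin/sh
# Added example (not from the bug report): detect the stale ironic-inspector
# chain left behind by a pike -> queens undercloud upgrade and emit the cleanup
# commands from the bug comment. Nothing here modifies the firewall; it only
# prints the commands for review.

# Constructed sample of `iptables -S` on an upgraded undercloud that still
# carries the old chain (assumption; replace with "$(iptables -S)" for real use).
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ironic-inspector
-A INPUT -i br-ctlplane -p udp -m udp --dport 67 -j ironic-inspector
-A ironic-inspector -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample of a clean undercloud (nothing to do).
CLEAN_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i br-ctlplane -p udp -m udp --dport 67 -j ACCEPT'

# Returns 0 when the given `iptables -S` text still defines the old chain.
has_stale_inspector_chain() {
    printf '%s\n' "$1" | grep -q '^-N ironic-inspector$'
}

# Interface named in the INPUT jump rule into the stale chain (empty if none).
stale_inspector_iface() {
    printf '%s\n' "$1" \
        | sed -n 's/^-A INPUT -i \([^ ]*\) -p udp -m udp --dport 67 -j ironic-inspector$/\1/p' \
        | head -n 1
}

# Prints the cleanup commands the bug comment gives, one per line:
# remove the INPUT jump, flush and delete the chain, and (if missing) add the
# generic ACCEPT for DHCP on the introspection interface.
stale_inspector_cleanup_cmds() {
    rules="$1"
    iface=$(stale_inspector_iface "$rules")
    if [ -n "$iface" ]; then
        echo "iptables -D INPUT -i $iface -p udp --dport 67 -j ironic-inspector"
    fi
    if has_stale_inspector_chain "$rules"; then
        echo "iptables -F ironic-inspector"
        echo "iptables -X ironic-inspector"
    fi
    if [ -n "$iface" ] \
       && ! printf '%s\n' "$rules" | grep -q "^-A INPUT -i $iface -p udp -m udp --dport 67 -j ACCEPT$"; then
        echo "iptables -I INPUT -i $iface -p udp --dport 67 -j ACCEPT"
    fi
}

# Number of cleanup commands needed (0 means the undercloud is already clean).
stale_inspector_cleanup_count() {
    stale_inspector_cleanup_cmds "$1" | grep -c .
}

# Stand-alone run: show what would be done on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    stale_inspector_cleanup_cmds "$SAMPLE_RULES"
fi
```

Run with `--demo` to see the four commands for the sample; `stale_inspector_cleanup_count "$(iptables -S)"` returning 0 is a quick post-upgrade check that the stale chain and its DHCP REJECT are gone.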