Enforce proper ordering when applying firewall rules
The tripleo firewall module has fundamentally three pieces:
1) firewall::pre (allows existing connections/ssh/icmp)
2) firewall::rule (allows services traffic)
3) firewall::post (drops all traffic)
One of the assumptions coded in the module is the following line:
Service<||> -> Class['tripleo::firewall::post']
Which has been added so that (see also bug LP#1643575):
"""
use ordering to make sure we start all Services in catalog before post
rules. It ensure that we don't drop all traffic before starting the
services, which could lead to services errors (e.g. trying to reach database or amqp)
"""
The problem is that there is nothing specifying that the firewall rules
created by tripleo services need to be implemented between the pre and
post classes. So the following can happen:
Jul 10 05:04:13 overcloud-controller-1 systemd: Started OpenSSH server daemon.
Jul 10 05:04:13 overcloud-controller-1 puppet-user[32418]: (/Stage[main]/Ssh::Server::Service/Service[sshd]) Triggered 'refresh' from 2 events
Jul 10 05:04:13 overcloud-controller-1 puppet-user[32418]: (/Stage[main]/Tripleo::Firewall::Pre/Tripleo::Firewall::Rule[000 accept related established rules]/Firewall[000 accept related established rules ipv4]/ensure) created
...
Jul 10 05:04:13 overcloud-controller-1 puppet-user[32418]: (/Stage[main]/Tripleo::Firewall::Post/Tripleo::Firewall::Rule[998 log all]/Firewall[998 log all ipv4]/ensure) created
...
Jul 10 05:04:14 overcloud-controller-1 puppet-user[32418]: (/Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Service_rules[cinder_api]/Tripleo::Firewall::Rule[119 cinder]/Firewall[119 cinder ipv4]/ensure) created
This means that we can actually open the traffic for our services *after*
said traffic has been completely blocked. In order to fix this we
tag the pre/post rules with a different tag and add resource collectors
to actually enforce proper ordering. We now get:
...
Jul 11 08:54:43 overcloud-controller-0 puppet-user[32554]: (/Stage[main]/Tripleo::Firewall::Pre/Tripleo::Firewall::Rule[000 accept related established rules]/Firewall[000 accept related established rules ipv4]/ensure) created
...
Jul 11 08:54:43 overcloud-controller-0 puppet-user[32554]: (/Stage[main]/Tripleo::Firewall/Tripleo::Firewall::Service_rules[cinder_api]/Tripleo::Firewall::Rule[119 cinder]/Firewall[119 cinder ipv4]/ensure) created
...
Jul 11 08:54:52 overcloud-controller-0 puppet-user[32554]: (/Stage[main]/Tripleo::Firewall::Post/Tripleo::Firewall::Rule[998 log all]/Firewall[998 log all ipv4]/ensure) created
Tested this by doing 20 deploys of 1ctrl+1cmp and then scaling up the
overcloud to 3ctrl+2cmp.
The reason this change, besides being semantically correct, is needed
for scaling up the controller role is the following:
1) When we detect a scaleup situation, we call 'pcs cluster node add <newnode>'
from the bootstrap node
2) It can happen that 1) succeeds because the node still had no iptables
at all, so pcs communication succeeds. So at this point the cluster
has added a new node and all is well
3) Now we apply the pre and post rules and all traffic is blocked. And
slowly we start adding rules to let services be accessible over the
network.
4) pacemaker is unable to talk to other nodes and assumes a network split.
Eventually it will start fencing node to guarantee the state of the
remote nodes and so the deploy will fail.
With this change if the 'pcs cluster node add' call succeeds we are
guaranteed to not interrupt network traffic afterwards.
NB: cherry-pick had a slight conflict due Ic9a2626e73d132c3be7ff14a1f4cdba0c16c5b53
Change-Id: I01e681a6305e2708bf364781a2032265b146d065
Closes-Bug: #1781147
(cherry picked from commit c525c64f6a9535b0b040cca1a7813e93dfaa797c)
Reviewed: https:/ /review. openstack. org/582942 /git.openstack. org/cgit/ openstack/ puppet- tripleo/ commit/ ?id=9fdb07ec665 3c751d79e66e7f0 ab4a8ce68d120c
Committed: https:/
Submitter: Zuul
Branch: stable/queens
commit 9fdb07ec6653c75 1d79e66e7f0ab4a 8ce68d120c
Author: Michele Baldessari <email address hidden>
Date: Wed Jul 11 11:01:13 2018 +0200
Enforce proper ordering when applying firewall rules
The tripleo firewall module has fundamentally three pieces: ssh/icmp)
1) firewall::pre (allows existing connections/
2) firewall::rule (allows services traffic)
3) firewall::post (drops all traffic)
One of the assumptions coded in the module is the following line: tripleo: :firewall: :post']
Service<||> -> Class['
Which has been added so that (see also bug LP#1643575):
"""
use ordering to make sure we start all Services in catalog before post
rules. It ensure that we don't drop all traffic before starting the
services, which could lead to services errors (e.g. trying to reach database or amqp)
"""
The problem is that there is nothing specifying that the firewall rules controller- 1 systemd: Started OpenSSH server daemon. controller- 1 puppet-user[32418]: (/Stage[ main]/Ssh: :Server: :Service/ Service[ sshd]) Triggered 'refresh' from 2 events controller- 1 puppet-user[32418]: (/Stage[ main]/Tripleo: :Firewall: :Pre/Tripleo: :Firewall: :Rule[000 accept related established rules]/Firewall[000 accept related established rules ipv4]/ensure) created controller- 1 puppet-user[32418]: (/Stage[ main]/Tripleo: :Firewall: :Post/Tripleo: :Firewall: :Rule[998 log all]/Firewall[998 log all ipv4]/ensure) created controller- 1 puppet-user[32418]: (/Stage[ main]/Tripleo: :Firewall/ Tripleo: :Firewall: :Service_ rules[cinder_ api]/Tripleo: :Firewall: :Rule[119 cinder] /Firewall[ 119 cinder ipv4]/ensure) created
created by tripleo services need to be implemented between the pre and
post classes. So the following can happen:
Jul 10 05:04:13 overcloud-
Jul 10 05:04:13 overcloud-
Jul 10 05:04:13 overcloud-
...
Jul 10 05:04:13 overcloud-
...
Jul 10 05:04:14 overcloud-
This means that we can actually open the traffic for our services *after* controller- 0 puppet-user[32554]: (/Stage[ main]/Tripleo: :Firewall: :Pre/Tripleo: :Firewall: :Rule[000 accept related established rules]/Firewall[000 accept related established rules ipv4]/ensure) created controller- 0 puppet-user[32554]: (/Stage[ main]/Tripleo: :Firewall/ Tripleo: :Firewall: :Service_ rules[cinder_ api]/Tripleo: :Firewall: :Rule[119 cinder] /Firewall[ 119 cinder ipv4]/ensure) created controller- 0 puppet-user[32554]: (/Stage[ main]/Tripleo: :Firewall: :Post/Tripleo: :Firewall: :Rule[998 log all]/Firewall[998 log all ipv4]/ensure) created
said traffic has been completely blocked. In order to fix this we
tag the pre/post rules with a different tag and add resource collectors
to actually enforce proper ordering. We now get:
...
Jul 11 08:54:43 overcloud-
...
Jul 11 08:54:43 overcloud-
...
Jul 11 08:54:52 overcloud-
Tested this by doing 20 deploys of 1ctrl+1cmp and then scaling up the
overcloud to 3ctrl+2cmp.
The reason this change, besides being semantically correct, is needed
for scaling up the controller role is the following:
1) When we detect a scaleup situation, we call 'pcs cluster node add <newnode>'
from the bootstrap node
2) It can happen that 1) succeeds because the node still had no iptables
at all, so pcs communication succeeds. So at this point the cluster
has added a new node and all is well
3) Now we apply the pre and post rules and all traffic is blocked. And
slowly we start adding rules to let services be accessible over the
network.
4) pacemaker is unable to talk to other nodes and assumes a network split.
Eventually it will start fencing node to guarantee the state of the
remote nodes and so the deploy will fail.
With this change if the 'pcs cluster node add' call succeeds we are
guaranteed to not interrupt network traffic afterwards.
NB: cherry-pick had a slight conflict due Ic9a2626e73d132 c3be7ff14a1f4cd ba0c16c5b53
Change-Id: I01e681a6305e27 08bf364781a2032 265b146d065 0b040cca1a7813e 93dfaa797c)
Closes-Bug: #1781147
(cherry picked from commit c525c64f6a9535b