pulling containers is failing the overcloud deployment

Bug #1803024 reported by wes hayutin on 2018-11-13
This bug affects 2 people
Affects: tripleo
Importance: Critical
Assigned to: Alex Schultz
Changed in tripleo:
milestone: none → stein-2
Alex Schultz (alex-schultz) wrote :

I think this might be related to the puppet 5.5.6 update. I'm seeing the iptables rules not being properly applied.

Under puppet 5.5.6 the iptables on the undercloud looks like:

# Generated by iptables-save v1.4.21 on Tue Nov 13 00:53:34 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:68]
:openstack-INPUT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "000 accept related established rules ipv4" -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m comment --comment "001 accept all icmp ipv4" -j ACCEPT
-A INPUT -i lo -m state --state NEW -m comment --comment "002 accept all to lo interface ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "003 accept ssh ipv4" -j ACCEPT
-A INPUT -s 198.72.124.180/32 -j ACCEPT
-A INPUT -s 198.72.124.178/32 -j ACCEPT
-A INPUT -j openstack-INPUT
-A INPUT -m state --state NEW -m limit --limit 20/min --limit-burst 15 -m comment --comment "998 log all ipv4" -j LOG
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A openstack-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 19885 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p udp -m udp --dport 69 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 6385 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 80 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8000 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8003 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8004 -j ACCEPT
-A openstack-INPUT -m limit --limit 2/min -j LOG --log-prefix "iptables dropped: "
-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Nov 13 00:53:34 2018

But under 4.8.2, it's:
# Generated by iptables-save v1.4.21 on Mon Nov 12 19:27:19 2018
*nat
:PREROUTING ACCEPT [2:64]
:INPUT ACCEPT [2:64]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 169.254.169.254/32 -i br-ct...

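A check for the kind of firewall drift described in the comment above, as an added example that is not part of the bug report or of TripleO's code: it compares a known-good iptables-save dump with a current one, ignoring comments and packet counters, and lists the tables, chains and rules that disappeared. The function names and both sample dumps are constructed for illustration.

```python
import re

COUNTERS = re.compile(r"\s*\[\d+:\d+\]$")  # packet/byte counters differ on every run

def parse_save(text):
    """Map each table in iptables-save output to its set of chain and rule lines."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, set())  # register the table even if it is empty
        elif table is not None:  # lines before any *table header are ignored
            tables[table].add(COUNTERS.sub("", line))
    return tables

def missing_from(baseline, current):
    """Return tables, chains and rules present in baseline but absent from current."""
    base, cur = parse_save(baseline), parse_save(current)
    report = []
    for table in sorted(base):
        if table not in cur:
            report.append(f"table {table} absent")
        else:
            report += [f"{table}: {line}" for line in sorted(base[table] - cur[table])]
    return report

# Constructed sample dumps (illustrative values, not the report's full output).
BASELINE = """\
*nat
:PREROUTING ACCEPT [2:64]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 6385 -j ACCEPT
-A INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8004 -j ACCEPT
COMMIT
"""
AFTER_UPGRADE = """\
*filter
:INPUT ACCEPT [7:420]
-A INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 6385 -j ACCEPT
COMMIT
"""
if __name__ == "__main__":
    print("\n".join(missing_from(BASELINE, AFTER_UPGRADE)))
```

Run against dumps saved before and after a configuration-management upgrade, an empty result means every baseline table, chain and rule is still present.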

chandan kumar (chkumar246) wrote :

We have reverted puppet-5 in RDO, https://review.rdoproject.org/r/#/c/17333/1

wes hayutin (weshayutin) on 2018-11-14
Changed in tripleo:
status: Triaged → Fix Released
Changed in tripleo:
assignee: nobody → Alex Schultz (alex-schultz)