where we did:
      service_config_settings:
        haproxy:
          tripleo.horizon.firewall_rules:
            '127 horizon':
              dport:
                - 80
                - 443
The problem is that the above does not work. Reason for this is the way
tripleo::firewall works. It will only apply iptables rules for that
show up in hiera('service_names'):
  $service_names = hiera('service_names', [])
  tripleo::firewall::service_rules { $service_names: }
And since horizon is not in the service running on the haproxy role, the
above rule would never have been created.
Tested this change and now I correctly get the iptables rules on the
haproxy role for horizon:
[root@overcloud-core-0 ~]# iptables -nvL |grep horizon
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW /* 127 horizon ipv4 */
[root@overcloud-core-0 ~]# hiera -c /etc/puppet/hiera.yaml service_names |grep horizon
[root@overcloud-core-0 ~]#
Reviewed: https://review.openstack.org/625258
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=3114300c9cd922998d426e4d33269a9fc96630c0
Submitter: Zuul
Branch: master
commit 3114300c9cd922998d426e4d33269a9fc96630c0
Author: Michele Baldessari <email address hidden>
Date: Fri Dec 14 14:40:08 2018 +0100
Fix horizon's iptables rules for haproxy when split off a separate role
This should have been fixed via:
https://review.openstack.org/#/c/460175/2
where we did:
      service_config_settings:
        haproxy:
          tripleo.horizon.firewall_rules:
            '127 horizon':
              dport:
                - 80
                - 443
The problem is that the above does not work. Reason for this is the way
tripleo::firewall works. It will only apply iptables rules for that
show up in hiera('service_names'):
  $service_names = hiera('service_names', [])
  tripleo::firewall::service_rules { $service_names: }
And since horizon is not in the service running on the haproxy role, the
above rule would never have been created.
Tested this change and now I correctly get the iptables rules on the
haproxy role for horizon:
[root@overcloud-core-0 ~]# iptables -nvL |grep horizon
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW /* 127 horizon ipv4 */
[root@overcloud-core-0 ~]# hiera -c /etc/puppet/hiera.yaml service_names |grep horizon
[root@overcloud-core-0 ~]#
Closes-Bug: #1808530
Change-Id: Ia4a795d1a7fb926f5900c739c1932b20d81ed7fc
Co-Authored-By: Damien Ciabrini <email address hidden>
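The failure mode described in the commit message above, as an added example that is not part of the original commit or of the TripleO code base: an audit that flags firewall rules defined in hiera whose owning service is absent from service_names, and cross-checks the rest against `iptables -nvL` output. It assumes rules are looked up per service under keys of the form `tripleo.<service>.firewall_rules`; the function name, the haproxy rule and both sample inputs are constructed for illustration.

```python
import json
import re

# Constructed hiera data for a split-off haproxy role (pre-fix layout from the
# commit message; the haproxy rule entry is made up for contrast).
SAMPLE_HIERA = json.loads("""
{
  "service_names": ["haproxy", "ntp"],
  "tripleo.haproxy.firewall_rules": {"107 haproxy stats": {"dport": [1993]}},
  "tripleo.horizon.firewall_rules": {"127 horizon": {"dport": [80, 443]}}
}
""")

# Constructed `iptables -nvL` excerpt in the format shown in the commit message.
SAMPLE_IPTABLES = """\
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1993 state NEW /* 107 haproxy stats ipv4 */
"""

# Assumed key layout: one firewall_rules hash per service name.
RULE_KEY = re.compile(r"^tripleo\.([^.]+)\.firewall_rules$")
# Rule name as it appears in the iptables comment field.
COMMENT = re.compile(r"/\* (.+?) ipv[46] \*/")


def audit_firewall_rules(hiera, iptables_output):
    """Classify every firewall rule defined in hiera.

    Returns a dict mapping rule name to one of:
      "applied"  - owning service is in service_names and the rule is loaded
      "missing"  - owning service is in service_names but the rule is not loaded
      "orphaned" - owning service is absent from service_names, so the
                   per-service lookup never sees the rule
    """
    services = set(hiera.get("service_names", []))
    loaded = set(COMMENT.findall(iptables_output))
    report = {}
    for key, rules in hiera.items():
        match = RULE_KEY.match(key)
        if not match:
            continue
        for name in rules:
            if match.group(1) not in services:
                report[name] = "orphaned"
            else:
                report[name] = "applied" if name in loaded else "missing"
    return report


if __name__ == "__main__":
    for rule, status in sorted(audit_firewall_rules(SAMPLE_HIERA, SAMPLE_IPTABLES).items()):
        print(f"{status:9} {rule}")
```

An "orphaned" result is the case from the bug: the rule exists in the role's hiera data but no iptables entry is ever generated for it, so the port stays closed without any error.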