Comment 2 for bug 1808530

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/625258
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=3114300c9cd922998d426e4d33269a9fc96630c0
Submitter: Zuul
Branch: master

commit 3114300c9cd922998d426e4d33269a9fc96630c0
Author: Michele Baldessari <email address hidden>
Date: Fri Dec 14 14:40:08 2018 +0100

    Fix horizon's iptables rules for haproxy when split off a separate role

    This should have been fixed via:
    https://review.openstack.org/#/c/460175/2

    where we did:
    service_config_settings:
      haproxy:
        tripleo.horizon.firewall_rules:
         '127 horizon':
            dport:
              - 80
              - 443

    The problem is that the above does not work. The reason for this is the way
    tripleo::firewall works. It will only apply iptables rules for services that
    show up in hiera('service_names'):
        $service_names = hiera('service_names', [])
        tripleo::firewall::service_rules { $service_names: }

    And since horizon is not in the service running on the haproxy role, the
    above rule would never have been created.

    Tested this change and now I correctly get the iptables rules on the
    haproxy role for horizon:
    [root@overcloud-core-0 ~]# iptables -nvL |grep horizon
        0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443 state NEW /* 127 horizon ipv4 */
    [root@overcloud-core-0 ~]# hiera -c /etc/puppet/hiera.yaml service_names |grep horizon
    [root@overcloud-core-0 ~]#

    Closes-Bug: #1808530

    Change-Id: Ia4a795d1a7fb926f5900c739c1932b20d81ed7fc
    Co-Authored-By: Damien Ciabrini <email address hidden>
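
The behaviour described in the commit message can be checked offline against a role's hiera data. The following is an added example, not code from the commit or from tripleo: it models the rule that only services in `service_names` get their `tripleo.<service>.firewall_rules` applied, and reports rules that would be skipped. The function name, the sample role data and the haproxy rule in it are constructed for illustration.

```python
import re

# Hiera key layout as shown in the commit message: tripleo.<service>.firewall_rules
RULE_KEY = re.compile(r"^tripleo\.(?P<service>[^.]+)\.firewall_rules$")


def applied_and_orphaned(role_hiera):
    """Split a role's firewall rules into applied and never-applied sets.

    Models the behaviour the commit message describes: rules are only
    created for services listed in hiera('service_names'). Hypothetical
    helper, not part of tripleo.
    """
    service_names = set(role_hiera.get("service_names", []))
    applied, orphaned = {}, {}
    for key, rules in role_hiera.items():
        match = RULE_KEY.match(key)
        if not match:
            continue  # not a firewall rule key
        target = applied if match.group("service") in service_names else orphaned
        for name, spec in rules.items():
            target[name] = spec
    return applied, orphaned


# Constructed sample: hiera data for a role that runs haproxy but not horizon,
# with the horizon rule pushed to it as in the service_config_settings snippet.
HAPROXY_ROLE = {
    "service_names": ["haproxy", "sshd"],
    "tripleo.haproxy.firewall_rules": {"107 haproxy stats": {"dport": [1993]}},
    "tripleo.horizon.firewall_rules": {"127 horizon": {"dport": [80, 443]}},
}

if __name__ == "__main__":
    applied, orphaned = applied_and_orphaned(HAPROXY_ROLE)
    for name, spec in sorted(orphaned.items()):
        print(f"never applied: {name!r} dport={spec['dport']}")
```
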