THT: wrong indentation (?) in placement-api-container-puppet.yaml leads to wrong hieradata (and failed deployment)

Bug #1825976 reported by Luca Miccini
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
tripleo | Fix Released | Critical | Luca Miccini |

Bug Description

I was troubleshooting a failed deployment and tracked it down to iptables rules missing for port 13778.
Looking at hieradata I found the following:

{
    "138 placement": {
        "dport": [
            8778,
            13778
        ]
    },

that is different from the other services.

Could it be that tripleo::placement::firewall_rules in placement-api-container-puppet.yaml misses indentation (lines 104:107)?

~~~
     94 outputs:
     95   role_data:
     96     description: Role data for the Placement API role.
     97     value:
     98       service_name: placement
     99       config_settings:
    100         map_merge:
    101           - get_attr: [PlacementLogging, config_settings]
    102           - apache::default_vhost: false
    103           - tripleo::placement::firewall_rules:
    104             '138 placement':
    105               dport:
    106                 - 8778
    107                 - 13778
~~~

Looking at nova-api it would seem so:

~~~
    182 tripleo::nova_api::firewall_rules:
    183   '113 nova_api':
    184     dport:
    185       - 8774
    186       - 13774
~~~
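
Added example, not part of the original report or of tripleo-heat-templates: a pre-deployment check over rendered hieradata that flags firewall rule hashes sitting outside any `*::firewall_rules` key and lists expected ports that no such key declares. The two samples are constructed from the fragments quoted in this report; the function names and the rule-name pattern are assumptions.

```python
import json
import re

# Constructed samples modelled on the hieradata fragments quoted in this report.
BROKEN = json.loads("""{
  "tripleo::nova_api::firewall_rules": {"113 nova_api": {"dport": [8774, 13774]}},
  "138 placement": {"dport": [8778, 13778]}
}""")
FIXED = json.loads("""{
  "tripleo::nova_api::firewall_rules": {"113 nova_api": {"dport": [8774, 13774]}},
  "tripleo::placement::firewall_rules": {"138 placement": {"dport": [8778, 13778]}}
}""")

RULE_NAME = re.compile(r"^\d{3} \S")          # assumed naming pattern, e.g. "138 placement"
RULES_KEY = re.compile(r"::firewall_rules$")  # e.g. tripleo::placement::firewall_rules


def _ports(rule):
    """Normalise a rule's dport (scalar or list) to a set."""
    dport = rule.get("dport", [])
    return set(dport if isinstance(dport, list) else [dport])


def orphaned_rules(hieradata):
    """Top-level keys that look like firewall rules but sit outside a *::firewall_rules hash."""
    return sorted(
        key for key, value in hieradata.items()
        if RULE_NAME.match(key) and isinstance(value, dict) and "dport" in value
    )


def declared_ports(hieradata):
    """Ports declared under a proper *::firewall_rules key."""
    ports = set()
    for key, rules in hieradata.items():
        if RULES_KEY.search(key) and isinstance(rules, dict):
            for rule in rules.values():
                if isinstance(rule, dict):
                    ports |= _ports(rule)
    return ports


def missing_ports(hieradata, expected):
    """Expected service ports that no *::firewall_rules key declares."""
    return sorted(set(expected) - declared_ports(hieradata))


if __name__ == "__main__":
    for name, data in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "orphans:", orphaned_rules(data),
              "missing:", missing_ports(data, [8778, 13778]))
```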

Luca Miccini (lmiccini2) wrote :

# Generated by iptables-save v1.4.21 on Tue Apr 23 03:42:47 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "000 accept related established rules ipv4" -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m comment --comment "001 accept all icmp ipv4" -j ACCEPT
-A INPUT -i lo -m state --state NEW -m comment --comment "002 accept all to lo interface ipv4" -j ACCEPT
-A INPUT -s 192.168.24.0/24 -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "003 accept ssh from controlplane ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 873,3123,3306,4444,4567,4568,9200 -m state --state NEW -m comment --comment "104 mysql galera-bundle ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3124,6379,26379 -m state --state NEW -m comment --comment "108 redis-bundle ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3122,4369,5672,25672 -m state --state NEW -m comment --comment "109 rabbitmq-bundle ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,13000,35357 -m state --state NEW -m comment --comment "111 keystone ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9292,13292 -m state --state NEW -m comment --comment "112 glance_api ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8774,13774 -m state --state NEW -m comment --comment "113 nova_api ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696,13696 -m state --state NEW -m comment --comment "114 neutron api ipv4" -j ACCEPT
-A INPUT -p udp -m multiport --dports 4789 -m state --state NEW -m comment --comment "118 neutron vxlan networks ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8776,13776 -m state --state NEW -m comment --comment "119 cinder ipv4" -j ACCEPT
-A INPUT -p udp -m multiport --dports 6081 -m state --state NEW -m comment --comment "119 neutron geneve networks ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3260 -m state --state NEW -m comment --comment "120 iscsi initiator ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6641,6642 -m state --state NEW -m comment --comment "121 OVN DB server ports ipv4" -j ACCEPT
-A INPUT -s 172.17.0.0/24 -p tcp -m multiport --dports 11211 -m state --state NEW -m comment --comment "121 memcached 172.17.0.0/24 ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080,13808 -m state --state NEW -m comment --comment "122 swift proxy ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 873,6000,6001,6002 -m state --state NEW -m comment --comment "123 swift storage ipv4" -j ACCEPT
-A INPUT -s 192.168.24.0/24 -p udp -m multiport --dports 161 -m state --state NEW -m comment --comment "124 snmp 192.168.24.0/24 ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8004,13004 -m state --state NEW -m comment --comment "125 heat_api ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8000,13800 -m state --state NEW -m comment --comment "125 heat_cfn ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -m comment --comment "126 horizon ipv4" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -m comment --comment "127 horizon ipv4" -j ACCEPT
-A INPUT -p tcp ...


description: updated
Luca Miccini (lmiccini2) wrote :

adding indentation results in such hieradata:

   "tripleo::placement::firewall_rules": {
        "138 placement": {
            "dport": [
                8778,
                13778
            ]
        }
    },

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/655120

Changed in tripleo:
assignee: nobody → Luca Miccini (lmiccini2)
status: New → In Progress
yatin (yatinkarel)
Changed in tripleo:
importance: Undecided → Critical
yatin (yatinkarel) wrote :
tags: added: alert ci promotion-blocker
Martin Schuppert (mschuppert) wrote :

I have checked failing tempest from [1]

1) just for reference, the instance gets created ok:
* Instance 521734e6-27d9-4867-bc60-ceacc55aa22b

On compute log [2] we see the instance created ok on the compute:
2019-04-23 23:25:27.525 7 INFO nova.compute.manager [-] [instance: 521734e6-27d9-4867-bc60-ceacc55aa22b] VM Started (Lifecycle Event)

- instance build took ~13s
2019-04-23 23:25:31.070 7 INFO nova.compute.manager [req-20654e60-709d-48f0-be45-4b977e50965b 45acace926eb4efaa977376e17a1b50a 59fb6d91d57e443a8b4887d94e9653f4 - default default] [instance: 521734e6-27d9-4867-bc60-ceacc55aa22b] Took 13.25 seconds to build instance.

- also we see the floating ip in the network_info:
2019-04-23 23:25:38.504 7 DEBUG nova.network.base_api [req-48530c65-4b1e-43ec-9f93-713010f4ca42 2dd4f26ca21548979a1a33f220ac8262 8377d6b2752c49698d063799ed61ee8e - default default] [instance: 521734e6-27d9-4867-bc60-ceacc55aa22b] Updating instance_info_cache with network_info: [{"profile": {}, "ovs_interfaceid": "bac228d8-c5a2-451f-85fe-d29815323d54", "preserve_on_delete": false, "network": {"bridge": "br-int", "subnets": [{"ips": [{"meta": {}, "version": 4, "type": "fixed", "floating_ips": [{"meta": {}, "version": 4, "type": "floating", "address": "10.0.0.117"}], "address": "10.100.0.12"}], "version": 4, "meta": {"dhcp_server": "10.100.0.2"}, "dns": [], "routes": [], "cidr": "10.100.0.0/28", "gateway": {"meta": {}, "version": 4, "type": "gateway", "address": "10.100.0.1"}}], "meta": {"injected": false, "tunneled": true, "tenant_id": "59fb6d91d57e443a8b4887d94e9653f4", "physical_network": null, "mtu": 1292}, "id": "4b2a43c3-5820-4532-906f-5067bbf97c82", "label": "tempest-network-smoke--1490756850"}, "devname": "tapbac228d8-c5", "vnic_type": "normal", "qbh_params": null, "meta": {}, "details": {"port_filter": true}, "address": "fa:16:3e:6d:1f:c9", "active": true, "type": "ovs", "id": "bac228d8-c5a2-451f-85fe-d29815323d54", "qbg_params": null}] update_instance_cache_with_nw_info /usr/lib/python2.7/site-packages/nova/network/base_api.py:48

- the allocation in placement is correct as well
2019-04-23 23:26:08.962 7 DEBUG nova.compute.resource_tracker [req-8928dcb0-8883-4551-bfb6-20bd2295f8cf - - - - -] Instance 521734e6-27d9-4867-bc60-ceacc55aa22b actively managed on this compute host and has allocations in placement: {u'resources': {u'VCPU': 1, u'MEMORY_MB': 64, u'DISK_GB': 1}}. _remove_deleted_instances_allocations /usr/lib/python2.7/site-packages/nova/compute/resource_tracker.py:1308

- later delete of instance
2019-04-23 23:30:56.677 7 INFO nova.compute.manager [req-813e8b5a-4e4c-48cf-a5d7-234de6fed75d 45acace926eb4efaa977376e17a1b50a 59fb6d91d57e443a8b4887d94e9653f4 - default default] [instance: 521734e6-27d9-4867-bc60-ceacc55aa22b] Terminating instance
...
2019-04-23 23:30:57.593 7 INFO nova.virt.libvirt.driver [-] [instance: 521734e6-27d9-4867-bc60-ceacc55aa22b] Instance destroyed successfully.

BUT the issue is on the metadata side:

2) we see errors in the ovn metadata agent log [3] for a request for the instance (10.100.0.12):

2019-04-23 23:27:42.513 30579 DEBUG networking_ovn.agent.metadata.server [-] Request: GET /2009-04-04/meta-data/instance-id HTTP/1.0
...

wes hayutin (weshayutin)
Changed in tripleo:
milestone: none → train-1
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/655120
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=8e60f83615cb166e04f9de1a9a4331245424c2db
Submitter: Zuul
Branch: master

commit 8e60f83615cb166e04f9de1a9a4331245424c2db
Author: Luca Miccini <email address hidden>
Date: Tue Apr 23 14:18:35 2019 +0200

    Properly indent placement::firewall_rules

    placement::firewall_rules is missing proper indentation.

    This leads to hieradata like:

    {
        "138 placement": {
            "dport": [
                8778,
                13778
            ]
        },

    that is not picked up by puppet (hence no firewall rules are created).

    This commit adds one level of indentation, resulting in proper hieradata:

    "tripleo::placement::firewall_rules": {
           "138 placement": {
               "dport": [
                   8778,
                   13778
               ]
           }
       },

    Change-Id: I168863d6187ddf485546dbbc7e65bd45ef56ea38
    Closes-bug: #1825976

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 11.0.0

This issue was fixed in the openstack/tripleo-heat-templates 11.0.0 release.
