tripleo

Not all firewall rules are applied, leading to timeouts

Bug #1856864 reported by Emilien Macchi on 2019-12-18

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	Critical	Emilien Macchi	tripleo ussuri-2 "tripleo ussuri-2"

Bug Description

It was initially found in the tripleo-ci-centos-7-containers-undercloud-minion CI job which timeouts because MySQL can't be reached.
The reason is the firewall rule for MySQL isn't created anymore on the Undercloud; which seems to happen to all the firewall rules not defined in the main template.

Example: the mysql rules are defined in deployment/database/mysql-base.yaml which later is imported by deployment/database/mysql-container-puppet.yaml. It seems like the current YAQL query can't find the firewall_rules for that service, therefore the rule is missing and some jobs timeout.

Tags:

Emilien Macchi (emilienm) on 2019-12-18

Changed in tripleo:
status:	New → Triaged
importance:	Undecided → Critical
assignee:	nobody → Emilien Macchi (emilienm)
milestone:	none → ussuri-2

chandan kumar (chkumar246) on 2019-12-18

tags:

added: alert

Revision history for this message

Emilien Macchi (emilienm) wrote on 2019-12-18:

FTR here is the minion logs, timing out on the db sync (mysql is unreachable due to missing firewall rules): https://6965fd4aef581b711f1e-c46dc4d37fef1869c0d0d51dc6a4d27f.ssl.cf5.rackcdn.com/699505/1/check/tripleo-ci-centos-7-containers-undercloud-minion/eb9c291/logs/subnode-1/var/log/containers/stdouts/heat_engine_db_sync.log.txt.gz

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-18: Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/699712

Changed in tripleo:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-18: Fix proposed to tripleo-heat-templates (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/699866

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-18: Change abandoned on tripleo-heat-templates (stable/train)

Change abandoned by Emilien Macchi (<email address hidden>) on branch: stable/train
Review: https://review.opendev.org/699866

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-19: Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/699712
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=7c2fa7b8e916a31218347f3ca6bfd79958fdd2e9
Submitter: Zuul
Branch: master

commit 7c2fa7b8e916a31218347f3ca6bfd79958fdd2e9
Author: Emilien Macchi <email address hidden>
Date: Wed Dec 18 10:47:31 2019 -0500

mysql: move firewall_rules to mysql-container-puppet

    The firewall_rules need to be in the service template and can't be in
    the base, that is imported.
    The current YAQL is looking for firewall_rules in the role_data:
    $.data.role_data, []).where($ != null).select($.get('firewall_rules')

    So moving the firewall_rules from mysql-base to mysql-container-puppet
    will allow the data to be found by the query and the firewall rules to
    be applied.

Change-Id: I6183cdf63ea628cc86742d56b5e2cc0ec5e3aab9
Closes-Bug: #1856864

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-02-18: Fix included in openstack/tripleo-heat-templates 12.1.0

This issue was fixed in the openstack/tripleo-heat-templates 12.1.0 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.