tripleo

Firewall rules removed during undercloud upgrade

Bug #1956825 reported by Brendan Shephard on 2022-01-08

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	High	Unassigned

Bug Description

Description:

During a undercloud upgrade, we create an empty ruleset:
https://github.com/openstack/tripleo-ansible/blob/master/tripleo_ansible/roles/tripleo_bootstrap/tasks/main.yml#L111-L119

But because we are not making any changes to firewall rules. When we check existing iptables rules we find that we don't need to make any changes, so we skip the save task. This would be fine, but we don't validate if the /etc/sysconfig/iptables file is still empty.
This means that the firewall rules are not saved when we get to this point:
https://github.com/openstack/tripleo-ansible/blob/master/tripleo_ansible/roles/tripleo_firewall/tasks/main.yml#L56-L63

So after a reboot, any masquerade rules that are in place are not reloaded.

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-01-08: Fix proposed to tripleo-ansible (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/823893

Changed in tripleo:
status:	New → In Progress

Bogdan Dobrelya (bogdando) on 2022-01-13

Changed in tripleo:
importance:	Undecided → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-01-20: Fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/823893
Committed: https://opendev.org/openstack/tripleo-ansible/commit/1b37fe386902e4a942eae780ee798c9f72f25173
Submitter: "Zuul (22348)"
Branch: master

commit 1b37fe386902e4a942eae780ee798c9f72f25173
Author: Brendan Shephard <email address hidden>
Date: Sat Jan 8 12:36:31 2022 +0000

Ensure firewall rules are saved

    If the /etc/sysconfig/ip*tables files are still empty
    when we reach the Firewall save block. Then we should
    ensure the rules are saved.

    Closes-bug: #1956825
    Resolves: rhbz#2033570
    Change-Id: Idfb2ae61c7aa9725f6e5eb495ed7ea301d4df8b3

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-03-13: Fix proposed to tripleo-ansible (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/833517

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-03-13: Fix proposed to tripleo-ansible (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/833518

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-03-13: Fix proposed to tripleo-ansible (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/833519

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-03-13: Fix proposed to tripleo-ansible (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/833520

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-03-14: Fix merged to tripleo-ansible (stable/train)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/833520
Committed: https://opendev.org/openstack/tripleo-ansible/commit/7f1e4d5e87289de7839cf2b87022bc58e6d24c3e
Submitter: "Zuul (22348)"
Branch: stable/train

commit 7f1e4d5e87289de7839cf2b87022bc58e6d24c3e
Author: Brendan Shephard <email address hidden>
Date: Sat Jan 8 12:36:31 2022 +0000

Ensure firewall rules are saved

    If the /etc/sysconfig/ip*tables files are still empty
    when we reach the Firewall save block. Then we should
    ensure the rules are saved.

    Closes-bug: #1956825
    Resolves: rhbz#2063232
    Change-Id: Idfb2ae61c7aa9725f6e5eb495ed7ea301d4df8b3
    (cherry picked from commit 1b37fe386902e4a942eae780ee798c9f72f25173)

tags:	added: in-stable-train
tags:	added: in-stable-ussuri

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-03-14: Fix merged to tripleo-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/833519
Committed: https://opendev.org/openstack/tripleo-ansible/commit/4532dd8c78671e02bf9864c1ba07ebd367af4a40
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit 4532dd8c78671e02bf9864c1ba07ebd367af4a40
Author: Brendan Shephard <email address hidden>
Date: Sat Jan 8 12:36:31 2022 +0000

Ensure firewall rules are saved

    If the /etc/sysconfig/ip*tables files are still empty
    when we reach the Firewall save block. Then we should
    ensure the rules are saved.

    Closes-bug: #1956825
    Resolves: rhbz#2033570
    Change-Id: Idfb2ae61c7aa9725f6e5eb495ed7ea301d4df8b3
    (cherry picked from commit 1b37fe386902e4a942eae780ee798c9f72f25173)

tags:

added: in-stable-victoria

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-03-14: Fix merged to tripleo-ansible (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/833518
Committed: https://opendev.org/openstack/tripleo-ansible/commit/3aec3706afd220b8379f0a2f769274964efa144a
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 3aec3706afd220b8379f0a2f769274964efa144a
Author: Brendan Shephard <email address hidden>
Date: Sat Jan 8 12:36:31 2022 +0000

Ensure firewall rules are saved

    If the /etc/sysconfig/ip*tables files are still empty
    when we reach the Firewall save block. Then we should
    ensure the rules are saved.

    Closes-bug: #1956825
    Resolves: rhbz#2033570
    Change-Id: Idfb2ae61c7aa9725f6e5eb495ed7ea301d4df8b3
    (cherry picked from commit 1b37fe386902e4a942eae780ee798c9f72f25173)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-04-12: Fix included in openstack/tripleo-ansible 4.2.0

#10

This issue was fixed in the openstack/tripleo-ansible 4.2.0 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-04-13: Change abandoned on tripleo-ansible (stable/wallaby)

#11

Change abandoned by "Brendan Shephard <email address hidden>" on branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/833517
Reason: We don't need this because we have this fix instead that is already merged: https://github.com/openstack/tripleo-ansible/commit/93b14c9f3f4b15258207dfb17feccf20e2fcb21c

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-04-13: Fix included in openstack/tripleo-ansible ussuri-eol

#12

This issue was fixed in the openstack/tripleo-ansible ussuri-eol release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-04-21: Fix included in openstack/tripleo-ansible 2.6.0

#13

This issue was fixed in the openstack/tripleo-ansible 2.6.0 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-02-06: Fix included in openstack/tripleo-ansible train-eol

#14

This issue was fixed in the openstack/tripleo-ansible train-eol release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.