haproxy template tasks to apply IPTables rules are no ops
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
tripleo | Fix Released | High | Takashi Kajinami | |
Bug Description
There are tasks named "Run puppet to the host to apply IPtables rules" in haproxy-
It's not entirely clear that this was intended. It is sensible that we disable firewall management for service definitions and use ansible to do the work there, but haproxy might present other ports on the public network that are distinct from the rules defined on the internal API network. I think this also ends up imposing the limitation that anything requiring an haproxy endpoint must also be deployed to the haproxy host.
Changed in tripleo:
importance: Undecided → Medium
importance: Medium → Undecided
Changed in tripleo:
status: New → In Progress
Changed in tripleo:
assignee: nobody → Takashi Kajinami (kajinamit)
importance: Undecided → High
That likely means that composable HA (i.e. spinning up separate haproxy nodes) is broken.
E.g. if you have three haproxy nodes and three DB nodes, the firewall port for mysql on the haproxy nodes would not be open, which would be incorrect.
See also: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/768792