haproxy template tasks to apply IPTables rules are no ops

Bug #1961799 reported by Brent Eagles
This bug affects 2 people
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Takashi Kajinami

Bug Description

There are tasks named "Run puppet to the host to apply IPtables rules" in haproxy-pacemaker-puppet.yaml and haproxy-container-puppet.yaml that appear to be ineffective. We set tripleo::firewall::manage_firewall to false in tripleo-firewall-baremetal-ansible.yaml so this would turn off any haproxy firewall management.

It's not entirely clear that this was intended. It is sensible that we disable firewall management for service definitions and use ansible to do the work there, but haproxy might present other ports on the public network that are distinct from the rules defined on the internal API network. I think this also ends up imposing the limitation that anything requiring an haproxy endpoint must also be deployed to the haproxy host.

Brent Eagles (beagles)
Changed in tripleo:
importance: Undecided → Medium
importance: Medium → Undecided
Michele Baldessari (michele) wrote :

That likely means that composable HA (i.e. spinning up separate haproxy nodes) is broken.

E.g. if you have three haproxy nodes and three DB nodes, the firewall port for mysql on the haproxy nodes would not be open, which would be incorrect.

See also:
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/768792

Takashi Kajinami (kajinamit) wrote :

I second the observation by Michele and currently deployment with separate haproxy is broken.

The reason why I abandoned the change was that there is still some amount of work left to implement firewall rules for frontend load balancers, which is currently broken :-(

Damien Ciabrini (dciabrin) wrote :

I had a quick chat with Michele since I'm not familiar with firewall setup, and the problem with disabling puppet firewall was at the time that it would break composable HA.

I am going to deploy composable HA locally with master to check whether this still works and how puppet firewall vs ansible firewall mixes together.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/831547

Changed in tripleo:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/831547
Committed: https://opendev.org/openstack/tripleo-ansible/commit/f2760f5de319c07b233ea6821ef366601e557558
Submitter: "Zuul (22348)"
Branch: master

commit f2760f5de319c07b233ea6821ef366601e557558
Author: Takashi Kajinami <email address hidden>
Date: Thu Mar 3 00:16:19 2022 +0900

    tripleo_firewall: Allow injecting frontend rules

    This change introduces new variables to define the firewall rules for
    haproxy frontend.

    When an API service is enabled, we should add proper firewall rule not
    only in the node where the API service is running, but also in
    the loadbalancer node where haproxy is running, otherwise the frontend
    port in haproxy is not accessible.

    The new variables are used once [1] is merged.

    [1] https://review.opendev.org/c/openstack/tripleo-heat-templates/+/831549

    Related-Bug: #1961799
    Change-Id: I9d79df8a8d0eaf77166b296178b9b0622263998d

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/wallaby)

Related fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/839738

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/839789

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/831549
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/a3dd02377394c6fab4a556f0c666a04755fa905c
Submitter: "Zuul (22348)"
Branch: master

commit a3dd02377394c6fab4a556f0c666a04755fa905c
Author: Takashi Kajinami <email address hidden>
Date: Thu Mar 3 00:47:10 2022 +0900

    Define frontend firewall rules separately

    This change ensures that firewall rules for haproxy endpoints are
    enabled properly even when haproxy and api services are running in
    different nodes.

    With this change, firewall rule for ssl endpoints are removed from base
    firewall rules because these ports are used by haproxy and not used by
    api services.

    Also, the adhoc implementation to run firewall configurations first is
    refactored by the new host_firewall_tasks key. This allows us to
    implement tasks to configure firewall in the corresponding resource
    template.

    Closes-Bug: #1961799
    Depends-on: https://review.opendev.org/831547
    Change-Id: I07ceab077f9a900f7e2e35af8acd3e7a337ed01a
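
Added example (not code from tripleo-heat-templates or tripleo-ansible): a small model of the rule placement discussed in this bug, comparing frontend rules that follow the API service with frontend rules that follow haproxy, and auditing each role for ports that are listened on but closed or open but unused. The role names, port numbers and the `opened_ports` and `audit` helpers are assumptions made for illustration.

```python
# Constructed sample layout: role names and port numbers are illustrative,
# not values from tripleo-heat-templates.
SPLIT_ROLES = {
    "Loadbalancer": ["haproxy"],
    "Database": ["mysql"],
    "Controller": ["keystone"],
}
# "backend": ports the service binds itself.
# "frontend": ports haproxy binds on behalf of the service.
PORTS = {
    "haproxy": {"backend": set(), "frontend": set()},
    "mysql": {"backend": {3306}, "frontend": {3306}},
    "keystone": {"backend": {5000}, "frontend": {5000, 13000}},
}


def opened_ports(roles, ports, frontend_on_haproxy):
    """Ports the firewall opens per role under one placement model."""
    enabled = {svc for svcs in roles.values() for svc in svcs}
    opened = {}
    for role, svcs in roles.items():
        allowed = set()
        for svc in svcs:
            allowed |= ports[svc]["backend"]
            if not frontend_on_haproxy:
                # Old model: frontend rules travel with the API service.
                allowed |= ports[svc]["frontend"]
        if frontend_on_haproxy and "haproxy" in svcs:
            # Fixed model: frontend rules of every enabled service land here.
            for svc in enabled:
                allowed |= ports[svc]["frontend"]
        opened[role] = allowed
    return opened


def audit(roles, ports, opened):
    """Per role: ports listened on but closed, and ports open but unused."""
    enabled = {svc for svcs in roles.values() for svc in svcs}
    report = {}
    for role, svcs in roles.items():
        listening = set().union(*(ports[s]["backend"] for s in svcs))
        if "haproxy" in svcs:
            listening |= set().union(*(ports[s]["frontend"] for s in enabled))
        report[role] = {"missing": listening - opened[role],
                        "unused": opened[role] - listening}
    return report


if __name__ == "__main__":
    for fixed in (False, True):
        print(fixed, audit(SPLIT_ROLES, PORTS, opened_ports(SPLIT_ROLES, PORTS, fixed)))
```

With every service on one role the old model reports nothing, which is why the gap only shows up once haproxy runs on its own nodes.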

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/841580

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/839738
Committed: https://opendev.org/openstack/tripleo-ansible/commit/3267287fab46c838a3c1b851cd8446a2c6fde0cb
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 3267287fab46c838a3c1b851cd8446a2c6fde0cb
Author: Takashi Kajinami <email address hidden>
Date: Thu Mar 3 00:16:19 2022 +0900

    tripleo_firewall: Allow injecting frontend rules

    This change introduces new variables to define the firewall rules for
    haproxy frontend.

    When an API service is enabled, we should add proper firewall rule not
    only in the node where the API service is running, but also in
    the loadbalancer node where haproxy is running, otherwise the frontend
    port in haproxy is not accessible.

    The new variables are used once [1] is merged.

    [1] https://review.opendev.org/c/openstack/tripleo-heat-templates/+/831549

    Related-Bug: #1961799
    Change-Id: I9d79df8a8d0eaf77166b296178b9b0622263998d
    (cherry picked from commit f2760f5de319c07b233ea6821ef366601e557558)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/839789
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/5b452cd2ab914ffcbfb7498fecd13088cd7015b5
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 5b452cd2ab914ffcbfb7498fecd13088cd7015b5
Author: Takashi Kajinami <email address hidden>
Date: Thu Mar 3 00:47:10 2022 +0900

    Define frontend firewall rules separately

    This change ensures that firewall rules for haproxy endpoints are
    enabled properly even when haproxy and api services are running in
    different nodes.

    With this change, firewall rule for ssl endpoints are removed from base
    firewall rules because these ports are used by haproxy and not used by
    api services.

    Also, the adhoc implementation to run firewall configurations first is
    refactored by the new host_firewall_tasks key. This allows us to
    implement tasks to configure firewall in the corresponding resource
    template.

    Conflicts:
            deployment/tripleo-firewall/tripleo-firewall-baremetal-ansible.yaml

    Closes-Bug: #1961799
    Depends-on: https://review.opendev.org/839738
    Change-Id: I07ceab077f9a900f7e2e35af8acd3e7a337ed01a
    (cherry picked from commit a3dd02377394c6fab4a556f0c666a04755fa905c)

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-heat-templates (stable/wallaby)

Related fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/843201

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/841580
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/d8d59c2cb5196c7f2367a8154a27b5371f1bd211
Submitter: "Zuul (22348)"
Branch: master

commit d8d59c2cb5196c7f2367a8154a27b5371f1bd211
Author: Takashi Kajinami <email address hidden>
Date: Thu May 12 20:58:46 2022 +0900

    Horizon: Fix missing firewall rule for ssl backend

    When internal tls is enabled, Horizon uses a different port (tcp/443
    instead of tcp/80).

    Related-Bug: #1961799
    Change-Id: I8c2808f0d4ee969315f0dee3cd75b850e4a94fab

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-heat-templates (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/843201
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/4f55f6405186f78670040de03c534f066b4a6806
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 4f55f6405186f78670040de03c534f066b4a6806
Author: Takashi Kajinami <email address hidden>
Date: Thu May 12 20:58:46 2022 +0900

    Horizon: Fix missing firewall rule for ssl backend

    When internal tls is enabled, Horizon uses a different port (tcp/443
    instead of tcp/80).

    Related-Bug: #1961799
    Change-Id: I8c2808f0d4ee969315f0dee3cd75b850e4a94fab
    (cherry picked from commit d8d59c2cb5196c7f2367a8154a27b5371f1bd211)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 17.0.0

This issue was fixed in the openstack/tripleo-heat-templates 17.0.0 release.

Changed in tripleo:
assignee: nobody → Takashi Kajinami (kajinamit)
importance: Undecided → High