Fuel for OpenStack

[library] bootstrap_admin_node.sh doesn't change iptables rules.

Bug #1331807 reported by Denis Ipatov on 2014-06-18

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	Fuel for OpenStack	Fix Committed	High	Matthew Mosesohn	Fuel for OpenStack 5.1

Bug Description

If I try to change PXE network vi bootstrap_admin_node.sh IP address is changed, but I have problem with iptables rules:

The first IP address Fuel node was 10.0.10.2. I want to change it on 10.0.20.2.After the script finishes I get the following:

[root@fuel ~]# iptables-save | grep 10.
:FORWARD ACCEPT [13938957:12454071083]
-A FORWARD -d 172.17.0.10/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 172.17.0.10/32 ! -i docker0 -o docker0 -p udp -m udp --dport 69 -j ACCEPT
-A FORWARD -d 172.17.0.10/32 ! -i docker0 -o docker0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 172.17.0.10/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
:POSTROUTING ACCEPT [18:1080]
-A POSTROUTING -s 10.0.20.0/24 -j MASQUERADE
-A POSTROUTING -s 10.0.10.0/24 -p tcp -m tcp --dport 8080 -j ACCEPT
-A POSTROUTING -s 10.0.10.0/24 -p tcp -m tcp --dport 8000 -j ACCEPT
-A POSTROUTING -s 10.0.10.0/24 -p udp -m udp --dport 514 -j ACCEPT
-A POSTROUTING -s 10.0.10.0/24 -p tcp -m tcp --dport 514 -j ACCEPT
-A POSTROUTING -s 10.0.10.0/24 -j MASQUERADE
-A DOCKER -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.10:443
-A DOCKER -p udp -m udp --dport 53 -j DNAT --to-destination 172.17.0.10:53
-A DOCKER -p udp -m udp --dport 69 -j DNAT --to-destination 172.17.0.10:69
-A DOCKER -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.10:80

[root@fuel ~]# ip a| grep 10.
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 10.0.20.2/24 brd 10.0.20.255 scope global eth0

Tags:

Nastya Urlapova (aurlapova) on 2014-06-18

Changed in fuel:
importance:	Undecided → Medium
assignee:	nobody → Fuel Library Team (fuel-library)
milestone:	none → 5.1

Denis Ipatov (dipatov) on 2014-06-19

tags:

added: customer-found

Sergii Golovatiuk (sgolovatiuk) on 2014-06-24

Changed in fuel:
assignee:	Fuel Library Team (fuel-library) → Matthew Mosesohn (raytrac3r)

Matthew Mosesohn (raytrac3r) on 2014-06-24

Changed in fuel:
status:	New → Triaged

Revision history for this message

Matthew Mosesohn (raytrac3r) wrote on 2014-06-27:

Denis, modifying admin network after deployment is a bit more complex. It looks like the best way to manage this is via Puppet and using a comment identifier to manage these rules. It shouldn't be so difficult to modify these rules manually for a current deployment, but to do it automatically is a little more tricky. I will try to submit a proper patch next week.

Dmitry Ilyin (idv1985) on 2014-07-15

summary:

- bootstrap_admin_node.sh doesn't change iptables rules.
+ [library] bootstrap_admin_node.sh doesn't change iptables rules.

Revision history for this message

Matthew Mosesohn (raytrac3r) wrote on 2014-07-16:

To fix this requires adding a comment to each of these custom iptables rules set by dockerctl so we can purge them later easily. We can purge these automatically on shutdown, but there are no hooks to follow on shutdown of container that make this easier.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-07-17: Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/107669

Changed in fuel:
status:	Triaged → In Progress

Vladimir Kuklin (vkuklin) on 2014-07-24

Changed in fuel:
importance:	Medium → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-07-30: Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/107669
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=6c040b2490977c63a50ad0a3f07575d84fe1e04e
Submitter: Jenkins
Branch: master

commit 6c040b2490977c63a50ad0a3f07575d84fe1e04e
Author: Matthew Mosesohn <email address hidden>
Date: Thu Jul 17 15:55:34 2014 +0400

Clean up iptables rules when starting containers

    Purges iptables rules generated by dockerctl and
    by docker itself when a container is started. It
    drops existing rules created from dockerctl,
    identified by comment and docker forwarding rules
    based on IP address matching.

Closes-Bug: #1331807

Change-Id: I9c803d6dbeb8a341b811acbaf36e9777d40df5cc

Changed in fuel:
status:	In Progress → Fix Committed

Anastasia Palkina (apalkina) on 2014-09-29

tags:

added: in progress

Anastasia Palkina (apalkina) on 2014-09-30

tags:

removed: in progress

Andrey Sledzinskiy (asledzinskiy) on 2014-09-30

tags:

added: in progress

Andrey Sledzinskiy (asledzinskiy) on 2014-09-30

tags:

removed: in progress

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.