Compute deployment fails: Iptables-firewall module cannot prefetch openstack firewall rules
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Fuel for OpenStack | Fix Released | Critical | Dmitry Ilyin | |
4.1.x | Fix Committed | Critical | Fuel Library (Deprecated) | |
Bug Description
Compute redeployment fails if we want to run puppet on the compute node already running virtual machines.
This seems to be because our puppet iptables module is unable to parse openstack rules for VMs:
Error: Could not prefetch firewall provider 'iptables': undefined method `[]' for nil:NilClass
/etc/puppet/
/usr/lib/
/usr/bin/puppet:4
-A INPUT -j neutron-
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p icmp -m comment --comment "000 accept all icmp requests" -j ACCEPT
-A INPUT -i lo -m comment --comment "001 accept all to lo interface" -j ACCEPT
-A INPUT -m comment --comment "002 accept related established rules" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.20.0.2/32 -p tcp -m multiport --sports 4369,5672,
-A INPUT -p tcp -m multiport --sports 8140 -m comment --comment "004 remote puppet " -j ACCEPT
-A INPUT -p tcp -m multiport --ports 22 -m comment --comment "020 ssh" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 80,443 -m comment --comment "100 http" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 3306,3307,4567,4568 -m comment --comment "101 mysql" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 5000,35357 -m comment --comment "102 keystone" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 8080,6000,6001,6002 -m comment --comment "103 swift" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 9292,9191,8773 -m comment --comment "104 glance" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 8774,8775,8776,6080 -m comment --comment "105 nova " -j ACCEPT
-A INPUT -p tcp -m multiport --ports 4369,5672,
-A INPUT -p tcp -m multiport --ports 11211 -m comment --comment "107 memcached tcp" -j ACCEPT
-A INPUT -p udp -m multiport --ports 11211 -m comment --comment "107 memcached udp" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 873 -m comment --comment "108 rsync" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 3260 -m comment --comment "109 iscsi " -j ACCEPT
-A INPUT -p tcp -m multiport --ports 9696 -m comment --comment "110 neutron " -j ACCEPT
-A INPUT -p udp -m multiport --ports 67 -m comment --comment "111 dhcp-server" -j ACCEPT
-A INPUT -p udp -m multiport --ports 53 -m comment --comment "111 dns-server" -j ACCEPT
-A INPUT -p udp -m multiport --ports 123 -m comment --comment "112 ntp-server" -j ACCEPT
-A INPUT -p udp -m multiport --ports 5404 -m comment --comment "113 corosync-input" -j ACCEPT
-A INPUT -p udp -m multiport --ports 5405 -m comment --comment "114 corosync-output" -j ACCEPT
-A INPUT -p udp -m multiport --ports 58882 -m comment --comment "115 openvswitch db" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 5666 -m comment --comment "116 nrpe-server" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 16509 -m comment --comment "117 libvirt" -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m multiport --ports 5900:6100 -m comment --comment "118 vnc ports" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 8777 -m comment --comment "119 ceilometer" -j ACCEPT
-A INPUT -p tcp -m comment --comment "999 drop all other requests" -j DROP
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-
-A neutron-filter-top -j neutron-
-A neutron-
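The class of failure in the error above (calling [] on the nil that a non-matching regex returns) and a parser that tolerates rules it does not recognise, as an added Ruby example; it is not the firewall module's or Fuel's code. The rule on example-chain and the names parse_fragile, parse_defensive and fragile_error are hypothetical, and a missing comment is used only as an illustrative trigger, not as the diagnosed root cause.

```ruby
# Added illustration; not code from puppetlabs-firewall or Fuel.
# Constructed iptables-save sample: two rules from the dump above plus one
# hypothetical rule without a comment, standing in for rules another tool added.
SAMPLE_RULES = <<~RULES
  -A INPUT -p tcp -m multiport --ports 22 -m comment --comment "020 ssh" -j ACCEPT
  -A example-chain -s 10.0.0.5/32 -j RETURN
  -A INPUT -p tcp -m comment --comment "999 drop all other requests" -j DROP
RULES

COMMENT_RE = /--comment "([^"]*)"/
CHAIN_RE   = /\A-A (\S+)/

# Fragile: assumes every rule carries a comment. On the second rule
# String#match returns nil, and nil[1] raises NoMethodError, the same
# class of error as in the report.
def parse_fragile(dump)
  dump.each_line.map do |line|
    { name: line.match(COMMENT_RE)[1], chain: line.match(CHAIN_RE)[1] }
  end
end

# Defensive: a rule that does not fit the expected shape is reported as
# unmanaged instead of aborting the parse of the rules that do fit.
def parse_defensive(dump)
  managed, unmanaged = [], []
  dump.each_line(chomp: true) do |line|
    chain = line[CHAIN_RE, 1]   # nil when the pattern does not match
    name  = line[COMMENT_RE, 1]
    if chain && name
      managed << { name: name, chain: chain }
    else
      unmanaged << line
    end
  end
  { managed: managed, unmanaged: unmanaged }
end

# Returns the exception class raised by the fragile parser, or nil if none.
def fragile_error(dump)
  parse_fragile(dump)
  nil
rescue NoMethodError => e
  e.class
end
```

Returning the unparsed lines, rather than discarding them, lets the caller leave rules owned by another component untouched instead of failing the whole run.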
tags: added: backports release-notes; removed: low-hanging-fruit
Changed in fuel: assignee: Fuel Library Team (fuel-library) → Dmitry Ilyin (idv1985)
Changed in fuel: status: Confirmed → In Progress
Changed in fuel: status: In Progress → Fix Committed
If you run firewall module tests, you could see there are plenty of failures (probably because of bad regexes): http://pastebin.com/8WHTChnQ
I hope some of them (confine, ipv6) could be safely ignored, while others should be addressed.