tripleo

Mysql/Rabbit/Redis/Horizon roles cannot be decoupled from haproxy due to missing firewall

Bug #1654280 reported by Michele Baldessari
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
High
Michele Baldessari
tripleo ocata-3 "ocata-3"

Bug Description

While testing the composable HA work, I noticed the following:
When we split mysql out to a dedicated node there is no 3306 open port on the controllers where haproxy is running.

The reason for this is because the mysql/rabbit/redis haproxy endpoint configuration (done here https://github.com/openstack/puppet-tripleo/blob/master/manifests/haproxy.pp) does not use the ::tripleo::haproxy::endpoint function which automagically also creates a firewall rule to allow the traffic for haproxy.

Michele Baldessari (michele)
Changed in tripleo:
assignee: nobody → Michele Baldessari (michele)
Michele Baldessari (michele)
summary: - Mysql/Rabbit/Redis roles cannot be decoupled from haproxy due to missing
- firewall
+ Mysql/Rabbit/Redis/Horizon roles cannot be decoupled from haproxy due to
+ missing firewall
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/417164

Changed in tripleo:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/417164
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=8eb99b868b71909132c6fc43d0d18940cc7ea9a1
Submitter: Jenkins
Branch: master

commit 8eb99b868b71909132c6fc43d0d18940cc7ea9a1
Author: Michele Baldessari <email address hidden>
Date: Thu Jan 5 20:27:46 2017 +0100

    Add haproxy firewall rules for galera and redis

    This change adds haproxy rules for galera and redis. They are not there
    because these haproxy entries do not use the ::tripleo::haproxy::endpoint
    function which does this automatically.

    Rabbit does not need them because it does not go through haproxy.

    Closes-Bug: #1654280
    Change-Id: If995d5c36341f3c089cbda9a0827ea28c19c796b

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 6.2.0

This issue was fixed in the openstack/puppet-tripleo 6.2.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.