Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add ceph-mon service to osds hosts firewall #1419

Draft
wants to merge 1 commit into
base: stackhpc/2024.1
Choose a base branch
from
Draft

feat: add ceph-mon service to osds hosts firewall #1419

wants to merge 1 commit into from

Conversation

jackhodgkiss
Copy link
Contributor

Hosts that carry just OSDs appear to require ceph-mon service firewalls to ensure communication for Ceph MDS connectivity.

@jackhodgkiss jackhodgkiss added the bug Something isn't working label Dec 10, 2024
@jackhodgkiss jackhodgkiss self-assigned this Dec 10, 2024
@jackhodgkiss jackhodgkiss requested a review from a team as a code owner December 10, 2024 14:41
Alex-Welsh
Alex-Welsh previously approved these changes Dec 10, 2024
View reviewed changes
@Alex-Welsh
Copy link
Contributor

nit: Should probably have a release note

@jackhodgkiss jackhodgkiss force-pushed the firewall-ceph-mon-for-osds branch from 2df64ab to 29961cb Compare December 10, 2024 17:00
@jackhodgkiss
Copy link
Contributor Author

/cherry-pick stackhpc/2023.1

@jackhodgkiss jackhodgkiss force-pushed the firewall-ceph-mon-for-osds branch from 29961cb to c11d1f6 Compare December 10, 2024 17:02
@priteau
Copy link
Member

priteau commented Dec 10, 2024

/cherry-pick stackhpc/2023.1

Shouldn't you merge first?

@Alex-Welsh
Copy link
Contributor

Alex-Welsh commented Dec 10, 2024
edited
Loading

/cherry-pick stackhpc/2023.1

Shouldn't you merge first?

From the bot docs:

If you add/edit the comment on an unmerged pull request, it will not do anything immediately. When the pull request is merged, cherry-pick-bot will scan all the comments on the pull request, collect valid target branches to cherry-pick to, and then attempt to cherry-pick each one.

@jackhodgkiss
Copy link
Contributor Author

/cherry-pick stackhpc/2023.1

Shouldn't you merge first?

The cherry pick will only happen after this has merged. https://github.com/googleapis/repo-automation-bots/tree/main/packages/cherry-pick-bot#on-unmerged-pull-request

This way I can line up the cherry-pick now and not after it has merged.

Alex-Welsh
Alex-Welsh previously approved these changes Dec 10, 2024
View reviewed changes
@priteau
Copy link
Member

priteau commented Dec 10, 2024

This is odd behaviour, can you confirm that you see OSDs listening on ports 3300 or 6789?

@priteau
Copy link
Member

priteau commented Dec 10, 2024

It is also worth noting that the highest port number used by Ceph was increased in [1] but the firewalld service definition was not updated right away [2].

[1] ceph/ceph#42210
[2] firewalld/firewalld#1329

priteau
priteau requested changes Dec 10, 2024
View reviewed changes
releasenotes/notes/add-ceph-mon-firewall-to-osds-fc6233b3db6ade7a.yaml Outdated
---
features:
- |
Add `ceph-mon` as a `firewalld` service rule to hosts of `osds`.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use double backticks.

@jackhodgkiss
Copy link
Contributor Author

It is also worth noting that the highest port number used by Ceph was increased in [1] but the firewalld service definition was not updated right away [2].

[1] ceph/ceph#42210 [2] firewalld/firewalld#1329

I think maybe solution is a bit clouded and maybe the firewall change here is a redherring. I don't have any appetite to revert the change in the environment where the problem was observed.

It was certainly missing ceph service from the host and enabling the firewall without ceph-mon caused sssd within the slurm cluster to fail. Though things didn't properly return until after a reboot of NFS hosts.

I think this could be tested within virtualised environment to be sure if this is required at all. Will mark as draft for now.

@jackhodgkiss
Copy link
Contributor Author

This is odd behaviour, can you confirm that you see OSDs listening on ports 3300 or 6789?

Checked impacted hosts those ports are not in use.

@jackhodgkiss jackhodgkiss force-pushed the firewall-ceph-mon-for-osds branch from c11d1f6 to 431b9d6 Compare December 10, 2024 17:25
@jackhodgkiss jackhodgkiss marked this pull request as draft December 11, 2024 09:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@priteau priteau priteau requested changes

@Alex-Welsh Alex-Welsh Alex-Welsh left review comments

Requested changes must be addressed to merge this pull request.

Assignees

@jackhodgkiss jackhodgkiss

Labels
bug Something isn't working size: xs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jackhodgkiss @Alex-Welsh @priteau