| Summary: | Packstack provisions quantum firewall rules on the wrong host | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Lars Kellogg-Stedman <lars> |
| Component: | openstack-packstack | Assignee: | Ivan Chavero <ichavero> |
| Status: | CLOSED ERRATA | QA Contact: | Ofer Blaut <oblaut> |
| Severity: | high | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 3.0 | CC: | aortega, derekh, hateya, ichavero, mlopes, mmagr, oblaut, yeylon |
| Target Milestone: | beta | | |
| Target Release: | 4.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | network | | |
| Fixed In Version: | openstack-packstack-2013.2.1-0.8.dev835.el6ost | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-12-20 00:32:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
I ran into this same issue with a havana RDO packstack install. This breaks multi-node installs completely, and should be fixed in the next async releases for all versions of packstack that it affects.

*** Bug 1023979 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1859.html
Description of problem:

Packstack does not provision the appropriate firewall rules to allow access to the Quantum API from other hosts. The quantum server listens on port 9696. Given a configuration file that includes:

```
CONFIG_QUANTUM_SERVER_HOST=192.168.122.199
CONFIG_NOVA_COMPUTE_HOSTS=192.168.122.76
```

On 192.168.122.199, after a successful server install, I see:

```
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
```

But on 192.168.122.76, the compute host, I see:

```
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 192.168.122.34/32 -p tcp -m multiport --dports 5900:5999 -m comment --comment "001 nova compute incoming 192.168.122.34" -j ACCEPT
-A INPUT -s 192.168.122.199/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 quantum incoming 192.168.122.199" -j ACCEPT
-A INPUT -s 192.168.122.76/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 quantum incoming 192.168.122.76" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
```

The quantum firewall rules appear to be provisioned on the wrong host. And indeed, in manifests/192.168.122.76_quantum.pp I see:

```puppet
# Create firewall rules to allow only the hosts that need to connect
# to quantum
$hosts = [ '192.168.122.199','192.168.122.76' ]

define add_allow_host {
  firewall { "001 quantum incoming ${title}":
    proto  => 'tcp',
    dport  => ['9696'],
    action => 'accept',
    source => $title,
  }
}

add_allow_host { $hosts:}
```

This should be in manifests/192.168.122.199_quantum.pp.

Version-Release number of selected component (if applicable):
openstack-packstack-2013.1.1-0.33.dev695.el6ost.noarch
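The check below is an added example, not part of the bug report or of packstack itself. It takes the packstack answer-file settings and the `iptables -S` listing of each host, replays a new remote TCP connection to the Quantum API port through the INPUT chain in rule order, and reports which required sources the Quantum server fails to accept and which accept rules on any other host are stray. The sample answer file and rule listings are constructed from the report above; the function names, and the assumption (taken from the generated manifest) that the hosts to allow are the Quantum server itself plus every CONFIG_NOVA_COMPUTE_HOSTS entry, are mine.

```python
# Added example, not from the bug report or packstack: find which host ended up
# with the Quantum API (tcp/9696) accept rules by replaying a new TCP connection
# through each host's INPUT chain as printed by `iptables -S`.
import shlex

QUANTUM_PORT = 9696
# Constructed sample input, copied from the report above.
ANSWER_FILE = """CONFIG_QUANTUM_SERVER_HOST=192.168.122.199
CONFIG_NOVA_COMPUTE_HOSTS=192.168.122.76"""
SERVER_RULES = """-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited"""
COMPUTE_RULES = """-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 192.168.122.34/32 -p tcp -m multiport --dports 5900:5999 -m comment --comment "001 nova compute incoming 192.168.122.34" -j ACCEPT
-A INPUT -s 192.168.122.199/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 quantum incoming 192.168.122.199" -j ACCEPT
-A INPUT -s 192.168.122.76/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 quantum incoming 192.168.122.76" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited"""
# iptables options that take exactly one argument; any other token is skipped.
ONE_ARG = {"-s", "-d", "-p", "-i", "-o", "-m", "-j", "--dport", "--dports", "--sport",
           "--sports", "--state", "--ctstate", "--comment", "--reject-with"}

def parse_answer_file(text):
    """KEY=value lines of a packstack answer file -> dict."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def expected_quantum_sources(conf):
    """(server host, sorted hosts that must reach tcp/9696 on it). Assumption, as in
    the generated manifest: the server itself plus every compute host."""
    server = conf["CONFIG_QUANTUM_SERVER_HOST"]
    computes = [h.strip() for h in conf.get("CONFIG_NOVA_COMPUTE_HOSTS", "").split(",") if h.strip()]
    return server, sorted({server, *computes})

def expand_ports(spec):
    """Multiport syntax ('5900:5999', '22,9696') -> set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rule(line):
    """Pull the match options we need out of one '-A CHAIN ...' line."""
    toks, opts, i = shlex.split(line), {}, 2  # shlex keeps the quoted --comment text whole
    while i < len(toks):
        take = toks[i] in ONE_ARG and i + 1 < len(toks)
        if take:
            opts[toks[i]] = toks[i + 1]
        i += 2 if take else 1
    src, ports = opts.get("-s"), opts.get("--dports") or opts.get("--dport")
    return {"source": src[:-3] if src and src.endswith("/32") else src,
            "proto": opts.get("-p"), "iface": opts.get("-i"), "target": opts.get("-j"),
            "state": set((opts.get("--state") or opts.get("--ctstate") or "").split(",")) - {""},
            "dports": expand_ports(ports) if ports else set()}

def new_tcp_verdict(iptables_s, port):
    """Replay a new remote TCP connection to `port` through INPUT in rule order. Returns
    (accepted, default): /32 sources accepted before a catch-all terminal rule, and the
    verdict every other source gets (terminal target, else the chain policy)."""
    accepted, policy = set(), "ACCEPT"
    for line in (l.strip() for l in iptables_s.splitlines()):
        if line.startswith("-P INPUT "):
            policy = line.split()[2]
        if not line.startswith("-A INPUT "):
            continue
        r = parse_rule(line)
        if r["proto"] not in (None, "tcp") or r["iface"] == "lo":
            continue  # other protocol, or loopback-only: never matches remote TCP
        if (r["dports"] and port not in r["dports"]) or (r["state"] and "NEW" not in r["state"]):
            continue  # wrong port, or RELATED,ESTABLISHED: does not match the first SYN
        if r["target"] not in ("ACCEPT", "REJECT", "DROP"):
            continue  # jumps into user-defined chains are not followed here
        if r["source"] is None:
            return accepted, r["target"]  # catch-all terminal rule ends evaluation
        if r["target"] == "ACCEPT":
            accepted.add(r["source"])
    return accepted, policy

def audit_host(host, iptables_s, conf):
    """Quantum server: required sources that cannot connect. Any other host: sources it
    accepts on tcp/9696 although it is not the Quantum server."""
    server, sources = expected_quantum_sources(conf)
    accepted, default = new_tcp_verdict(iptables_s, QUANTUM_PORT)
    if host == server:
        missing = [] if default == "ACCEPT" else sorted(set(sources) - accepted)
        return {"host": host, "role": "quantum-server", "missing": missing, "stray": []}
    return {"host": host, "role": "other", "missing": [], "stray": sorted(accepted)}
```

Run `audit_host` once per host with that host's own `iptables -S` output. On the listings above it reports both expected sources as missing on 192.168.122.199 and both as stray on 192.168.122.76, which is exactly the misplacement the report describes. The replay is deliberately simple: it does not follow jumps into user-defined chains and treats any non-loopback interface match as applicable, so on hosts with more elaborate rulesets inspect those by hand.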