Bug 1040610

Summary: ceilometer-api constrains access to the host on which the service is running
Product: Red Hat OpenStack
Reporter: Jiri Stransky <jstransk>
Component: openstack-foreman-installer
Assignee: Jiri Stransky <jstransk>
Status: CLOSED ERRATA
QA Contact: Ami Jeain <ajeain>
Severity: high
Priority: high
Version: 4.0
CC: acathrow, aortega, breeler, ckannan, cwolfe, derekh, eglynn, hateya, ichavero, jguiditt, mmagr, morazi, rhos-maint, sclewis, yeylon
Target Milestone: rc
Keywords: OtherQA, Triaged, ZStream
Target Release: 4.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-foreman-installer-1.0.0-1.el6ost
Doc Type: Known Issue
Doc Text:
Currently, a missing firewall rule for ceilometer-api causes ceilometer-api to only be accessible locally on a controller, not from other machines. Workaround: Open port 8777 in the firewall on the controller node(s). This will make ceilometer-api accessible from other machines.
Clone Of: 1040404
Last Closed: 2013-12-20 00:44:19 UTC
Type: Bug
Bug Depends On: 1040404

Comment 1 Jiri Stransky 2013-12-11 18:01:30 UTC
Pull request upstream, not merged yet: https://github.com/redhat-openstack/astapor/pull/83

Comment 2 Jiri Stransky 2013-12-11 20:36:33 UTC
Cause: Missing firewall rule for ceilometer-api.

Consequence: Ceilometer-api is only accessible locally on a controller, not from other machines.

Workaround (if any): Open port 8777 in firewall on controller node(s).

Result: Ceilometer-api will become accessible from other machines.

Comment 3 Jason Guiditta 2013-12-11 21:05:59 UTC
merged upstream

Comment 4 Chandrasekar Kannan 2013-12-16 22:20:30 UTC
qa_ack provided - OtherQA bug.

Comment 6 Crag Wolfe 2013-12-18 23:35:28 UTC
Verified that the controller node opens up port 8777 on a neutron controller node (same code applies to nova-network controller node).

Steps include assigning a host to the Controller (Neutron) Host Group in the Foreman UI, then running "puppet agent -t" from the host, then:

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
nova-api-INPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            multiport dports http,https,iscsi-target,mysql,commplex-main,35357,amqp,8773,8774,8775,8776,8777,armtechdaemon,6080 /* 001 controller incoming */
...
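
A scripted form of the check in comment 6, as an added example that is not part of the bug report or the installer's code: `port_accepted` (a hypothetical helper name) reads `iptables -L` output and reports whether a tcp ACCEPT rule covers a port. It goes beyond the multiport case shown above by also handling `dpt:`/`dpts:` rules and port ranges; the second sample rule is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report. port_accepted is a hypothetical helper.
# On a controller: iptables -L INPUT -n | port_accepted 8777
# (-n keeps ports numeric instead of printing service names.)
# Reads `iptables -L` text on stdin; exit 0 if a tcp ACCEPT rule covers PORT.
port_accepted() {
  awk -v want="$1" '
    # True if the comma-separated list holds want, as a value or inside lo:hi.
    function in_list(list,   n, parts, j, r) {
      n = split(list, parts, ",")
      for (j = 1; j <= n; j++) {
        if (parts[j] == want) return 1
        if (split(parts[j], r, ":") == 2 && r[1] ~ /^[0-9]+$/ && r[2] ~ /^[0-9]+$/ &&
            want + 0 >= r[1] + 0 && want + 0 <= r[2] + 0) return 1
      }
      return 0
    }
    $1 == "ACCEPT" && $2 == "tcp" {
      # multiport form: "multiport dports a,b,lo:hi"
      for (i = 1; i < NF; i++)
        if ($i == "dports" && in_list($(i + 1))) found = 1
      # single-rule forms: "dpt:8777" and "dpts:8000:9000"
      for (i = 1; i <= NF; i++)
        if ($i ~ /^dpts?:/) { s = $i; sub(/^dpts?:/, "", s); if (in_list(s)) found = 1 }
    }
    END { exit (found ? 0 : 1) }
  '
}

# Rule line as shown in comment 6 of this report (after the fix).
FIXED='ACCEPT     tcp  --  anywhere             anywhere            multiport dports http,https,iscsi-target,mysql,commplex-main,35357,amqp,8773,8774,8775,8776,8777,armtechdaemon,6080 /* 001 controller incoming */'
# Constructed sample: a similar rule whose port list lacks 8777.
MISSING='ACCEPT     tcp  --  anywhere             anywhere            multiport dports http,https,8773,8774,8775,8776,6080 /* 001 controller incoming */'

if printf '%s\n' "$FIXED" | port_accepted 8777; then
  echo "comment 6 ruleset: 8777 accepted"
fi
if ! printf '%s\n' "$MISSING" | port_accepted 8777; then
  echo "constructed ruleset: 8777 not accepted"
fi
```

The helper only confirms that a matching ACCEPT rule is listed; it does not evaluate rule order, so an earlier DROP or REJECT in the chain is not detected.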

Comment 9 errata-xmlrpc 2013-12-20 00:44:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1859.html