| Summary: | keystone iptables rule installed by packstack is more restrictive than rules for API services requiring a keystone token | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Eoghan Glynn <eglynn> |
| Component: | openstack-packstack | Assignee: | Francesco Vollero <fvollero> |
| Status: | CLOSED ERRATA | QA Contact: | Nir Magnezi <nmagnezi> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 4.0 | CC: | ajeain, aortega, breeler, derekh, ichavero, mmagr, sgordon, yeylon |
| Target Milestone: | z1 | Keywords: | Triaged, ZStream |
| Target Release: | 4.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-packstack-2013.2.1-0.22.dev956.el6ost | Doc Type: | Known Issue |
| Doc Text: |
Currently, PackStack does not allow all hosts to access keystone. As a result, remote callers of various API services are unable to obtain a new token, preventing use of these API services from remote hosts.
As a workaround, execute the following commands on the controller host:
$ INDEX=$(sudo iptables -L | grep -A 20 'INPUT.*policy ACCEPT' | grep -- -- | grep -n keystone | cut -f1 -d:)
$ sudo iptables -I INPUT $INDEX -p tcp --dport 35357 -j ACCEPT
$ sudo service iptables save
After doing this the remote callers of API services work correctly.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-01-23 14:23:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
|
Description
Eoghan Glynn
2013-12-12 17:20:03 UTC
Francesco has been working on it. It seems that he hit some sort of issue with the firewall Puppet module.

Verified NVR: openstack-packstack-2013.2.1-0.22.dev956.el6ost.noarch

Tested as follows (Followed Comment #0):

1. Installed openstack via packstack on a single node.
2. Used additional node and installed the following packages:
   python-cinderclient
   python-neutronclient
   python-keystoneclient
   python-glanceclient
   python-swiftclient
   python-novaclient
   python-ceilometerclient
   python-heatclient
   In addition, created a keystonerc file to source.
3. The following commands were tested OK:
   nova list
   ceilometer meter-list
   cinder list
   glance image-list
   neutron net-list
   keystone endpoint-list
   heat list

Commands Used in Comment #0:
   nova --debug flavor-list
   ceilometer --debug meter-list

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-0046.html
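The Doc Text workaround above opens port 35357 to every source, so it is worth confirming afterwards exactly which sources the INPUT chain accepts on each keystone port. The following is an added example, not part of the original bug report or of PackStack; the function names, the sample rules, the address 192.0.2.10 and the rule comments are all constructed for illustration.

```shell
#!/bin/sh
# Added example: which sources does an INPUT ruleset accept on a TCP port?
# Input is `iptables -S INPUT` style text. Limits: port ranges (a:b) and
# negated matches (! -s) are not interpreted.

# allowed_sources PORT: read rules on stdin, print one accepted source per
# matching ACCEPT rule ("any" when the rule has no -s restriction).
allowed_sources() {
    awk -v port="$1" '
    $1 == "-A" && $2 == "INPUT" {
        src = "any"; tcp = 0; hit = 0; accept = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
            if ($i == "--dport" && $(i + 1) == port) hit = 1
            if ($i == "--dports") {            # multiport list: 5000,35357
                n = split($(i + 1), p, ",")
                for (k = 1; k <= n; k++) if (p[k] == port) hit = 1
            }
            if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
        }
        if (tcp && hit && accept) print src
    }'
}

# open_to_any PORT: exit 0 if some ACCEPT rule admits every source on PORT.
open_to_any() {
    allowed_sources "$1" | grep -qx any
}

# Constructed sample rules (addresses and comments are made up): keystone
# limited to one host, the nova API open to everyone.
HEAD='-P INPUT ACCEPT'
REST='-A INPUT -s 192.0.2.10/32 -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8774 -m comment --comment "001 novaapi incoming" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
BEFORE="$HEAD
$REST"
# The same ruleset with the workaround rule inserted ahead of the keystone rule.
AFTER="$HEAD
-A INPUT -p tcp -m tcp --dport 35357 -j ACCEPT
$REST"

for port in 5000 35357 8774; do
    printf 'after workaround, %s: %s\n' "$port" \
        "$(printf '%s\n' "$AFTER" | allowed_sources "$port" | tr '\n' ' ')"
done
```

On a live controller the same functions can be fed from `sudo iptables -S INPUT`, for example `sudo iptables -S INPUT | allowed_sources 35357`.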