Bug 1073100
| Summary: | Packstack does not open iptables for horizon/client access to Neutron API | | |
|---|---|---|---|
| Product: | [Community] RDO | Reporter: | Lars Kellogg-Stedman <lars> |
| Component: | openstack-packstack | Assignee: | RHOS Maint <rhos-maint> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ami Jeain <ajeain> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | unspecified | CC: | aortega, derekh, mmagr, yeylon |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openstack-packstack-2013.2.1-0.34.dev989.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-03-17 09:02:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Patch submitted upstream.
I'm using packstack to install RDO Havana on a five-node cluster with the following members:

- 10.15.0.3 compute0
- 10.15.0.4 compute1
- 10.15.0.7 storage0
- 10.15.0.5 storage1
- 10.15.0.6 controller
- 10.15.0.2 network

The system "network" runs neutron-server and neutron-*-agent; the system "controller" runs everything other than nova-compute, including Horizon.

After packstack finishes, the iptables rules on "network" look like this:

```
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N neutron-filter-top
-N neutron-openvswi-FORWARD
-N neutron-openvswi-INPUT
-N neutron-openvswi-OUTPUT
-N neutron-openvswi-local
-N neutron-openvswi-sg-chain
-N neutron-openvswi-sg-fallback
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -s 10.15.0.2/32 -p tcp -m multiport --dports 9696,67,68 -m comment --comment "001 neutron incoming 10.15.0.2" -j ACCEPT
-A INPUT -s 10.15.0.3/32 -p tcp -m multiport --dports 9696,67,68 -m comment --comment "001 neutron incoming 10.15.0.3" -j ACCEPT
-A INPUT -s 10.15.0.4/32 -p tcp -m multiport --dports 9696,67,68 -m comment --comment "001 neutron incoming 10.15.0.4" -j ACCEPT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-sg-fallback -j DROP
```

Note the three rules that permit access to the Neutron API on port 9696; there are rules for each of the compute nodes (.3 and .4) and for the local host itself (.2), but there is no access permitted from "controller". This is a problem because both Horizon and the client tools expect to run from this host, and any proxy access by nova-api will *also* run through this host.

Rules should permit access from at least:

- CONFIG_HORIZON_HOST
- CONFIG_OSCLIENT_HOST
- CONFIG_NOVA_API_HOST
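A check for the gap described in the report, added here as an example and not part of the bug report or of packstack itself: it parses the INPUT chain in `iptables -S` form and lists which packstack host settings have no ACCEPT rule reaching tcp/9696 on the network node. The rule text is the report's own; the mapping of settings to hosts (controller 10.15.0.6 as the Horizon, client and nova-api host) is an assumption based on the topology the report describes.

```python
import re

# Constructed sample: the INPUT-chain rules quoted in the report (iptables -S format).
IPTABLES_RULES = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -s 10.15.0.2/32 -p tcp -m multiport --dports 9696,67,68 -m comment --comment "001 neutron incoming 10.15.0.2" -j ACCEPT
-A INPUT -s 10.15.0.3/32 -p tcp -m multiport --dports 9696,67,68 -m comment --comment "001 neutron incoming 10.15.0.3" -j ACCEPT
-A INPUT -s 10.15.0.4/32 -p tcp -m multiport --dports 9696,67,68 -m comment --comment "001 neutron incoming 10.15.0.4" -j ACCEPT
-A FORWARD -j neutron-filter-top
"""

# Matches a source-restricted INPUT ACCEPT rule with a --dport or --dports list;
# rules without -s (or with port ranges) are deliberately ignored.
RULE_RE = re.compile(
    r"^-A INPUT .*?-s (?P<src>\S+) .*?--dports? (?P<ports>[\d,]+) .*?-j ACCEPT$"
)


def allowed_sources(rules: str, port: int) -> set:
    """Return the source prefixes that have an INPUT ACCEPT rule covering `port`."""
    sources = set()
    for line in rules.splitlines():
        m = RULE_RE.match(line)
        if m and port in {int(p) for p in m.group("ports").split(",")}:
            sources.add(m.group("src"))
    return sources


def missing_neutron_access(rules: str, hosts: dict, port: int = 9696) -> dict:
    """Map setting name -> host for each host lacking an INPUT ACCEPT rule to `port`."""
    allowed = allowed_sources(rules, port)
    return {
        name: ip
        for name, ip in hosts.items()
        if ip not in allowed and f"{ip}/32" not in allowed
    }


# Assumed packstack answer-file values for the report's topology (not from the page).
PACKSTACK_HOSTS = {
    "CONFIG_NEUTRON_SERVER_HOST": "10.15.0.2",  # network node
    "CONFIG_HORIZON_HOST": "10.15.0.6",         # controller
    "CONFIG_OSCLIENT_HOST": "10.15.0.6",        # controller
    "CONFIG_NOVA_API_HOST": "10.15.0.6",        # controller
}

if __name__ == "__main__":
    for name, ip in missing_neutron_access(IPTABLES_RULES, PACKSTACK_HOSTS).items():
        print(f"{name}={ip}: no INPUT ACCEPT rule to tcp/9696 on the network node")
```

Run against `iptables -S INPUT` output from the network node, the same function flags any Horizon, client or nova-api host that the generated rules leave out.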