Bug 1111640

Summary: packstack should open Tunnel ports VXLAN and GRE
Product: Red Hat OpenStack
Reporter: Scott Lewis <sclewis>
Component: openstack-packstack
Assignee: Martin Magr <mmagr>
Status: CLOSED ERRATA
QA Contact: yfried
Severity: medium
Priority: high
Version: 4.0
CC: aortega, derekh, ichavero, lars, lbezdick, lpeer, mburns, mmagr, nyechiel, oblaut, tfreger, yeylon
Target Milestone: z5
Keywords: ZStream
Target Release: 4.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-packstack-2013.2.1-0.32.dev1040.el6ost
Doc Type: Bug Fix
Clone Of: 1100993
Last Closed: 2014-10-22 17:17:25 UTC
Type: Bug
Bug Depends On: 1100993

Comment 2 yfried 2014-10-12 11:15:45 UTC
I'm looking at the iptables and I can't see the dport=4789 or the protocol=47 rules.
Am I missing anything?

gre:
[root@puma43 ~(keystone_admin)]# iptables -nL 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
nova-api-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED 
ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
nova-api-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain nova-api-FORWARD (1 references)
target     prot opt source               destination         

Chain nova-api-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            10.35.160.167       tcp dpt:8775 

Chain nova-api-OUTPUT (1 references)
target     prot opt source               destination         

Chain nova-api-local (1 references)
target     prot opt source               destination         

Chain nova-filter-top (2 references)
target     prot opt source               destination         
nova-api-local  all  --  0.0.0.0/0            0.0.0.0/0           


vxlan: 
[root@nmagnezi-os-cont1 ~(keystone_admin)]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  10.35.160.23         0.0.0.0/0            multiport dports 5671,5672 /* 001 amqp incoming amqp_10.35.160.23 */
ACCEPT     tcp  --  10.35.160.25         0.0.0.0/0            multiport dports 5671,5672 /* 001 amqp incoming amqp_10.35.160.25 */
ACCEPT     tcp  --  10.35.160.27         0.0.0.0/0            multiport dports 5671,5672 /* 001 amqp incoming amqp_10.35.160.27 */
ACCEPT     tcp  --  10.35.161.235        0.0.0.0/0            multiport dports 5671,5672 /* 001 amqp incoming amqp_10.35.161.235 */
ACCEPT     tcp  --  10.35.160.25         0.0.0.0/0            multiport dports 3260 /* 001 cinder incoming cinder_10.35.160.25 */
ACCEPT     tcp  --  10.35.160.27         0.0.0.0/0            multiport dports 3260 /* 001 cinder incoming cinder_10.35.160.27 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8776 /* 001 cinder-api incoming cinder_API */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9292 /* 001 glance incoming glance_API */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8004 /* 001 heat incoming heat */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80 /* 001 horizon 80  incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5000,35357 /* 001 keystone incoming keystone */
ACCEPT     tcp  --  10.35.160.23         0.0.0.0/0            multiport dports 3306 /* 001 mysql incoming mysql_10.35.160.23 */
ACCEPT     tcp  --  10.35.160.25         0.0.0.0/0            multiport dports 3306 /* 001 mysql incoming mysql_10.35.160.25 */
ACCEPT     tcp  --  10.35.160.27         0.0.0.0/0            multiport dports 3306 /* 001 mysql incoming mysql_10.35.160.27 */
ACCEPT     tcp  --  10.35.161.235        0.0.0.0/0            multiport dports 3306 /* 001 mysql incoming mysql_10.35.161.235 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9696 /* 001 neutron server incoming neutron_server_10.35.161.235 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8773,8774,8775 /* 001 nova api incoming nova_api */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6080 /* 001 novncproxy incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8080 /* 001 swift proxy incoming swift_proxy */
ACCEPT     tcp  --  10.35.160.25         0.0.0.0/0            multiport dports 6000,6001,6002,873 /* 001 swift storage and rsync incoming swift_storage_and_rsync_10.35.160.25 */
ACCEPT     tcp  --  10.35.160.27         0.0.0.0/0            multiport dports 6000,6001,6002,873 /* 001 swift storage and rsync incoming swift_storage_and_rsync_10.35.160.27 */
ACCEPT     tcp  --  10.35.161.235        0.0.0.0/0            multiport dports 6000,6001,6002,873 /* 001 swift storage and rsync incoming swift_storage_and_rsync_10.35.161.235 */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
nova-api-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0           
nova-api-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain nova-api-FORWARD (1 references)
target     prot opt source               destination         

Chain nova-api-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            10.35.161.235        tcp dpt:8775

Chain nova-api-OUTPUT (1 references)
target     prot opt source               destination         

Chain nova-api-local (1 references)
target     prot opt source               destination         

Chain nova-filter-top (2 references)
target     prot opt source               destination         
nova-api-local  all  --  0.0.0.0/0            0.0.0.0/0

Comment 3 yfried 2014-10-13 13:15:41 UTC
Please ignore the previous comment; it turns out rules aren't created for AIO.
Will reverify this later.

Comment 4 yfried 2014-10-14 14:35:39 UTC
Rules are created for gre and vxlan, but only if the setup is not AIO.

Comment 7 errata-xmlrpc 2014-10-22 17:17:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2014-1691.html
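
The check from comment 2 (is there an INPUT rule for UDP destination port 4789 or for protocol 47?) written as a script. This is an added example, not part of the bug report and not packstack code. The sample listings are constructed, and the three status names are assumptions of this example.

```python
import re

# Constructed `iptables -nL` lines (192.0.2.10 is a documentation address).
HEAD = "Chain INPUT (policy ACCEPT)\ntarget     prot opt source               destination\n"
SSH = "ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22\n"
REJECT = "REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited\n"
VXLAN = "ACCEPT     udp  --  192.0.2.10           0.0.0.0/0            multiport dports 4789 /* constructed */\n"
GRE = "ACCEPT     47   --  192.0.2.10           0.0.0.0/0            /* constructed */\n"
TAIL = "\nChain FORWARD (policy ACCEPT)\n" + REJECT
FIXED = HEAD + VXLAN + GRE + SSH + REJECT + TAIL
MISSING = HEAD + SSH + REJECT + TAIL
SHADOWED = HEAD + SSH + REJECT + VXLAN + GRE + TAIL

# Protocol and destination port per tunnel type, as named in comment 2.
TUNNELS = {"vxlan": ("udp", 4789), "gre": ("47", None)}

def parse_input_chain(listing):
    """Return INPUT-chain rules as (target, prot, source, destination, rest)."""
    rules, in_input = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_input = line.split()[1] == "INPUT"
            continue
        f = line.split(None, 5)
        if in_input and len(f) >= 5 and f[0] != "target":
            rules.append((f[0], f[1], f[3], f[4], f[5] if len(f) > 5 else ""))
    return rules

def covers_port(rest, port):
    """True if a dpt:, dpts: or multiport dports clause includes `port`."""
    for spec in re.findall(r"(?:dpts?:|dports )([\d,:]+)", rest):
        for lo, hi in re.findall(r"(\d+)(?::(\d+))?", spec):
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def tunnel_status(listing, tunnel):
    """Return 'allowed', 'shadowed' or 'missing' for 'vxlan' or 'gre'."""
    proto, port = TUNNELS[tunnel]
    status, blocked = "missing", False
    for target, prot, src, dst, rest in parse_input_chain(listing):
        if (target in ("REJECT", "DROP") and prot == "all" and src == dst == "0.0.0.0/0"
                and (not rest or rest.startswith("reject-with"))):
            blocked = True  # a catch-all reject: rules below it never match
        # Accept both the numeric ("47") and the named ("gre") protocol column.
        elif target == "ACCEPT" and prot in (proto, tunnel) and (port is None or covers_port(rest, port)):
            if not blocked:
                return "allowed"
            status = "shadowed"
    return status
```

`iptables -nL` does not print interface matches, so a rule that looks like a catch-all here may be limited to one interface; `iptables -nvL INPUT` or `iptables -S INPUT` shows the full rule.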