Bug 1195258

Summary: Packstack doesn't set firewall so vxlan traffic can be received in multinode setup
Product: Red Hat OpenStack Reporter: Richard W.M. Jones <rjones>
Component: openstack-packstackAssignee: Lukas Bezdicka <lbezdick>
Status: CLOSED ERRATA QA Contact: Eran Kuris <ekuris>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: aortega, apevec, dnavale, lbezdick, mschuppe, myllynen, nyechiel, sclewis, tfreger, yeylon
Target Milestone: z2Keywords: Regression, ZStream
Target Release: 6.0 (Juno)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-packstack-2014.2-0.17.dev1462.gbb05296.el7ost Doc Type: Bug Fix
Doc Text:
When using Packstack in a multi-node configuration, VXLAN ports (4789) on the firewall were not open for the other nodes. As a result, openvswitch did not function properly. With this update, this issue has been addressed by opening the port 4789 on all compute and network nodes.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-07 15:10:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Richard W.M. Jones 2015-02-23 13:43:40 UTC 
Description of problem:

When using packstack in a multi-node configuration, VXLAN
ports (4789) on the firewall are not opened up for the other
nodes.  As a result, openvswitch doesn't function.

I have a 3 node setup with IP addresses:
10.16.184.117 (control)
10.16.184.118 (compute)
10.16.184.119 (compute)

On the control node:

# iptables -S | grep 4789
-A INPUT -s 10.16.184.117/32 -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel_10.16.184.117_10.16.184.117" -j ACCEPT

but there should be rules for .118 and .119 as well.

The compute nodes have the same single rule, but that's
probably correct, provided the compute nodes don't have to
talk to each other.

I should note there are many similar bugs, but all closed, so
this might be a regression:
bug 1021778 bug 1100993 bug 1111640 bug 1174001

Also SELinux is disabled.

Version-Release number of selected component (if applicable):

openstack-packstack-2014.2-0.15.dev1401.gdd19d48.aa7a.noarch

How reproducible:

100%

Steps to Reproduce:
1. Run packstack in a multi-node configuration.

Additional info:

May be worked around by adding the rules manually:

iptables -I INPUT 3 -s 10.16.184.118/32 -p udp -m multiport --dports 4789 -j ACCEPT
iptables -I INPUT 4 -s 10.16.184.119/32 -p udp -m multiport --dports 4789 -j ACCEPT
Comment 7 Eran Kuris 2015-03-15 09:18:59 UTC 
The bug was verified and it does not reproduced in the flowing version:
# rpm -qa |grep openstack-packstack
openstack-packstack-2014.2-0.17.dev1462.gbb05296.el7ost.noarch
openstack-packstack-puppet-2014.2-0.17.dev1462.gbb05296.el7ost.noarch

I created multi-node environment and verified that iptables configured as expected and VM's in each node can access and communicate as well .
1. # iptables -S | grep 4789
-A INPUT -s 10.35.160.39/32 -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel_10.35.160.39_10.35.160.39" -j ACCEPT
-A INPUT -s 10.35.160.41/32 -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel_10.35.160.39_10.35.160.41" -j ACCEPT

2.VM1 in node 10.35.160.39 can access to VM2 in node 10.35.160.41 and vice versa. 
All VM's can full access to all network devices / components (DHCP & Router)
Comment 10 errata-xmlrpc 2015-04-07 15:10:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0789.html