Bug 1215638

Summary: Packstack adds neutron tunnels iptables rules to the wrong interface (VXLAN / GRE)

Product: Red Hat OpenStack
Reporter: Roey Dekel <rdekel>
Component: openstack-puppet-modules
Assignee: Martin Magr <mmagr>
Status: CLOSED ERRATA
QA Contact: Roey Dekel <rdekel>
Severity: high
Docs Contact:
Priority: urgent
Version: 6.0 (Juno)
CC: aortega, ichavero, lbezdick, nyechiel, oblaut, pnavarro, yeylon, yfried
Target Milestone: ga
Keywords: AutomationBlocker, Triaged
Target Release: 7.0 (Kilo)
Flags: pm-rhel: automate_bug+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-packstack-2015.1-0.3.dev1565.gd1211af.el7ost
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1230010
Environment:
Last Closed: 2015-08-05 13:22:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1230010, 1230022
Attachments: answer file used for packstack installation (flags: none)

Description Roey Dekel 2015-04-27 11:21:29 UTC
Created attachment 1019297
answer file used for packstack installation

Description of problem:
Packstack added the wrong rules to iptables for the neutron tunnel. The added rules were related to the network attached to CONFIG_NOVA_NETWORK_PUBIF and not to the network related to CONFIG_NEUTRON_OVS_TUNNEL_IF.

Version-Release number of selected component (if applicable):
openstack-neutron-2014.2.3-2.el7ost.noarch
openstack-packstack-2014.2-0.23.dev1468.gd049ea9.el7ost.noarch

How reproducible:

[root@controller ~(keystone_admin)]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:38:0d:0d brd ff:ff:ff:ff:ff:ff
    inet 10.35.187.57/23 brd 10.35.187.255 scope global dynamic eth0
       valid_lft 79754sec preferred_lft 79754sec
    inet6 fe80::f816:3eff:fe38:d0d/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:9a:f0:de brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f816:3eff:fe9a:f0de/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:f0:b7:49 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.19/24 brd 192.168.0.255 scope global dynamic eth2
       valid_lft 79754sec preferred_lft 79754sec
    inet6 fe80::f816:3eff:fef0:b749/64 scope link 
       valid_lft forever preferred_lft forever

[root@controller ~(keystone_admin)]# grep eth0 answer_file_current 
CONFIG_NOVA_NETWORK_PUBIF=eth0

[root@controller ~(keystone_admin)]# grep eth2 answer_file_current 
# linuxbridge plugin (eg. physnet1:eth1,physnet2:eth2,physnet3:eth3)
# openvswitch plugin (eg. physnet1:br-eth1,physnet2:br-eth2,physnet3
CONFIG_NEUTRON_OVS_TUNNEL_IF=eth2

[root@controller ~(keystone_admin)]# iptables -nL | grep neutron_tunnel
ACCEPT     udp  --  10.35.187.58         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.187.57_10.35.187.58 */
ACCEPT     udp  --  10.35.187.59         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.187.57_10.35.187.59 */
ACCEPT     udp  --  10.35.187.60         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.187.57_10.35.187.60 */
ACCEPT     udp  --  10.35.187.61         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.187.57_10.35.187.61 */

Steps to Reproduce:
1. Run packstack with attached answer-file
2. iptables -nL | grep neutron_tunnel

Actual results:
As described above, rules were added for the wrong network, causing connection problems to VMs.

Expected results:
Rules added for the tunnel-related network.

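A check for the symptom reported above, added here as an example (it is not code from the bug report, from packstack or from openstack-puppet-modules): it reads CONFIG_NEUTRON_OVS_TUNNEL_IF from the answer file, looks up that interface's IPv4 subnet in `ip a` output, and flags every neutron_tunnel ACCEPT rule whose source address lies outside that subnet. The sample inputs are the command outputs quoted in the description and in comment 10; the function names and the default answer-file name are this example's own assumptions.

```python
"""Check that packstack's neutron_tunnel iptables rules admit the tunnel network.

Added example, not code from the bug report or from packstack. Function names
and the default answer-file name are assumptions made for this example.
"""
import ipaddress
import re
import subprocess
import sys

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+):")   # e.g. "4: eth2: <BROADCAST,...>"
ANSWER_RE = re.compile(r"^CONFIG_NEUTRON_OVS_TUNNEL_IF=(\S+)")
# One `iptables -nL` line carrying packstack's "neutron_tunnel_<local>_<remote>" comment.
RULE_RE = re.compile(
    r"^ACCEPT\s+(?P<proto>\S+)\s+--\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r".*neutron_tunnel_(?P<local>[\d.]+)_(?P<remote>[\d.]+)"
)

# Sample inputs (constructed test data, copied from the outputs quoted in this report).
JUNO_ANSWERS = "CONFIG_NOVA_NETWORK_PUBIF=eth0\nCONFIG_NEUTRON_OVS_TUNNEL_IF=eth2\n"
JUNO_IP_A = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 10.35.187.57/23 brd 10.35.187.255 scope global dynamic eth0
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    inet 192.168.0.19/24 brd 192.168.0.255 scope global dynamic eth2
"""
JUNO_IPTABLES = """\
ACCEPT     udp  --  10.35.187.58         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.187.57_10.35.187.58 */
ACCEPT     udp  --  10.35.187.59         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.187.57_10.35.187.59 */
"""
# Post-fix (Kilo) rules: the source column moved to the eth2 network while the
# comment still names the eth0 addresses, so the check must use the source column.
KILO_IPTABLES = """\
ACCEPT     udp  --  192.168.0.50         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.186.60_10.35.186.61 */
ACCEPT     udp  --  192.168.0.51         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.186.60_10.35.186.62 */
"""


def tunnel_iface(answer_text):
    """Interface named by CONFIG_NEUTRON_OVS_TUNNEL_IF, or None if unset (comments skipped)."""
    for line in answer_text.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            return m.group(1)
    return None


def iface_subnet(ip_a_text, iface):
    """IPv4 network of `iface` taken from `ip a` output, or None if it has no address."""
    current = None
    for line in ip_a_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        parts = line.split()
        if current == iface and len(parts) >= 2 and parts[0] == "inet":
            return ipaddress.ip_interface(parts[1]).network
    return None


def tunnel_rules(iptables_text):
    """All neutron_tunnel ACCEPT rules as dicts (proto, src, dst, local, remote)."""
    return [m.groupdict() for m in map(RULE_RE.match, iptables_text.splitlines()) if m]


def misplaced_rules(rules, subnet):
    """Rules whose source (the remote tunnel peer) is not inside the tunnel subnet.
    Such a rule admits no real VXLAN/GRE peer and opens the port to the wrong network."""
    return [r for r in rules
            if not ipaddress.ip_network(r["src"], strict=False).subnet_of(subnet)]


def check(answer_text, ip_a_text, iptables_text):
    """Return (tunnel_subnet, all_tunnel_rules, misplaced_rules)."""
    iface = tunnel_iface(answer_text)
    subnet = iface_subnet(ip_a_text, iface) if iface else None
    if subnet is None:
        raise ValueError("no IPv4 subnet found for CONFIG_NEUTRON_OVS_TUNNEL_IF=%r" % iface)
    rules = tunnel_rules(iptables_text)
    return subnet, rules, misplaced_rules(rules, subnet)


def main(answer_file):
    """Run the check on the live host (as root); exit 1 if any rule is on the wrong network."""
    with open(answer_file) as f:
        answers = f.read()
    ip_a = subprocess.run(["ip", "a"], capture_output=True, text=True, check=True).stdout
    ipt = subprocess.run(["iptables", "-nL"], capture_output=True, text=True, check=True).stdout
    subnet, rules, bad = check(answers, ip_a, ipt)
    print("tunnel subnet %s: %d neutron_tunnel rules, %d on the wrong network"
          % (subnet, len(rules), len(bad)))
    for r in bad:
        print("  %s from %s (comment %s -> %s)" % (r["proto"], r["src"], r["local"], r["remote"]))
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "answer_file_current"))
```

Run it as root on every node that takes part in tunnelling, not only the controller. Because it keys on packstack's rule comment rather than on port 4789, the same check covers GRE rules. The Kilo output in comment 10 shows why the source column, not the comment, is what to compare: after the fix the comments still carry the eth0 addresses while the rules correctly admit the eth2 peers.
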
Comment 10 Roey Dekel 2015-06-14 10:51:48 UTC
Verified on Kilo with:

Version-Release number of selected component:
---------------------------------------------
Puddle: 2015-06-12.1
openstack-packstack-2015.1-0.3.dev1565.gd1211af.el7ost.noarch

Steps to Reproduce as described in the Description.

Results:
--------
As expected:

[root@controller ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:0a:8c:1f brd ff:ff:ff:ff:ff:ff
    inet 10.35.186.60/23 brd 10.35.187.255 scope global dynamic eth0
       valid_lft 79443sec preferred_lft 79443sec
    inet6 fe80::f816:3eff:fe0a:8c1f/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:09:5e:78 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f816:3eff:fe09:5e78/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:cf:cc:1e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.49/24 brd 192.168.0.255 scope global dynamic eth2
       valid_lft 79443sec preferred_lft 79443sec
    inet6 fe80::f816:3eff:fecf:cc1e/64 scope link 
       valid_lft forever preferred_lft forever

[root@controller ~]# iptables -nL | grep neutron_tunnel
ACCEPT     udp  --  192.168.0.50         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.186.60_10.35.186.61 */
ACCEPT     udp  --  192.168.0.51         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.186.60_10.35.186.62 */
ACCEPT     udp  --  192.168.0.52         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.186.60_10.35.186.63 */
ACCEPT     udp  --  192.168.0.53         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.186.60_10.35.186.64 */

Comments:
---------
Neutron tunnel udp ports were allowed on all hosts as expected.

Comment 11 Ivan Chavero 2015-06-18 19:31:58 UTC
*** Bug 1188366 has been marked as a duplicate of this bug. ***

Comment 13 errata-xmlrpc 2015-08-05 13:22:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1548