Bug 1227760
Summary: | Overcloud: The firewall is not being set on the overcloud nodes. | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Leonid Natapov <lnatapov> |
Component: | openstack-tripleo-heat-templates | Assignee: | James Slagle <jslagle> |
Status: | CLOSED ERRATA | QA Contact: | Gurenko Alex <agurenko> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | Director | CC: | ahrechan, hbrock, jcoufal, mburns, nkinder, nlevinki, oblaut, racedoro, rcritten, rduartes, rhel-osp-director-maint, skinjo, tvignaud |
Target Milestone: | beta | Keywords: | TestOnly, Triaged |
Target Release: | 12.0 (Pike) | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-12-13 20:33:46 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Leonid Natapov
2015-06-03 12:44:41 UTC
For reference, here is the output in OSP 10 (controller node):

[heat-admin@controller-0 ~]$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8042 /* 100 aodh_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13042 /* 100 aodh_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8777 /* 100 ceilometer_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13777 /* 100 ceilometer_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8776 /* 100 cinder_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13776 /* 100 cinder_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9292 /* 100 glance_api_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13292 /* 100 glance_api_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9191 /* 100 glance_registry_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* 100 glance_registry_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8041 /* 100 gnocchi_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13041 /* 100 gnocchi_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8004 /* 100 heat_api_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13004 /* 100 heat_api_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8000 /* 100 heat_cfn_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13005 /* 100 heat_cfn_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8003 /* 100 heat_cloudwatch_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13003 /* 100 heat_cloudwatch_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 35357 /* 100 keystone_admin_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13357 /* 100 keystone_admin_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5000 /* 100 keystone_public_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13000 /* 100 keystone_public_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9696 /* 100 neutron_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13696 /* 100 neutron_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8775 /* 100 nova_metadata_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            /* 100 nova_metadata_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6080 /* 100 nova_novncproxy_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13080 /* 100 nova_novncproxy_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8774 /* 100 nova_osapi_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13774 /* 100 nova_osapi_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8386 /* 100 sahara_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13386 /* 100 sahara_haproxy_ssl */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8080 /* 100 swift_proxy_server_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13808 /* 100 swift_proxy_server_haproxy_ssl */ state NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain nova-api-FORWARD (1 references)
target     prot opt source               destination

Chain nova-api-INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.110           tcp dpt:8775

Chain nova-api-OUTPUT (1 references)
target     prot opt source               destination

Chain nova-api-local (1 references)
target     prot opt source               destination

Chain nova-filter-top (2 references)
target     prot opt source               destination
nova-api-local  all  --  0.0.0.0/0            0.0.0.0/0

QA: verify that there is a default drop all rule in the INPUT chain. All traffic that does not match an earlier explicit rule should be dropped by the drop all rule.

puppet-tripleo-7.4.3-0.20171025110206.el7ost.noarch on controller-0

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* 000 accept related established rules ipv4 */
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state NEW /* 001 accept all icmp ipv4 */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW /* 002 accept all to lo interface ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22 state NEW /* 003 accept ssh ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8042 state NEW /* 100 aodh_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13042 state NEW /* 100 aodh_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8776 state NEW /* 100 cinder_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13776 state NEW /* 100 cinder_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9292 state NEW /* 100 glance_api_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13292 state NEW /* 100 glance_api_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8041 state NEW /* 100 gnocchi_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13041 state NEW /* 100 gnocchi_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8004 state NEW /* 100 heat_api_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13004 state NEW /* 100 heat_api_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8000 state NEW /* 100 heat_cfn_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13005 state NEW /* 100 heat_cfn_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 35357 state NEW /* 100 keystone_admin_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5000 state NEW /* 100 keystone_public_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13000 state NEW /* 100 keystone_public_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 3306 state NEW /* 100 mysql_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9696 state NEW /* 100 neutron_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13696 state NEW /* 100 neutron_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8775 state NEW /* 100 nova_metadata_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6080 state NEW /* 100 nova_novncproxy_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13080 state NEW /* 100 nova_novncproxy_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8774 state NEW /* 100 nova_osapi_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13774 state NEW /* 100 nova_osapi_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8778 state NEW /* 100 nova_placement_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13778 state NEW /* 100 nova_placement_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8977 state NEW /* 100 panko_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13977 state NEW /* 100 panko_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6379 state NEW /* 100 redis_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8080 state NEW /* 100 swift_proxy_server_haproxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 13808 state NEW /* 100 swift_proxy_server_haproxy_ssl ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 873,3123,3306,4444,4567,4568,9200 state NEW /* 104 mysql galera-bundle ipv4 */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 123 state NEW /* 105 ntp ipv4 */
ACCEPT     112  --  0.0.0.0/0            0.0.0.0/0            state NEW /* 106 neutron_l3 vrrp ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 1993 state NEW /* 107 haproxy stats ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 3124,6379,26379 state NEW /* 108 redis-bundle ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 3122,4369,5672,25672 state NEW /* 109 rabbitmq-bundle ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5000,13000,35357,13357 state NEW /* 111 keystone ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9292,13292 state NEW /* 112 glance_api ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8773,3773,8774,13774,8775 state NEW /* 113 nova_api ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9696,13696 state NEW /* 114 neutron api ipv4 */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 67 state NEW /* 115 neutron dhcp input ipv4 */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 4789 state NEW /* 118 neutron vxlan networks ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8776,13776 state NEW /* 119 cinder ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 3260 state NEW /* 120 iscsi initiator ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 11211 state NEW /* 121 memcached ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8080,13808 state NEW /* 122 swift proxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 873,6000,6001,6002 state NEW /* 123 swift storage ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8004,13004 state NEW /* 125 heat_api ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8000,13800 state NEW /* 125 heat_cfn ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 state NEW /* 127 horizon ipv4 */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 161 state NEW /* 127 snmp ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8042,13042 state NEW /* 128 aodh-api ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8041,13041 state NEW /* 129 gnocchi-api ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 2224,3121,21064 state NEW /* 130 pacemaker tcp ipv4 */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5405 state NEW /* 131 pacemaker udp ipv4 */
ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0            /* 136 neutron gre networks ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6080,13080 state NEW /* 137 nova_vnc_proxy ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8778,13778 state NEW /* 138 nova_placement ipv4 */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8125 state NEW /* 140 gnocchi-statsd ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8977,13977 state NEW /* 140 panko-api ipv4 */
LOG        all  --  0.0.0.0/0            0.0.0.0/0            state NEW /* 998 log all ipv4 */ LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state NEW /* 999 drop all ipv4 */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 68 state NEW /* 116 neutron dhcp output ipv4 */

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462
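The verification step QA asked for in the comments above (a catch-all drop rule at the end of INPUT) can be automated over the output of `iptables -L -n`. The script below is an added example, not part of the bug report or of TripleO: it parses the listing into chains, reports whether INPUT carries a catch-all DROP, which destination ports the ACCEPT rules open, whether any rule is shadowed by the DROP, and whether some traffic can still fall through to the chain policy. The two sample listings are constructed, trimmed-down versions of the "before" (OSP 10) and "after" (puppet-tripleo-7.4.3) output quoted in the comments.

```python
"""Audit an `iptables -L -n` listing for the catch-all DROP that the fixed
templates are expected to install at the end of the INPUT chain.
Added example; the sample listings are constructed, trimmed down from the bug."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    target: str
    proto: str
    source: str
    destination: str
    extra: str = ""                 # everything after the destination column
    comment: Optional[str] = None   # text of the /* ... */ comment, if any


@dataclass
class Chain:
    name: str
    policy: Optional[str]           # None for user-defined chains ("N references")
    rules: List[Rule] = field(default_factory=list)


CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")
COMMENT_RE = re.compile(r"/\*\s*(.*?)\s*\*/")
PORTS_RE = re.compile(r"(?:dports|dpt:)\s*([\d,:]+)")   # multiport dports a,b | dpt:n


def parse_iptables_list(listing: str) -> Dict[str, Chain]:
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith("target "):   # blank line or column header
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if current is None:
            continue
        parts = line.split(None, 5)   # target prot opt source destination [extra]
        if len(parts) < 5:
            continue
        extra = parts[5] if len(parts) > 5 else ""
        cm = COMMENT_RE.search(extra)
        current.rules.append(Rule(parts[0], parts[1], parts[3], parts[4], extra,
                                  cm.group(1) if cm else None))
    return chains


def accepted_ports(chain: Chain) -> set:
    """Destination ports opened by ACCEPT rules in the chain (ranges expanded)."""
    ports = set()
    for r in chain.rules:
        m = PORTS_RE.search(r.extra) if r.target == "ACCEPT" else None
        if not m:
            continue
        for tok in m.group(1).split(","):
            lo, _, hi = tok.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def is_catch_all_drop(r: Rule) -> bool:
    return (r.target in ("DROP", "REJECT") and r.proto == "all"
            and r.source == "0.0.0.0/0" and r.destination == "0.0.0.0/0")


def audit_input_chain(listing: str) -> dict:
    inp = parse_iptables_list(listing).get("INPUT")
    if inp is None:
        raise ValueError("listing has no INPUT chain")
    drop_idx = next((i for i, r in enumerate(inp.rules) if is_catch_all_drop(r)), None)
    state_limit = None
    if drop_idx is not None:
        sm = re.search(r"state (\S+)", inp.rules[drop_idx].extra)
        state_limit = sm.group(1) if sm else None
    return {
        "policy": inp.policy,
        "has_catch_all_drop": drop_idx is not None,
        # A DROP qualified with "state NEW" still lets conntrack-INVALID packets
        # fall through to the chain policy, so that case is flagged too.
        "drop_state_limit": state_limit,
        "unmatched_hits_policy": inp.policy == "ACCEPT"
                                 and (drop_idx is None or state_limit is not None),
        "unreachable_rules": [r.comment or r.target for r in inp.rules[drop_idx + 1:]]
                             if drop_idx is not None else [],
        "accepted_ports": sorted(accepted_ports(inp)),
    }


# Constructed samples, trimmed from the listings quoted in the bug.
BEFORE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8042 /* 100 aodh_haproxy */ state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5000 /* 100 keystone_public_haproxy */ state NEW

Chain nova-api-INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.110           tcp dpt:8775
"""

AFTER = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* 000 accept related established rules ipv4 */
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            state NEW /* 001 accept all icmp ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22 state NEW /* 003 accept ssh ipv4 */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5000,13000,35357,13357 state NEW /* 111 keystone ipv4 */
LOG        all  --  0.0.0.0/0            0.0.0.0/0            state NEW /* 998 log all ipv4 */ LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state NEW /* 999 drop all ipv4 */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
"""

if __name__ == "__main__":
    for label, listing in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_input_chain(listing))
```

On a live node the listing comes from `sudo iptables -L -n` (IPv6 needs a separate `ip6tables` run, which this parser does not cover). Note that the "999 drop all" rule on the fixed node is itself qualified with `state NEW` and the chain policy stays ACCEPT, so the audit reports `unmatched_hits_policy` as true for both listings; the difference that matters is `has_catch_all_drop`.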