Bug 1286756
| Field | Value |
|---|---|
| Summary | multiple ports not allowed in undercloud firewall |
| Product | Red Hat OpenStack |
| Component | instack-undercloud |
| Version | 7.0 (Kilo) |
| Reporter | Ronnie Rasouli <rrasouli> |
| Assignee | James Slagle <jslagle> |
| QA Contact | yeylon <yeylon> |
| CC | athomas, bnemec, dmacpher, jslagle, kbasil, mburns, mcornea, morazi, rhel-osp-director-maint, sasha, srevivo |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Target Milestone | y3 |
| Target Release | 7.0 (Kilo) |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | instack-undercloud-2.1.2-37.el7ost |
| Doc Type | Bug Fix |
| Doc Text | The firewall configuration for the Undercloud lacked certain ports, which resulted in dropped packets for Internal API messages. This fix adds the missing ports (13000, 13774, 13696, 13385, 13292, 13696, 13004, 13080, 13385) to the Undercloud's firewall rules. The Internal API now accepts messages on these ports. |
| | 1286769 1286773 1299079 |
| Bug Blocks | 1286769, 1286773, 1299079 |
| Type | Bug |
| Last Closed | 2016-02-18 16:47:29 UTC |
Description
Ronnie Rasouli
2015-11-30 16:32:21 UTC
port 13000 is keystone's public endpoint port when deploying the undercloud with ssl. Consolidating the missing ports:
13000, 13774, 13696, 13385, 13292, 13696, 13004, 13080, 13385
keystone endpoint-list
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
'python-keystoneclient.', DeprecationWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SecurityWarning
+----------------------------------+-----------+-----------------------------------------------+---------------------------------------------+----------------------------------------+----------------------------------+
| id | region | publicurl | internalurl | adminurl | service_id |
+----------------------------------+-----------+-----------------------------------------------+---------------------------------------------+----------------------------------------+----------------------------------+
| 0e6dbff43c0f43b39c9ea606bb612e74 | regionOne | https://192.0.2.2:13292/ | http://192.0.2.1:9292/ | http://192.0.2.1:9292/ | 8f3d68c651e64abcacff939cc3e77245 |
| 23a01b9d81e24e44b255f481d59617d4 | regionOne | http://192.0.2.2:8585/v2 | http://192.0.2.1:8585/v2 | http://192.0.2.1:8585/v2 | dfd27b8e912949c4b0946330883d55b8 |
| 2bb46bd274fa41ef88e5e42af7d69432 | regionOne | http://192.0.2.2:8777/ | http://192.0.2.1:8777/ | http://192.0.2.1:8777/ | 4e228453b4bd41b2b9a8b6acf63e3197 |
| 4555589b38504792b251d23ad08a6f55 | regionOne | https://192.0.2.2:13000/v2.0 | http://192.0.2.1:5000/v2.0 | http://192.0.2.1:35357/v2.0 | fa911f9b55284df789ce6edd3cbba2c2 |
| a0797448a50e4317a667c1926a10100a | regionOne | https://192.0.2.2:13080/v1/AUTH_%(tenant_id)s | http://192.0.2.1:8080/v1/AUTH_%(tenant_id)s | http://192.0.2.1:8080/v1 | 96f2665eec6942908942d708728ce140 |
| a684c541b0d84c468309f4ba05fc2295 | regionOne | https://192.0.2.2:13696/ | http://192.0.2.1:9696/ | http://192.0.2.1:9696/ | 43b0c0a9c63a4058a578b917b7a9c09a |
| d830525addd346558a10cccf0b2d1e40 | regionOne | https://192.0.2.2:13004/v1/%(tenant_id)s | http://192.0.2.1:8004/v1/%(tenant_id)s | http://192.0.2.1:8004/v1/%(tenant_id)s | 734b8fd4d1404a4f885ebff96cb71b3a |
| de3e8f33c9e045ca96b995982c1d2b56 | regionOne | https://192.0.2.2:13774/v3 | http://192.0.2.1:8774/v3 | http://192.0.2.1:8774/v3 | a8875b4558b44cdf97a3744a57592974 |
| e87a1703f9134ee49f1ccf5267397953 | regionOne | https://192.0.2.2:13385/ | http://192.0.2.1:6385/ | http://192.0.2.1:6385/ | 5cdcaa87ec034c9e920f0745b2dedfa0 |
| f3248a8f46ff4ed0bb93371ce3b8e1ee | regionOne | https://192.0.2.2:13774/v2/$(tenant_id)s | http://192.0.2.1:8774/v2/$(tenant_id)s | http://192.0.2.1:8774/v2/$(tenant_id)s | 203f0ab336cd4d8cbd2d7e3496085d07 |
+----------------------------------+-----------+-----------------------------------------------+---------------------------------------------+----------------------------------------+----------------------------------+
The current iptables firewall rules:
-A INPUT -j nova-api-INPUT
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -p tcp -m tcp --dport 8777 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8779 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8000,8003,8004 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5672 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6385 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9191 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9292 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9696 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8088 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8585 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5050 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -d 192.168.122.0/24 -j ACCEPT
-A FORWARD -d 192.0.2.0/24 -j ACCEPT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A discovery -j ACCEPT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
-A nova-api-INPUT -d 192.0.2.1/32 -p tcp -m tcp --dport 8775 -j ACCEPT
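The mismatch this report describes, a public SSL endpoint listening on a port that no rule in the INPUT chain accepts, is easy to catch by cross-checking the endpoint catalogue against the firewall. The following Python script is an added example, not code from the bug report or from instack-undercloud: it parses a `keystone endpoint-list` table and an `iptables-save`-style rule listing (both constructed below from the data quoted in this report, abridged), expands `--dports` lists and ranges, and returns the public endpoint ports that no direct INPUT ACCEPT rule opens. Against the pre-fix rules it reports the seven distinct ports the workaround comment opens; against the rules verified in instack-undercloud-2.1.2-37.el7ost it reports none.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: `keystone endpoint-list` output from the report, abridged
# (ids shortened, adminurl/service_id columns dropped); the URLs are as reported.
ENDPOINT_LIST = """\
+------+-----------+-----------------------------------------------+---------------------------------------------+
| id   | region    | publicurl                                     | internalurl                                 |
| 0e6d | regionOne | https://192.0.2.2:13292/                      | http://192.0.2.1:9292/                      |
| 23a0 | regionOne | http://192.0.2.2:8585/v2                      | http://192.0.2.1:8585/v2                    |
| 2bb4 | regionOne | http://192.0.2.2:8777/                        | http://192.0.2.1:8777/                      |
| 4555 | regionOne | https://192.0.2.2:13000/v2.0                  | http://192.0.2.1:5000/v2.0                  |
| a079 | regionOne | https://192.0.2.2:13080/v1/AUTH_%(tenant_id)s | http://192.0.2.1:8080/v1/AUTH_%(tenant_id)s |
| a684 | regionOne | https://192.0.2.2:13696/                      | http://192.0.2.1:9696/                      |
| d830 | regionOne | https://192.0.2.2:13004/v1/%(tenant_id)s      | http://192.0.2.1:8004/v1/%(tenant_id)s      |
| de3e | regionOne | https://192.0.2.2:13774/v3                    | http://192.0.2.1:8774/v3                    |
| e87a | regionOne | https://192.0.2.2:13385/                      | http://192.0.2.1:6385/                      |
| f324 | regionOne | https://192.0.2.2:13774/v2/$(tenant_id)s      | http://192.0.2.1:8774/v2/$(tenant_id)s      |
+------+-----------+-----------------------------------------------+---------------------------------------------+
"""

# Constructed sample: the undercloud INPUT rules quoted in the report before the
# fix (abridged to the lines that matter for the check).
RULES_BEFORE = """\
-A INPUT -j nova-api-INPUT
-A INPUT -p tcp -m tcp --dport 8777 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8000,8003,8004 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9696 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8585 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Constructed sample: the rules as verified in instack-undercloud-2.1.2-37 (abridged).
RULES_AFTER = """\
-A INPUT -p tcp -m tcp --dport 8777 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8000,8003,8004,13800,13003,13004 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6385,13385 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9292,13292 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080,13080 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696,13696 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357,13000,13357 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775,13773,13774,13775 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8585 -j ACCEPT
"""

PORT_SPEC = re.compile(r"--dports? (\S+)")


def accepted_tcp_ports(rules):
    """TCP ports opened by ACCEPT rules placed directly in the INPUT chain.
    Jumps into user chains (e.g. nova-api-INPUT) are not followed, so the
    result is conservative: a port only a sub-chain accepts is reported closed."""
    ports = set()
    for line in rules.splitlines():
        args = line.split()
        if args[:2] != ["-A", "INPUT"] or args[-1] != "ACCEPT":
            continue
        if "-p" in args and args[args.index("-p") + 1] != "tcp":
            continue                      # udp/icmp rules do not open TCP ports
        spec = PORT_SPEC.search(line)
        if spec is None:                  # e.g. the RELATED,ESTABLISHED rule
            continue
        for item in spec.group(1).split(","):
            lo, _, hi = item.partition(":")   # "5900:5999" is a range
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def public_endpoint_ports(table):
    """Map each port named in a publicurl to the URLs served on it."""
    header, by_port = None, {}
    for line in table.splitlines():
        if not line.startswith("|"):
            continue                      # skip the +----+ border lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells                # first pipe row names the columns
            continue
        raw = cells[header.index("publicurl")]
        url = urlsplit(raw)
        port = url.port or (443 if url.scheme == "https" else 80)
        by_port.setdefault(port, []).append(raw)
    return by_port


def unreachable_endpoints(table, rules):
    """Public endpoints whose port no direct INPUT ACCEPT rule opens."""
    open_ports = accepted_tcp_ports(rules)
    return {p: u for p, u in public_endpoint_ports(table).items() if p not in open_ports}


if __name__ == "__main__":
    for label, rules in (("before fix", RULES_BEFORE), ("after fix", RULES_AFTER)):
        missing = unreachable_endpoints(ENDPOINT_LIST, rules)
        print(f"{label}: public endpoint ports not accepted by INPUT: {sorted(missing) or 'none'}")
```

On a real undercloud the two inputs come from `iptables-save` and the endpoint list; the check deliberately looks only at rules placed directly in INPUT, so a port that is accepted inside a jumped-to chain, or only from a particular source or interface, shows up for manual review rather than being silently trusted.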
*** Bug 1286769 has been marked as a duplicate of this bug. ***

WORKAROUND:
iptables -I INPUT -p tcp -m multiport --dports 13000,13774,13696,13385,13292,13696,13004,13080,13385 -j ACCEPT

Verified on instack-undercloud-2.1.2-37.el7ost.noarch, undercloud in this build has added the missing ports to its iptables
-A INPUT -i br-ctlplane -p udp -m udp --dport 67 -j discovery
-A INPUT -j nova-api-INPUT
-A INPUT -p tcp -m tcp --dport 8777 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8779 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080,13808 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8000,8003,8004,13800,13003,13004 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5672 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6385,13385 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9191 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9292,13292 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080,13080 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696,13696 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357,13000,13357 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775,13773,13774,13775 -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8088 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8585 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5050 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A FORWARD -d 192.168.122.0/24 -j ACCEPT
-A FORWARD -d 192.0.2.0/24 -j ACCEPT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A discovery -j ACCEPT
-A nova-api-INPUT -d 192.0.2.1/32 -p tcp -m tcp --dport 8775 -j ACCEPT

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-0264.html