Bug 1304441

Summary: Ceilometer public API SSL port(13777) is not allowed in the undercloud firewall
Product: Red Hat OpenStack
Reporter: Marius Cornea <mcornea>
Component: instack-undercloud
Assignee: Emilien Macchi <emacchi>
Status: CLOSED ERRATA
QA Contact: Marius Cornea <mcornea>
Severity: high
Priority: unspecified
Version: 7.0 (Kilo)
CC: dbecker, dmacpher, emacchi, jslagle, mburns, morazi, rhel-osp-director-maint
Target Milestone: y3
Target Release: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: instack-undercloud-2.1.2-38.el7ost
Doc Type: Bug Fix
Doc Text:
The Undercloud's firewall lacked a port for Ceilometer's Public API over SSL. This fix adds the port (13777) to the Undercloud's installation script. Now Ceilometer accepts Public API requests over SSL.
Last Closed: 2016-02-18 16:52:16 UTC
Type: Bug

Description Marius Cornea 2016-02-03 15:57:29 UTC
Description of problem:
Ceilometer public API SSL port is not allowed in the undercloud firewall.

Version-Release number of selected component (if applicable):
instack-undercloud-2.1.2-37.el7ost.noarch

How reproducible:
100%

Service: metering
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminURL  |      http://192.0.2.1:8777/      |
|      id     | 2c30baa37bc84927b1933b2cde907769 |
| internalURL |      http://192.0.2.1:8777/      |
|  publicURL  |     https://192.0.2.2:13777/     |
|    region   |            regionOne             |
+-------------+----------------------------------+

stack@instack:~>>> sudo iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
discovery  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
neutron-openvswi-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8777
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8779
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8080,13808
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8000,8003,8004,13800,13003,13004
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5672
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6385,13385
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9191
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9292,13292
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5900:5999
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6080,13080
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9696,13696
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5000,35357,13000,13357
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8773,8774,8775,13773,13774,13775
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:69
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8088
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8585
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5050
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

To add it:

# sudo iptables -I INPUT -p tcp -m tcp --dport 13777 -j ACCEPT

Comment 2 Marius Cornea 2016-02-16 18:24:55 UTC
instack-undercloud-2.1.2-39.el7ost.noarch

[stack@instack ~]$ sudo iptables -nL INPUT | grep 13777
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8777,13777
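
An added example, not part of the bug report or of instack-undercloud: the grep check above generalized to every endpoint URL of a catalog entry, run against a trimmed `iptables -nL INPUT` listing constructed from the output in this report. The function names are hypothetical, and the bare `ACCEPT all` rule is assumed to be interface-bound, because `-nL` without `-v` does not show interface matches.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data, modelled on the catalog entry and listing in this report.
ENDPOINTS = {
    "adminURL": "http://192.0.2.1:8777/",
    "internalURL": "http://192.0.2.1:8777/",
    "publicURL": "https://192.0.2.2:13777/",
}
IPTABLES_BEFORE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8777
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5900:5999
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""
IPTABLES_AFTER = IPTABLES_BEFORE.replace("tcp dpt:8777", "multiport dports 8777,13777")

PORT_MATCH = re.compile(r"\b(?:dpt:|dports )([\d:,]+)")

def accepted_tcp_ranges(listing):
    """(low, high) TCP port ranges accepted before the first catch-all REJECT/DROP."""
    ranges = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("ACCEPT", "REJECT", "DROP"):
            continue  # headers and jumps to sub-chains that the listing does not expand
        target, proto = fields[0], fields[1]
        match = PORT_MATCH.search(" ".join(fields[5:]))
        if target != "ACCEPT":
            if proto == "all" and not match:
                break  # nothing after a catch-all REJECT/DROP is reached
            continue
        # Assumption: a bare "ACCEPT all" is interface-bound (-nL without -v hides
        # -i lo), so only rules with an explicit TCP port match count as open.
        if proto == "tcp" and match:
            for part in match.group(1).split(","):
                low, _, high = part.partition(":")
                ranges.append((int(low), int(high or low)))
    return ranges

def blocked_endpoints(endpoints, listing):
    """Endpoint name -> port for each URL (explicit port assumed) no ACCEPT rule covers."""
    ranges = accepted_tcp_ranges(listing)
    ports = {name: urlsplit(url).port for name, url in endpoints.items()}
    return {name: port for name, port in ports.items()
            if not any(low <= port <= high for low, high in ranges)}
```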

Comment 4 errata-xmlrpc 2016-02-18 16:52:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0264.html