Bug 1349479

Summary: Packstack fails to configure correct IPTABLE rules
Product: [Community] RDO
Reporter: GenadiC <gcheresh>
Component: openstack-packstack
Assignee: Ivan Chavero <ichavero>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: nlevinki <nlevinki>
Severity: high
Docs Contact:
Priority: unspecified
Version: Mitaka
CC: aortega, apevec, derekh, gcheresh, oblaut, srevivo
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: x86_64
OS: Linux
Last Closed: 2016-06-28 22:03:55 UTC
Type: Bug

Description GenadiC 2016-06-23 14:03:14 UTC
Description of problem:
When installing version 9 with packstack with one compute and one controller on 2 different machines, we get a timeout error on the compute node for RabbitMQ.
Changing the iptables rules on the controller (iptables -P INPUT ACCEPT) makes it work.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Use packstack for installation (controller on one phy machine and compute on another one)
2. Run iptables -S on controller
3. Check for error messages on compute node

Actual results:
Checking on the compute node you get: ERROR oslo.messaging._drivers.impl_rabbit [req-e1beb31c-9d6a-4dc2-9be4-4022f2c0e6d6 - - - - -] AMQP server on 10.35.160.29:5672 is unreachable: timed out.

Expected results:
The communication between controller and compute should work

Additional info:

On the controller the following iptables rules caused the problem:
iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "001 QA incoming SSH" -j ACCEPT
-A INPUT -p icmp -m comment --comment "002 QA incoming ICMP" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "003 QA incoming related session exist the host" -j ACCEPT
-A INPUT -i lo -m comment --comment "004 QA incoming loopback" -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m comment --comment "005 QA incoming DNS" -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -m comment --comment "006 QA incoming NTP" -j ACCEPT


The problem was solved only when we ran: iptables -P INPUT ACCEPT

Comment 3 Alan Pevec 2016-06-28 22:03:55 UTC
Those firewall rules do not look like Packstack generated,
but amqp ports are added in the packstack manifest:

https://github.com/openstack/packstack/blob/stable/mitaka/packstack/plugins/amqp_002.py#L199-L212

You could provide packstack answer file for further inspection, for now I'm closing it as not reproducible.
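
The ruleset quoted in the description has a default INPUT policy of DROP and no rule that admits new TCP connections to port 5672, which is consistent with the reported timeout. The sketch below is an added example, not part of the bug report or of Packstack: it evaluates `iptables -S` output with a simplified first-match model so the gap can be checked before a compute node is attached. The function names, the 192.0.2.x addresses and the extra AMQP rule are constructed for illustration.

```python
import ipaddress
import shlex

# Controller ruleset as quoted in the bug description (iptables -S output).
RULES = '''\
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "001 QA incoming SSH" -j ACCEPT
-A INPUT -p icmp -m comment --comment "002 QA incoming ICMP" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "003 QA incoming related session exist the host" -j ACCEPT
-A INPUT -i lo -m comment --comment "004 QA incoming loopback" -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m comment --comment "005 QA incoming DNS" -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -m comment --comment "006 QA incoming NTP" -j ACCEPT
'''
# Constructed rule (not from the page): AMQP allowed from one placeholder compute-node address.
AMQP_RULE = '-A INPUT -s 192.0.2.10/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "constructed AMQP" -j ACCEPT\n'

def _port_in(spec, port):
    """True if port falls in an iptables port spec such as '22', '5671,5672' or '1000:2000'."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def verdict(rules_text, proto, dport, src="192.0.2.10", iface="eth0", chain="INPUT"):
    """First-match verdict for a NEW packet arriving on iface from an ephemeral source port."""
    policy = None
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", chain]:
            policy = tok[2]
        if tok[:2] != ["-A", chain]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))  # assumes every option takes one value, no "!"
        dports = opts.get("--dport") or opts.get("--dports")
        if ("-p" in opts and opts["-p"] != proto
                or dports and not (dport and _port_in(dports, dport))
                or "--sport" in opts            # ephemeral source port never equals 53/123
                or "-i" in opts and opts["-i"] != iface
                or "--state" in opts and "NEW" not in opts["--state"].split(",")
                or "-s" in opts and ipaddress.ip_address(src)
                not in ipaddress.ip_network(opts["-s"], strict=False)):
            continue
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"], line
    return policy, f"-P {chain} {policy}"
```

The model does not follow jumps into user-defined chains or handle negated matches, so treat a verdict as a first check and confirm against the live ruleset.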