Bug 1397964

Summary: Controller nodes block GRE tunnelling
Product: Red Hat OpenStack
Reporter: Jakub Libosvar <jlibosva>
Component: puppet-tripleo
Assignee: Brent Eagles <beagles>
Status: CLOSED ERRATA
QA Contact: nlevinki <nlevinki>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 10.0 (Newton)
CC: afazekas, amuller, beagles, dbecker, jjoyce, jschluet, jslagle, mburns, mcornea, mkrcmari, morazi, nyechiel, rhel-osp-director-maint, slinaber, tvignaud
Target Milestone: rc
Keywords: AutomationBlocker, Regression, Triaged
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: puppet-tripleo-5.4.0-3.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-14 16:34:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jakub Libosvar 2016-11-23 17:03:00 UTC
Description of problem:
Controller nodes have the following iptables rule for allowing GRE tunnelling for Neutron:
-A INPUT -p gre -m comment --comment "136 neutron gre networks" -m state --state NEW -j ACCEPT

But GRE doesn't support conntrack, which means this rule won't get matched and all GRE packets coming to controller nodes are rejected, including DHCP discoveries, so the impact is that instances never get an IP.

The iptables rule shouldn't use -m state and should allow all GRE packets.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-5.1.0-3.el7ost.noarch

How reproducible:
Always

Steps to Reproduce:
1. Deploy OSP 10 with director
2. Create GRE tenant network
3. Boot instance on GRE network

Actual results:
Instance won't get an IP address because GRE packets on controllers are dropped.

Expected results:


Additional info:
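
As an added example (not part of this bug report, of puppet-tripleo, or of the upstream fix), the check below scans iptables-save style rules for the pattern the description identifies: a rule that matches GRE (`-p gre` or protocol number 47) and also carries a `-m state --state ...` or `-m conntrack --ctstate ...` match, which the report says can never match because GRE is not connection-tracked. For each such rule it produces the corrected form the report asks for, the same rule with the state match removed. The sample rule list is constructed for the example; only the first entry is the rule quoted in the description, the others are made-up neighbours to show that stateful TCP/UDP rules and an already stateless GRE rule are left alone.

```python
import re
import shlex

# Protocols the report describes as having no conntrack support: a state
# match on them never sees a tracked state, so the rule silently fails to
# match and the packets fall through to the chain's final REJECT/DROP.
STATELESS_PROTOS = {"gre", "47"}

# Matches either spelling of a state requirement as iptables-save emits it.
STATE_MATCH_RE = re.compile(r"-m\s+(state|conntrack)\s+--(state|ctstate)\s+\S+")

# Constructed sample input (not taken from any real controller). Entry 0 is
# the rule quoted in the bug; the rest are hypothetical neighbours.
SAMPLE_RULES = [
    '-A INPUT -p gre -m comment --comment "136 neutron gre networks" -m state --state NEW -j ACCEPT',
    '-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "003 accept ssh" -m state --state NEW -j ACCEPT',
    '-A INPUT -p udp -m multiport --dports 4789 -m comment --comment "118 neutron vxlan networks" -m state --state NEW -j ACCEPT',
    '-A INPUT -p gre -m comment --comment "136 neutron gre networks" -j ACCEPT',
]


def rule_protocol(rule: str):
    """Return the value of -p/--protocol in a rule, lower-cased, or None."""
    tokens = shlex.split(rule)  # shlex keeps the quoted --comment text as one token
    for i, tok in enumerate(tokens):
        if tok in ("-p", "--protocol") and i + 1 < len(tokens):
            return tokens[i + 1].lower()
    return None


def is_stateful_gre_rule(rule: str) -> bool:
    """True when a rule matches GRE and also requires a conntrack state."""
    return rule_protocol(rule) in STATELESS_PROTOS and STATE_MATCH_RE.search(rule) is not None


def fix_rule(rule: str) -> str:
    """Drop the state match so the rule accepts every GRE packet, as the report requests."""
    without_state = STATE_MATCH_RE.sub("", rule)
    return re.sub(r"\s{2,}", " ", without_state).strip()


def audit(rules):
    """Return (original, corrected) pairs for every rule that needs fixing."""
    return [(r, fix_rule(r)) for r in rules if is_stateful_gre_rule(r)]


if __name__ == "__main__":
    # Typical use: feed the output of `iptables-save` line by line.
    for original, corrected in audit(SAMPLE_RULES):
        print("broken:   ", original)
        print("corrected:", corrected)
```

The check is deliberately narrow: it does not try to decide which other protocols lack conntrack support, it only flags the combination the report documents. To run it against a live host, pipe `iptables-save` into the script instead of `SAMPLE_RULES`.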

Comment 1 Brent Eagles 2016-11-24 20:43:08 UTC
Upstream patch against master has been submitted: https://review.openstack.org/#/c/401461/ 

It's passing CI, and visual inspection of the iptables file on CI nodes verifies the proper GRE rule. It needs to be merged before backporting to newton upstream. I'll update the external tracker once the newton backport has been submitted.

Comment 3 Marian Krcmarik 2016-11-26 10:49:43 UTC
I took the patch, patched puppet-tripleo in the overcloud-full image and redeployed the overcloud, and now it works correctly for me.

Comment 4 Brent Eagles 2016-11-28 13:44:48 UTC
Upstream patch https://review.openstack.org/402709 merged to newton upstream on Friday, Nov. 25.

Comment 8 errata-xmlrpc 2016-12-14 16:34:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html