Bug 1550976
| Summary: | newer versions of docker switch FORWARD chain to DROP by default [openstack-12] | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Mike Burns <mburns> |
| Component: | instack-undercloud | Assignee: | James Slagle <jslagle> |
| Status: | CLOSED ERRATA | QA Contact: | Gurenko Alex <agurenko> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 12.0 (Pike) | CC: | achernet, agurenko, apevec, aschultz, chjones, emacchi, gfidente, johfulto, jschluet, jslagle, mburns, mcornea, michele, michele, ohochman, psedlak, rhel-osp-director-maint, rscarazz, samccann, sasha, slinaber, tbarron, tonyb, tvignaud, yprokule |
| Target Milestone: | z2 | Keywords: | AutomationBlocker, Triaged, ZStream |
| Target Release: | 12.0 (Pike) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | instack-undercloud-7.4.9-2.el7ost | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1543580 | Environment: | |
| Last Closed: | 2018-03-28 17:32:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1543580, 1553848, 1553849 | | |
| Bug Blocks: | | | |
Comment 5
Alexander Chuzhoy
2018-03-08 15:18:52 UTC
(In reply to Alexander Chuzhoy from comment #5)
> FailedQA:
> Environment:
> instack-undercloud-7.4.9-2.el7ost.noarch
>
> [stack@undercloud-0 ~]$ sudo iptables -L FORWARD
> Chain FORWARD (policy DROP)
...
> ACCEPT all -- anywhere 192.168.24.0/24 state NEW /* 140 destination network cidr nat ipv4 */
...
> ACCEPT all -- 192.168.24.0/24 anywhere state NEW /* 140 source network cidr nat ipv4 */

Those rules + the RELATED,ESTABLISHED rule should allow traffic from and to the ctlplane and so we should be good no?

Apparently not enough: I'd suggest adding at least:

```
iptables -I FORWARD -p icmp -s 192.168.24.0/24 -j ACCEPT
iptables -I FORWARD -p icmp -d 192.168.24.0/24 -j ACCEPT
iptables -I FORWARD -p udp -s 192.168.24.0/24 -j ACCEPT
iptables -I FORWARD -p udp -d 192.168.24.0/24 -j ACCEPT
```

(In reply to Alexander Chuzhoy from comment #5)
> FailedQA:
> Environment:
> instack-undercloud-7.4.9-2.el7ost.noarch
>
> [stack@undercloud-0 ~]$ sudo iptables -L FORWARD
> Chain FORWARD (policy DROP)
> target prot opt source destination
> neutron-filter-top all -- anywhere anywhere
> neutron-openvswi-FORWARD all -- anywhere anywhere
> ACCEPT all -- anywhere 192.168.24.0/24 state NEW /* 140 destination network cidr nat ipv4 */
> DOCKER-ISOLATION all -- anywhere anywhere
> DOCKER all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT tcp -- anywhere 192.168.24.0/24 /* 140 network cidr nat ipv4 */ state NEW

This indicates it wasn't a clean install. This won't exist if you only use the new package.

> ACCEPT all -- 192.168.24.0/24 anywhere state NEW /* 140 source network cidr nat ipv4 */
> ACCEPT tcp -- anywhere 192.168.122.0/24 /* 141 libvirt network nat ipv4 */ state NEW

Please recheck with a fresh install. Updates should not be affected because ip_forward should already be set to 1, which will prevent docker from switching the forward rule to DROP.
Fresh deployment of puddle 2018-03-10.1 has a correct setting.

```
(undercloud) [stack@undercloud-0 ~]$ sudo iptables -S | grep FORW
-P FORWARD ACCEPT
-N neutron-openvswi-FORWARD
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -d 192.168.24.0/24 -m state --state NEW -m comment --comment "140 destination network cidr nat ipv4" -j ACCEPT
-A FORWARD -s 192.168.24.0/24 -m state --state NEW -m comment --comment "140 source network cidr nat ipv4" -j ACCEPT
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0607
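As an added example (not the report's own code and not part of instack-undercloud), the shell audit below reads a saved `iptables -S` dump like the one in the fresh-deployment comment and flags the FORWARD DROP policy the comments discuss, reporting which ctlplane ACCEPT rules would still carry traffic under that policy. The ctlplane CIDR is the one from the report; the two dumps are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example, not the bug report's own code: audit a saved `iptables -S` dump for the
# condition discussed above (Docker switching the FORWARD policy to DROP) and report
# whether the undercloud ctlplane rules would still forward traffic under that policy.
CTLPLANE_CIDR=192.168.24.0/24   # ctlplane network from the report
# forward_policy DUMP : print the FORWARD chain policy (ACCEPT/DROP), nothing if absent
forward_policy() {
    printf '%s\n' "$1" | awk '$1=="-P" && $2=="FORWARD" {print $3}'
}

# ctlplane_rule_counts DUMP CIDR : print "SRC DST EST", the number of FORWARD ACCEPT
# rules for traffic from CIDR, to CIDR, and interface-independent RELATED,ESTABLISHED
ctlplane_rule_counts() {
    printf '%s\n' "$1" | awk -v cidr="$2" '
        $1!="-A" || $2!="FORWARD" || $NF!="ACCEPT" {next}
        $3=="-s" && $4==cidr {src++}
        $3=="-d" && $4==cidr {dst++}
        { iface=0; est=0
          for (i=3; i<NF; i++) { if ($i=="-i" || $i=="-o") iface=1
                                 if ($i=="RELATED,ESTABLISHED") est=1 }
          if (est && !iface) rel++ }
        END {printf "%d %d %d\n", src+0, dst+0, rel+0}'
}

# check_forward_chain DUMP [CIDR] : return 0 when forwarding is safe, 1 otherwise
check_forward_chain() {
    dump=$1; cidr=${2:-$CTLPLANE_CIDR}
    policy=$(forward_policy "$dump")
    if [ "$policy" = ACCEPT ]; then echo "FORWARD policy ACCEPT: ok"; return 0; fi
    echo "FORWARD policy '${policy:-missing}': only explicitly accepted traffic is forwarded"
    set -- $(ctlplane_rule_counts "$dump" "$cidr")
    echo "ctlplane ACCEPT rules: from=$1 to=$2 related/established=$3"
    echo "remedy: have net.ipv4.ip_forward=1 before docker starts so it leaves the policy alone"
    return 1
}

# Constructed samples in `iptables -S` form (not the report's captured output):
# BAD mirrors the FailedQA state, GOOD mirrors the fresh puddle deployment.
BAD_DUMP='-P FORWARD DROP
-A FORWARD -d 192.168.24.0/24 -m state --state NEW -m comment --comment "140 destination network cidr nat ipv4" -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.24.0/24 -m state --state NEW -m comment --comment "140 source network cidr nat ipv4" -j ACCEPT'
GOOD_DUMP='-P FORWARD ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.24.0/24 -m state --state NEW -m comment --comment "140 destination network cidr nat ipv4" -j ACCEPT'
for dump in "$BAD_DUMP" "$GOOD_DUMP"; do
    check_forward_chain "$dump" && echo PASS || echo FAIL
done
```

On a real undercloud, pass the output of `sudo iptables -S` to `check_forward_chain` instead of the constructed dumps.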