Bug 1550976

Summary: newer versions of docker switch FORWARD chain to DROP by default [openstack-12]
Product: Red Hat OpenStack
Reporter: Mike Burns <mburns>
Component: instack-undercloud
Assignee: James Slagle <jslagle>
Status: CLOSED ERRATA
QA Contact: Gurenko Alex <agurenko>
Severity: high
Priority: high
Version: 12.0 (Pike)
CC: achernet, agurenko, apevec, aschultz, chjones, emacchi, gfidente, johfulto, jschluet, jslagle, mburns, mcornea, michele, michele, ohochman, psedlak, rhel-osp-director-maint, rscarazz, samccann, sasha, slinaber, tbarron, tonyb, tvignaud, yprokule
Target Milestone: z2
Keywords: AutomationBlocker, Triaged, ZStream
Target Release: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: instack-undercloud-7.4.9-2.el7ost
Doc Type: If docs needed, set a value
Clone Of: 1543580
Last Closed: 2018-03-28 17:32:48 UTC
Type: Bug
Bug Depends On: 1543580, 1553848, 1553849

Comment 5 Alexander Chuzhoy 2018-03-08 15:18:52 UTC
FailedQA:
Environment:
instack-undercloud-7.4.9-2.el7ost.noarch

[stack@undercloud-0 ~]$ sudo iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-openvswi-FORWARD  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             192.168.24.0/24      state NEW /* 140 destination network cidr nat ipv4 */
DOCKER-ISOLATION  all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             192.168.24.0/24      /* 140 network cidr nat ipv4 */ state NEW
ACCEPT     all  --  192.168.24.0/24      anywhere             state NEW /* 140 source network cidr nat ipv4 */
ACCEPT     tcp  --  anywhere             192.168.122.0/24     /* 141 libvirt network nat ipv4 */ state NEW

Comment 6 Michele Baldessari 2018-03-08 15:48:35 UTC
(In reply to Alexander Chuzhoy from comment #5)
> FailedQA:
> Environment:
> instack-undercloud-7.4.9-2.el7ost.noarch
> 
> [stack@undercloud-0 ~]$ sudo iptables -L FORWARD
> Chain FORWARD (policy DROP)
...
> ACCEPT     all  --  anywhere             192.168.24.0/24      state NEW /*
> 140 destination network cidr nat ipv4 */
...
> ACCEPT     all  --  192.168.24.0/24      anywhere             state NEW /*
> 140 source network cidr nat ipv4 */

Those rules + the RELATED,ESTABLISHED rule should allow traffic from and to the ctlplane and so we should be good no?

Comment 7 Alexander Chuzhoy 2018-03-08 18:24:07 UTC
Apparently not enough:

I'd suggest adding at least:

iptables -I FORWARD -p icmp -s 192.168.24.0/24 -j ACCEPT
iptables -I FORWARD -p icmp -d 192.168.24.0/24 -j ACCEPT
iptables -I FORWARD -p udp -s 192.168.24.0/24 -j ACCEPT
iptables -I FORWARD -p udp -d 192.168.24.0/24 -j ACCEPT

Comment 10 Alex Schultz 2018-03-09 17:04:51 UTC
(In reply to Alexander Chuzhoy from comment #5)
> FailedQA:
> Environment:
> instack-undercloud-7.4.9-2.el7ost.noarch
> 
> [stack@undercloud-0 ~]$ sudo iptables -L FORWARD
> Chain FORWARD (policy DROP)
> target     prot opt source               destination         
> neutron-filter-top  all  --  anywhere             anywhere            
> neutron-openvswi-FORWARD  all  --  anywhere             anywhere            
> ACCEPT     all  --  anywhere             192.168.24.0/24      state NEW /*
> 140 destination network cidr nat ipv4 */
> DOCKER-ISOLATION  all  --  anywhere             anywhere            
> DOCKER     all  --  anywhere             anywhere            
> ACCEPT     all  --  anywhere             anywhere             ctstate
> RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere            
> ACCEPT     all  --  anywhere             anywhere            
> ACCEPT     tcp  --  anywhere             192.168.24.0/24      /* 140 network
> cidr nat ipv4 */ state NEW

This indicates it wasn't a clean install. This won't exist if you only use the new package. 

> ACCEPT     all  --  192.168.24.0/24      anywhere             state NEW /*
> 140 source network cidr nat ipv4 */
> ACCEPT     tcp  --  anywhere             192.168.122.0/24     /* 141 libvirt
> network nat ipv4 */ state NEW


Please recheck with a fresh install. Updates should not be affected because ip_forward should already be set to 1, which will prevent docker from switching the forward rule to DROP.

Comment 12 Gurenko Alex 2018-03-14 10:38:32 UTC
Fresh deployment of puddle 2018-03-10.1 has the correct setting.

(undercloud) [stack@undercloud-0 ~]$ sudo iptables -S | grep FORW
-P FORWARD ACCEPT
-N neutron-openvswi-FORWARD
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -d 192.168.24.0/24 -m state --state NEW -m comment --comment "140 destination network cidr nat ipv4" -j ACCEPT
-A FORWARD -s 192.168.24.0/24 -m state --state NEW -m comment --comment "140 source network cidr nat ipv4" -j ACCEPT

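An added check script, not part of instack-undercloud or of this report, that tells the state shown in Comment 12 (policy ACCEPT, both ctlplane NEW-state rules present) apart from the state shown in Comment 5 (policy DROP). It works on the text of `iptables -S FORWARD` so it can be run offline on saved output; the "good" sample below is Comment 12's output verbatim, the "bad" sample is a constructed `-S` rendering of Comment 5's listing, and the verdict words ("ok", "docker-drop", "no-forwarding") are this example's own labels, with "docker-drop" following Comment 10's point that docker only flips the policy when it had to enable ip_forward itself. The ctlplane CIDR 192.168.24.0/24 is taken from the listings; `--live` runs against the real chain and needs root.

```shell
#!/bin/sh
# Added example for bug 1550976; not code from instack-undercloud or the report.

# Print the FORWARD chain policy (ACCEPT or DROP) from `iptables -S` output.
forward_policy() {
    printf '%s\n' "$1" | awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# Count the NEW-state ACCEPT rules in FORWARD whose source or destination is
# the given CIDR. 2 means both instack ctlplane rules are present.
ctlplane_rules() {
    printf '%s\n' "$1" | awk -v cidr="$2" '
        $1 == "-A" && $2 == "FORWARD" && /--state NEW/ && /-j ACCEPT/ {
            for (i = 3; i < NF; i++)
                if (($i == "-s" || $i == "-d") && $(i + 1) == cidr) { n++; break }
        }
        END { print n + 0 }'
}

# Print 1 if the kernel already forwards IPv4, else 0. The path defaults to
# the real sysctl file; pass a saved copy to check offline.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    if [ -r "$f" ] && [ "$(cat "$f")" = 1 ]; then echo 1; else echo 0; fi
}

# Verdict (labels are this example's own): "ok" when the policy is ACCEPT;
# "docker-drop" when it is DROP although ip_forward is 1 now (Comment 5's
# symptom); "no-forwarding" when the kernel is not forwarding at all.
forward_verdict() {
    rules=$1; fwd=$2
    if [ "$(forward_policy "$rules")" = ACCEPT ]; then echo ok
    elif [ "$fwd" = 1 ]; then echo docker-drop
    else echo no-forwarding; fi
}

# Comment 12's `iptables -S | grep FORW` output, verbatim.
GOOD_SAMPLE='-P FORWARD ACCEPT
-N neutron-openvswi-FORWARD
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -d 192.168.24.0/24 -m state --state NEW -m comment --comment "140 destination network cidr nat ipv4" -j ACCEPT
-A FORWARD -s 192.168.24.0/24 -m state --state NEW -m comment --comment "140 source network cidr nat ipv4" -j ACCEPT'

# Constructed: Comment 5's `iptables -L FORWARD` listing rendered in -S form.
BAD_SAMPLE='-P FORWARD DROP
-N neutron-openvswi-FORWARD
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -d 192.168.24.0/24 -m state --state NEW -m comment --comment "140 destination network cidr nat ipv4" -j ACCEPT
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -d 192.168.24.0/24 -p tcp -m comment --comment "140 network cidr nat ipv4" -m state --state NEW -j ACCEPT
-A FORWARD -s 192.168.24.0/24 -m state --state NEW -m comment --comment "140 source network cidr nat ipv4" -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -p tcp -m comment --comment "141 libvirt network nat ipv4" -m state --state NEW -j ACCEPT'

if [ "$1" = --live ]; then
    rules=$(iptables -S FORWARD)    # needs root
    echo "policy=$(forward_policy "$rules")" \
         "ctlplane_rules=$(ctlplane_rules "$rules" 192.168.24.0/24)" \
         "verdict=$(forward_verdict "$rules" "$(ip_forward_enabled)")"
else
    echo "good sample: $(forward_verdict "$GOOD_SAMPLE" 1)"
    echo "bad sample:  $(forward_verdict "$BAD_SAMPLE" 1)"
fi
```

Run it as `sudo sh check_forward.sh --live` on the undercloud after a fresh install and again after `docker` has been restarted; the policy line is the one that matters, since the ctlplane rules are present in both listings above and Comment 7 reports them not sufficient on their own under a DROP policy.
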
Comment 17 errata-xmlrpc 2018-03-28 17:32:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0607