Bug 986371

Summary: TFTP blocked by firewall causing timeout during pxe provisioning process
Product: Red Hat OpenStack
Reporter: Chris Lunsford <clunsfor>
Component: doc-Installation_and_Configuration_Guide
Assignee: Scott Radvan <sradvan>
Status: CLOSED CURRENTRELEASE
QA Contact: ecs-bugs
Severity: medium
Priority: high
Version: 3.0
CC: rlandman, sgordon, slong, yeylon
Target Milestone: z2
Keywords: Documentation, Triaged, ZStream
Target Release: 4.0
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Build: CSProcessor Builder Version 1.11 Build Name: 19219, Deployment Guide (Foreman Technical Preview)-null-1 Build Date: 11-07-2013 11:55:35 Topic ID: 20080-472633 [Latest]
Last Closed: 2014-03-04 00:27:28 UTC
Type: Bug
Bug Blocks: 1010310

Description Chris Lunsford 2013-07-19 15:16:49 UTC
Title: Configuring the Firewall

Describe the issue:
Firewall rule to allow TFTP (UDP 69) is missing, preventing hosts from PXE booting during the provisioning process.

Suggestions for improvement:
Add an additional line to allow UDP 69 to the list of firewall rules.

Additional information:

After following the guide, the host was timing out during the PXE process.

On the foreman host, I manually ran:
iptables -I INPUT -p udp --dport 69 -j ACCEPT
service iptables save
service iptables restart

which added this line to /etc/sysconfig/iptables:
-A INPUT -p udp -m udp --dport 69 -j ACCEPT

After doing this, the host retrieved the appropriate pxelinux file.

Comment 2 Chris Lunsford 2013-07-26 15:12:17 UTC
I've hit a similar issue with DNS being blocked by firewall, which causes a failure during the kickstart configuration (host cannot resolve foreman's hostname to pull install.img).  I opened UDP 53 to resolve this using: 

iptables -I INPUT -p udp --dport 53 -j ACCEPT

I can open a separate bug for this, if preferred.

Comment 3 Stephen Gordon 2013-07-26 15:40:44 UTC
(In reply to Chris Lunsford from comment #2)
> I've hit a similar issue with DNS being blocked by firewall, which causes a
> failure during the kickstart configuration (host cannot resolve foreman's
> hostname to pull install.img).  I opened UDP 53 to resolve this using: 
> 
> iptables -I INPUT -p udp --dport 53 -j ACCEPT
> 
> I can open a separate bug for this, if preferred.

I am happy to kill both under this bug; effectively, what is required under this bug is a new/updated procedure for ensuring the firewall configuration on the Foreman server is correct.
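The two rules reported above (TFTP on UDP 69 for PXE boot, DNS on UDP 53 for resolving the Foreman hostname during kickstart) can be verified against the saved rule file before a provisioning run. The script below is an added example, not part of this bug or of the Foreman documentation; the required-port list and the sample /etc/sysconfig/iptables content are constructed here, and the check only inspects the iptables-save format, it changes nothing.

```shell
#!/bin/sh
# Added example: audit an iptables-save style rules file (the format of
# /etc/sysconfig/iptables) for the INPUT ACCEPT rules a Foreman provisioning
# host needs. Port list is an assumption taken from this bug's two reports.

# "proto port purpose" per line
REQUIRED_RULES="udp 69 TFTP
udp 53 DNS"

# Print "proto/port (purpose)" for each required rule that has no matching
# "-A INPUT ... -p <proto> ... --dport <port> ... -j ACCEPT" line in $1.
# Returns 0 when every rule is present, 1 when at least one is missing.
missing_provisioning_rules() {
    rules_file=$1
    missing=0
    while read -r proto port purpose; do
        if ! grep -Eq "^-A INPUT .*-p $proto .*--dport $port .*-j ACCEPT" "$rules_file"; then
            echo "$proto/$port ($purpose)"
            missing=1
        fi
    done <<EOF
$REQUIRED_RULES
EOF
    return $missing
}

# Constructed sample: a host set up as in the bug, before the TFTP and DNS
# rules were added (SSH and HTTP open, everything else rejected).
write_sample_rules() {
    cat >"$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Stand-alone run: report what the sample file is missing.
sample=$(mktemp)
write_sample_rules "$sample"
if missing_provisioning_rules "$sample"; then
    echo "all provisioning rules present"
else
    echo "missing rules listed above; add them with iptables -I INPUT -p udp --dport <port> -j ACCEPT"
fi
rm -f "$sample"
```

Point the function at the real /etc/sysconfig/iptables after `service iptables save` to confirm the rules were persisted, not only inserted into the running chain.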

Comment 4 Summer Long 2014-01-06 04:59:21 UTC
Foreman info is now contained in the Installation guide; moving there. Steve moved this to modified, so assume that this made it into the ICG's Foreman section. Needs a check.

Comment 5 Summer Long 2014-01-20 23:06:35 UTC
This bug is being assigned to Scott Radvan, who is now the designated docs specialist for Foreman.