| Summary: | packstack doesn't open DHCP ports on host | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Ofer Blaut <oblaut> |
| Component: | openstack-packstack | Assignee: | Ivan Chavero <ichavero> |
| Status: | CLOSED ERRATA | QA Contact: | Nir Magnezi <nmagnezi> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 3.0 | CC: | aberezin, aortega, derekh, ichavero, iwienand, kseifried, mmagr, oblaut, yeylon |
| Target Milestone: | z4 | Keywords: | TestOnly, Unconfirmed, ZStream |
| Target Release: | 4.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openstack-packstack-2013.2.1-0.29.dev1009.el6ost | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-05-29 19:56:51 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 1070460 | | |
| Attachments: | | | |

Build info
openstack-packstack-2013.1.1-0.30.dev672.el6ost.noarch
openstack-quantum-2013.1.3-1.el6ost.noarch

1. This happens when namespace is not USED.
2. In order to operate the L3 router, the user needs to configure router-id and restart the l3 agent (bz# 918057).

So updated iptables will be

```
[root@puma05 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
quantum-l3-agent-INPUT  all  --  anywhere             anywhere
quantum-linuxbri-INPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
quantum-filter-top  all  --  anywhere             anywhere
quantum-l3-agent-FORWARD  all  --  anywhere             anywhere
quantum-linuxbri-FORWARD  all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
quantum-filter-top  all  --  anywhere             anywhere
quantum-l3-agent-OUTPUT  all  --  anywhere             anywhere
quantum-linuxbri-OUTPUT  all  --  anywhere             anywhere

Chain quantum-filter-top (2 references)
target     prot opt source               destination
quantum-l3-agent-local  all  --  anywhere             anywhere
quantum-linuxbri-local  all  --  anywhere             anywhere

Chain quantum-l3-agent-FORWARD (1 references)
target     prot opt source               destination

Chain quantum-l3-agent-INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             localhost           tcp dpt:9697

Chain quantum-l3-agent-OUTPUT (1 references)
target     prot opt source               destination

Chain quantum-l3-agent-local (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-FORWARD (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-INPUT (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-OUTPUT (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-local (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-sg-chain (0 references)
target     prot opt source               destination

Chain quantum-linuxbri-sg-fallback (0 references)
target     prot opt source               destination
```

Issue does happen when using same configuration on linuxbridge with namespace enabled; attached iptables of host and namespace table

```
[root@puma05 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
quantum-linuxbri-INPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
quantum-filter-top  all  --  anywhere             anywhere
quantum-linuxbri-FORWARD  all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
quantum-filter-top  all  --  anywhere             anywhere
quantum-linuxbri-OUTPUT  all  --  anywhere             anywhere

Chain quantum-filter-top (2 references)
target     prot opt source               destination
quantum-linuxbri-local  all  --  anywhere             anywhere

Chain quantum-linuxbri-FORWARD (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-INPUT (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-OUTPUT (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-local (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-sg-chain (0 references)
target     prot opt source               destination

Chain quantum-linuxbri-sg-fallback (0 references)
target     prot opt source               destination
[root@puma05 ~]#
[root@puma05 ~]# ip netns list
qrouter-aa2e4abd-7452-4744-97d1-9b673d4e37b2
qdhcp-d76448e1-0a5e-4556-b1c5-a2609278e35a
qdhcp-73231975-9759-4fd7-a84c-09ad2fdbbfeb
[root@puma05 ~]# ip netns exec qdhcp-d76448e1-0a5e-4556-b1c5-a2609278e35a iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

Martin to reach out to Terry on this today.

Ian, could you please add the missing firewall entries?

Ofer -- it's been some time since this bug was filed so can you please confirm the issue remains? I attempted to replicate but I'm not seeing VMs that don't get addresses. I certainly may have chosen incorrect options, etc., so can you please detail more specifically the commands you ran to set up. Thanks

this was addressed in [1]

[1] https://review.openstack.org/#/c/65858/

patch merged, waiting for package to be created

Reverting status change. It hasn't actually made it to a build yet.

Backport to havana on review

patch merged and packaged in: openstack-packstack-2013.2.1-0.35.dev1009.el6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0577.html

Created attachment 789000: iptables rules and openstack status

Description of problem:
I have installed the latest 20.8 puddle with linuxbridge (we didn't test it in grizzly since OVS had higher priority). I'm using distributed quantum; currently DHCP discover requests are being dropped by iptables (when iptables is off it works).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install distributed setup with packstack (no namespace)
2. Config basic network and run a VM; it will not get an IP address
3. Stop iptables on the host with DHCP and service network restart in the VM

Actual results:

Expected results:

Additional info:
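
The host INPUT chains listed in this report end in a blanket REJECT with no DHCP rule ahead of it, which matches the dropped discover requests. The check below is an added example, not part of the original report or of packstack: the function `dhcp_input_verdict` and both sample rule sets are constructed here, written in `iptables -S` form because `iptables -L` without `-v` hides interface matches. Assumptions: the bare `ACCEPT all` rule is the loopback rule (`-i lo`), jumps to the quantum chains do not decide the packet (they are empty in the listings), and negated (`!`) or multiport matches are not handled.

```shell
#!/bin/sh
# Added example: decide what the INPUT chain does with a NEW DHCP request
# (UDP, destination port 67, arriving on a non-loopback interface).
# Reads `iptables -S INPUT` text on stdin; prints accept, reject or drop.
dhcp_input_verdict() {
    awk '
    $1 == "-P" && $2 == "INPUT" { policy = tolower($3); next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        proto = "all"; dport = ""; iface = ""; state = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-i") iface = $(i + 1)
            else if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        # Skip rules that cannot match the DHCP request.
        if (proto != "all" && proto != "udp") next
        if (dport != "" && dport != "67" && dport != "67:68") next
        if (iface == "lo") next
        if (state != "" && state !~ /NEW/) next
        # First terminal target wins; other targets are treated as
        # user-defined chains that return without a verdict (assumption).
        if (target == "ACCEPT" || target == "REJECT" || target == "DROP") {
            print tolower(target); decided = 1; exit
        }
    }
    END { if (!decided) print (policy != "" ? policy : "unknown") }
    '
}

# Constructed sample modelled on the host listing in this report.
BEFORE='-P INPUT ACCEPT
-A INPUT -j quantum-linuxbri-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Same chain with a DHCP server rule placed ahead of the REJECT
# (constructed for illustration; not the text of the packstack patch).
AFTER=$(printf '%s\n' "$BEFORE" | awk '
    /-j REJECT/ { print "-A INPUT -p udp -m udp --dport 67 -j ACCEPT" }
    { print }')

printf 'before: %s\n' "$(printf '%s\n' "$BEFORE" | dhcp_input_verdict)"
printf 'after:  %s\n' "$(printf '%s\n' "$AFTER" | dhcp_input_verdict)"
```

On a DHCP host, run it as `iptables -S INPUT | dhcp_input_verdict`; a result of `reject` or `drop` means the rule order needs fixing, since an ACCEPT appended after the final REJECT is never reached.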