Bug 1040610 - ceilometer-api constrains access to the host on which the service is running
Summary: ceilometer-api constrains access to the host on which the service is running
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-foreman-installer
Version: 4.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 4.0
Assignee: Jiri Stransky
QA Contact: Ami Jeain
URL:
Whiteboard:
Depends On: 1040404
Blocks:
Reported: 2013-12-11 17:02 UTC by Jiri Stransky
Modified: 2016-04-26 16:20 UTC (History)

Fixed In Version: openstack-foreman-installer-1.0.0-1.el6ost
Doc Type: Known Issue
Doc Text:
Currently, a missing firewall rule for ceilometer-api causes ceilometer-api to only be accessible locally on a controller, not from other machines. Workaround: Open port 8777 in the firewall on the controller node(s). This will make ceilometer-api accessible from other machines.
Clone Of: 1040404
Environment:
Last Closed: 2013-12-20 00:44:19 UTC
Target Upstream Version:




Links
System: Red Hat Product Errata
ID: RHEA-2013:1859
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Red Hat Enterprise Linux OpenStack Platform Enhancement Advisory
Last Updated: 2013-12-21 00:01:48 UTC

Comment 1 Jiri Stransky 2013-12-11 18:01:30 UTC
Pull request upstream, not merged yet: https://github.com/redhat-openstack/astapor/pull/83

Comment 2 Jiri Stransky 2013-12-11 20:36:33 UTC
Cause: Missing firewall rule for ceilometer-api.

Consequence: Ceilometer-api is only accessible locally on a controller, not from other machines.

Workaround (if any): Open port 8777 in firewall on controller node(s).

Result: Ceilometer-api will become accessible from other machines.

Comment 3 Jason Guiditta 2013-12-11 21:05:59 UTC
merged upstream

Comment 4 Chandrasekar Kannan 2013-12-16 22:20:30 UTC
qa_ack provided - OtherQA bug.

Comment 6 Crag Wolfe 2013-12-18 23:35:28 UTC
Verified that the controller node opens up port 8777 on a neutron controller node (same code applies to nova-network controller node).

Steps include assigning a host to the Controller (Neutron) Host Group in the Foreman UI, then running "puppet agent -t" from the host, then:

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
nova-api-INPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            multiport dports http,https,iscsi-target,mysql,commplex-main,35357,amqp,8773,8774,8775,8776,8777,armtechdaemon,6080 /* 001 controller incoming */
...
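
Added example, not part of Comment 6 or the installer's code: a shell check that reads an `iptables -L` listing and reports whether a tcp ACCEPT rule in the INPUT chain covers port 8777. The helper names and the second listing are constructed for illustration; ports printed as service names are not resolved, so `iptables -L INPUT -n` is the better input.

```shell
#!/bin/sh
# input_accepts_tcp_port (hypothetical name): reads an iptables listing on
# stdin, $1 is the port. Exit status 0 if a tcp ACCEPT rule in Chain INPUT
# names the port via "multiport dports", "dpt:" or "dpts:". Rules with no
# port match and ports shown as service names are ignored.
input_accepts_tcp_port() {
    awk -v port="$1" '
        /^Chain / { in_input = ($2 == "INPUT"); next }
        in_input && $1 == "ACCEPT" && $2 == "tcp" {
            for (i = 1; i <= NF; i++) {
                spec = ""
                if ($i == "dports" && i < NF) spec = $(i + 1)
                else if ($i ~ /^dpts:/) spec = substr($i, 6)
                else if ($i ~ /^dpt:/) spec = substr($i, 5)
                if (spec == "") continue
                n = split(spec, items, ",")
                for (j = 1; j <= n; j++) {
                    m = split(items[j], r, ":")   # "8773:8777" is a range
                    lo = r[1]; hi = (m == 2) ? r[2] : r[1]
                    if (lo ~ /^[0-9]+$/ && hi ~ /^[0-9]+$/ &&
                        port + 0 >= lo + 0 && port + 0 <= hi + 0) found = 1
                }
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Listing quoted in Comment 6 (controller with the fix applied).
FIXED_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
nova-api-INPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            multiport dports http,https,iscsi-target,mysql,commplex-main,35357,amqp,8773,8774,8775,8776,8777,armtechdaemon,6080 /* 001 controller incoming */'

# Constructed listing: assumed shape of the same rule without 8777.
UNFIXED_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            multiport dports http,https,mysql,35357,amqp,8773,8774,8775,8776,6080 /* 001 controller incoming */'

report() {  # $1 = label, $2 = listing text
    if printf '%s\n' "$2" | input_accepts_tcp_port 8777; then
        echo "$1: tcp/8777 accepted on INPUT"
    else
        echo "$1: no INPUT rule accepts tcp/8777"
    fi
}
report "fixed" "$FIXED_LISTING"
report "unfixed" "$UNFIXED_LISTING"
```

On a live controller, pipe `iptables -L INPUT -n` into the function instead of the embedded listings. The rule in Comment 6 accepts from source `anywhere`, so a pass here says the port is open, not that access is restricted to the intended clients.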

Comment 9 errata-xmlrpc 2013-12-20 00:44:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1859.html

