Description of problem:
Packstack installs iptables rules for several API services with the source address set to "anywhere" (i.e. nova-api, horizon, ceilometer-api, swift-proxy). These rules appear to allow those services to be callable from anywhere. But in order for clients to actually interact with any of those services, they would have to go to keystone first to get a token. And therein lies the problem ... the iptables rule installed for keystone is source-constrained to just the allinone host (or to the compute nodes, if additional nodes are added, IIUC).

Hence the firewall rules for the API services are confusingly "half open". They appear to allow those services to be invoked from outside the controller host, as the service ports are open to traffic originating from anywhere. But since the keystone port is not open to the same extent, in practical terms the iptables rules for the API services do not have the effect intended/implied. So external clients can only invoke on the API services if they already have a cached token, but not otherwise, and the failure mode isn't obvious to someone new to openstack.

Version-Release number of selected component (if applicable):
openstack-packstack-2013.2.1-0.18.dev934.el6ost

How reproducible:
100%

Steps to Reproduce:
1. Install packstack --allinone in the usual way
2. Install the CLI for any of the services mentioned above (nova, ceilometer, swift) onto another host
3. Source the keystonerc_admin generated by packstack on the second host
4. Attempt a basic CLI command:
   $ nova --debug flavor-list
   $ ceilometer --debug meter-list
   ... etc

Actual results:
The CLI invocation on the "open" service fails, e.g:
$ nova flavor-list
ERROR: [Errno 113] No route to host
$ ceilometer meter-list
Authorization Failed: Unable to establish connection to http://192.168.122.130:35357/v2.0/tokens

Expected results:
The CLI invocation on the "open" service should succeed.

Additional info:
N/A
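The "half open" state described in the report can be checked mechanically on a controller: dump the INPUT chain and confirm that no API port is accepted from anywhere while the keystone ports (5000 and 35357) are accepted only from a restricted source. The script below is an added example written for this page, not part of packstack or of the bug report. It runs against a constructed sample of `iptables -S INPUT` output embedded in the script; the list of API ports it audits (8774 nova, 8777 ceilometer, 8080 swift-proxy, 80 horizon) is an assumption for the example, and on a real host you would feed it the actual `iptables -S INPUT` output instead of the sample.

```shell
#!/bin/sh
# Added example: audit an `iptables -S INPUT` dump for the "half open" pattern
# where API ports are open to anywhere but keystone is source-restricted.

# Constructed sample resembling `iptables -S INPUT` on an allinone controller
# (not captured from a real host).
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 192.168.122.130/32 -p tcp -m multiport --dports 5000,35357 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8774,8775 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8777 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080 -j ACCEPT'

# Print the source restriction ("any" or the -s CIDR) of every ACCEPT rule
# whose --dport/--dports list contains PORT.  Usage: rule_sources RULES PORT
rule_sources() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /-j ACCEPT/ {
            src = "any"; hit = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "--dport" || $i == "--dports") {
                    n = split($(i + 1), ports, ",")
                    for (j = 1; j <= n; j++) if (ports[j] == port) hit = 1
                }
            }
            if (hit) print src
        }'
}

# Succeed (exit 0) if some ACCEPT rule admits PORT from any source.
open_to_anywhere() {
    rule_sources "$1" "$2" | grep -qx any
}

# Succeed (exit 0) when the rule set is "half open": at least one API port is
# accepted from anywhere while neither keystone port is.  Prints each such port.
# Port lists are assumptions for this example.
half_open() {
    rules=$1
    ks_open=1
    for p in 5000 35357; do
        open_to_anywhere "$rules" "$p" && ks_open=0
    done
    found=1
    for p in 8774 8777 8080 80; do
        if open_to_anywhere "$rules" "$p" && [ "$ks_open" -ne 0 ]; then
            echo "port $p accepted from anywhere, but keystone (5000/35357) is source-restricted"
            found=0
        fi
    done
    return $found
}

if half_open "$SAMPLE_RULES"; then
    echo "half-open firewall: external clients cannot obtain a token"
else
    echo "keystone reachability matches the API ports"
fi
```

On the constructed sample the audit flags ports 8774, 8777 and 8080, which is exactly the situation in the report: the API ports answer to external clients, but the token request they must make first is dropped. Replace `SAMPLE_RULES` with `"$(iptables -S INPUT)"` to run the same check on a live controller.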
Francesco has been working on it. It seems that he hit some sort of issue with the firewall Puppet module.
Verified NVR: openstack-packstack-2013.2.1-0.22.dev956.el6ost.noarch

Tested as follows (Followed Comment #0):
1. Installed openstack via packstack on a single node.
2. Used additional node and installed the following packages:
   python-cinderclient
   python-neutronclient
   python-keystoneclient
   python-glanceclient
   python-swiftclient
   python-novaclient
   python-ceilometerclient
   python-heatclient
   In addition, created a keystonerc file to source.
3. The following commands were tested OK:
   nova list
   ceilometer meter-list
   cinder list
   glance image-list
   neutron net-list
   keystone endpoint-list
   heat list

Commands used in Comment #0:
   nova --debug flavor-list
   ceilometer --debug meter-list
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2014-0046.html