Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1070460

Summary: IPTABLES rules not created during packstack install for distributed environment
Product: Red Hat OpenStack
Reporter: Brett Thurber <bthurber>
Component: openstack-packstack
Assignee: Ivan Chavero <ichavero>
Status: CLOSED ERRATA
QA Contact: Attila Darazs <adarazs>
Severity: high
Priority: unspecified
Version: 4.0
CC: acathrow, aortega, ddomingo, derekh, ichavero, mmagr, oblaut, rismith, sclewis, yeylon
Target Milestone: z4
Keywords: ZStream
Target Release: 4.0
Flags: ddomingo: needinfo-
Hardware: All
OS: Linux
Fixed In Version: openstack-packstack-2013.2.1-0.29.dev1009.el6ost
Doc Type: Bug Fix
Last Closed: 2014-05-29 19:58:21 UTC
Type: Bug
Bug Depends On: 999695

Description Brett Thurber 2014-02-26 22:10:02 UTC
Description of problem:
When using packstack to install RHEL OSP for a distributed environment, an iptables rule for the node hosting neutron is missing allowing the controller node to communicate with the service.

Version-Release number of selected component (if applicable):
Havana GA

How reproducible:
Every time

Steps to Reproduce:
1.  Configure 3 node distributed environment - 1 controller, 1 compute and 1 neutron/networking
2.  Run packstack install using an answer file
3.  Post install unable to communicate with the neutron/networking node from the controller node.
4.  Investigating, iptables rule missing on the neutron/networking node.  Rule should be:  -A INPUT -s <controller_node_IP>/32 -p tcp -m multiport --dports 9696,67,68 -m comment --comment "001 neutron incoming <controller_node_IP>" -j ACCEPT

Actual results:
Rule is not present preventing service access from the controller node.

Expected results:
Appropriate rules are created to allow controller to networking node communications.

Additional info:
N/A

Comment 2 Richard Smith 2014-02-27 19:49:31 UTC
I have experienced this problem at a recent customer site, but it extends to the cinder service and glance services as well whenever cinder or glance are resident on a separate physical host from the controller.

Release:  Havana-GA

How Reproducible: Always

Steps to reproduce:
1) Configure a multi-node environment: 1 controller, 2 Nova, 1 Cinder, 1 Neutron
2) Run packstack --answer-file <file> to deploy on these separate servers
3) Use Horizon to log in as admin user, attempt to view Volumes and connection times out.  Attempt to view Images, likewise.

The root cause turns out to be a missing IPTABLES rule on the Cinder host that would allow connection from the controller host, and for Neutron, a missing IPTABLES rule to allow access to the neutron endpoint from the controller.  

I have also bumped into this same issue whenever I place Glance services on a server by themselves, remote to the controller where Horizon resides.

Expected results: 
Access in Horizon GUI to the Images view or the Volumes view should appear even if empty, rather than the error "Something Went Wrong".
IPTABLES rules on Glance, Cinder, Neutron hosts should be populated with ACCEPT rules from the controller.

Additional Info:
N/A
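
Added example (not part of the bug report and not packstack code): a post-install check that reads `iptables-save` output from a service host and reports which required TCP ports have no ACCEPT rule for the controller, which is the gap described in the description and in comment 2. The function names and the address 192.0.2.10 (standing in for <controller_node_IP>) are assumptions; the neutron ports come from the rule quoted in step 4, and ports for other services must be supplied by the caller.

```python
import ipaddress
import shlex

# Ports taken from the rule quoted in step 4 of the description.
NEUTRON_PORTS = {9696, 67, 68}

def accepted_tcp_ports(ruleset, source_ip, chain="INPUT"):
    """TCP ports for which `chain` has an ACCEPT rule matching source_ip.

    Reads iptables-save text. Rule order and chain policy are not modelled,
    and rules with negated matches ("!") are skipped, not interpreted.
    """
    src = ipaddress.ip_address(source_ip)
    ports = set()
    for line in ruleset.splitlines():
        tok = shlex.split(line)  # keeps a quoted --comment as one token
        if tok[:2] != ["-A", chain] or "!" in tok:
            continue
        opt = {k: v for k, v in zip(tok, tok[1:])
               if k in ("-s", "-p", "-j", "--dport", "--dports")}
        if opt.get("-p") != "tcp" or opt.get("-j") != "ACCEPT":
            continue
        # A rule without -s matches every source, the controller included.
        net = ipaddress.ip_network(opt.get("-s", "0.0.0.0/0"), strict=False)
        spec = opt.get("--dports") or opt.get("--dport")
        if src not in net or spec is None:
            continue
        for part in spec.split(","):  # multiport entries may be lo:hi ranges
            lo, _, hi = part.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def missing_ports(ruleset, controller_ip, required=NEUTRON_PORTS):
    """Required ports with no ACCEPT rule for the controller (empty = OK)."""
    return set(required) - accepted_tcp_ports(ruleset, controller_ip)

# Constructed sample rulesets for a networking node, before and after the fix.
BROKEN = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
FIXED = BROKEN.replace(
    "-A INPUT -j REJECT",
    '-A INPUT -s 192.0.2.10/32 -p tcp -m multiport --dports 9696,67,68 '
    '-m comment --comment "001 neutron incoming 192.0.2.10" -j ACCEPT\n'
    "-A INPUT -j REJECT")
```

Feed it the text of `iptables-save` collected from each service host; a non-empty result from `missing_ports` names the ports the controller cannot reach through an explicit rule.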

Comment 8 Ivan Chavero 2014-03-25 19:51:58 UTC
The patch for https://bugzilla.redhat.com/show_bug.cgi?id=999695 is on review, hopefully we'll have merged it today.

Comment 9 Ivan Chavero 2014-04-05 01:52:41 UTC
The patch for bug 999695 has been merged and packaged into openstack-packstack-2013.2.1-0.35.dev1009.el6.

Comment 10 Attila Darazs 2014-05-23 13:40:02 UTC
Setting verified as it was bumped back only because of a dependent bug not being fixed previously.

Comment 13 errata-xmlrpc 2014-05-29 19:58:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0577.html