Bug 1073100 - Packstack does not open iptables for horizon/client access to Neutron API
Summary: Packstack does not open iptables for horizon/client access to Neutron API
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-packstack
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: RHOS Maint
QA Contact: Ami Jeain
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-03-05 18:48 UTC by Lars Kellogg-Stedman
Modified: 2014-03-17 09:02 UTC

Fixed In Version: openstack-packstack-2013.2.1-0.34.dev989.el6
Clone Of:
Environment:
Last Closed: 2014-03-17 09:02:52 UTC
Embargoed:

Links:
Launchpad 1288447

Description Lars Kellogg-Stedman 2014-03-05 18:48:27 UTC
I'm using packstack to install RDO Havana on a five-node cluster with the following members:

- 10.15.0.3 compute0
- 10.15.0.4 compute1
- 10.15.0.7 storage0
- 10.15.0.5 storage1
- 10.15.0.6 controller
- 10.15.0.2 network

The system "network" runs neutron-server and neutron-*-agent; the
system "controller" runs everything other than nova-compute, including
Horizon.

After packstack finishes, the iptables rules on "network" look like
this:

    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N neutron-filter-top
    -N neutron-openvswi-FORWARD
    -N neutron-openvswi-INPUT
    -N neutron-openvswi-OUTPUT
    -N neutron-openvswi-local
    -N neutron-openvswi-sg-chain
    -N neutron-openvswi-sg-fallback
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
    -A INPUT -j neutron-openvswi-INPUT 
    -A INPUT -s 10.15.0.2/32 -p tcp -m multiport --dports 9696,67,68 -m comment --comment "001 neutron incoming 10.15.0.2" -j ACCEPT 
    -A INPUT -s 10.15.0.3/32 -p tcp -m multiport --dports 9696,67,68 -m comment --comment "001 neutron incoming 10.15.0.3" -j ACCEPT 
    -A INPUT -s 10.15.0.4/32 -p tcp -m multiport --dports 9696,67,68 -m comment --comment "001 neutron incoming 10.15.0.4" -j ACCEPT 
    -A FORWARD -j neutron-filter-top 
    -A FORWARD -j neutron-openvswi-FORWARD 
    -A OUTPUT -j neutron-filter-top 
    -A OUTPUT -j neutron-openvswi-OUTPUT 
    -A neutron-filter-top -j neutron-openvswi-local 
    -A neutron-openvswi-sg-fallback -j DROP 

Note the three rules that permit access to the Neutron API on port
9696; there are rules for each of the compute nodes (.3 and .4) and
for the local itself (.2), but there is no access permitted from
"controller".

This is a problem because both Horizon and the client tools expect to
run from this host, and any proxy access by nova-api will *also* run
through this host.
 
Rules should permit access from at least:

- CONFIG_HORIZON_HOST
- CONFIG_OSCLIENT_HOST
- CONFIG_NOVA_API_HOST

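An added check, not part of the report or of packstack, that reads `iptables-save`-style INPUT rules and reports which of the hosts named by the three options above have no explicit ACCEPT for tcp/9696. The sample rules are the ones quoted in the report; mapping all three options to 10.15.0.6 ("controller") is an assumption taken from the cluster layout in the description, and the check looks only at explicit ACCEPT rules, not at the chain policy.

```python
import re

# Constructed sample: the INPUT rules quoted in the report, in the form
# `iptables-save` prints them (policy and chain-creation lines omitted).
SAMPLE_RULES = """\
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -s 10.15.0.2/32 -p tcp -m multiport --dports 9696,67,68 -m comment --comment "001 neutron incoming 10.15.0.2" -j ACCEPT
-A INPUT -s 10.15.0.3/32 -p tcp -m multiport --dports 9696,67,68 -m comment --comment "001 neutron incoming 10.15.0.3" -j ACCEPT
-A INPUT -s 10.15.0.4/32 -p tcp -m multiport --dports 9696,67,68 -m comment --comment "001 neutron incoming 10.15.0.4" -j ACCEPT
"""

# Hosts that must reach the Neutron API, keyed by the packstack option that
# names them. Assumption: all three run on "controller" (10.15.0.6).
REQUIRED = {
    "CONFIG_HORIZON_HOST": "10.15.0.6",
    "CONFIG_OSCLIENT_HOST": "10.15.0.6",
    "CONFIG_NOVA_API_HOST": "10.15.0.6",
}

ACCEPT_RE = re.compile(r"^-A INPUT (?P<body>.*?)-j ACCEPT\s*$")
PORTS_RE = re.compile(r"--dports? (\S+)")  # "-m tcp --dport N" or "-m multiport --dports a,b"
SOURCE_RE = re.compile(r"(?:^|\s)-s (\S+)")

def allowed_sources(rules, port="9696"):
    """Source CIDRs with an explicit INPUT ACCEPT rule for tcp/`port`.
    A rule with no -s matches any source and is reported as 0.0.0.0/0;
    the chain policy (-P INPUT ...) is deliberately not consulted."""
    allowed = set()
    for line in rules.splitlines():
        m = ACCEPT_RE.match(line)
        if not m or " -p tcp " not in " " + m.group("body"):
            continue
        ports = PORTS_RE.search(m.group("body"))
        if ports and port in ports.group(1).split(","):
            src = SOURCE_RE.search(m.group("body"))
            allowed.add(src.group(1) if src else "0.0.0.0/0")
    return allowed

def missing_hosts(rules, required=REQUIRED, port="9696"):
    """{option: address} for required hosts with no matching ACCEPT rule."""
    allowed = allowed_sources(rules, port)
    def covered(addr):
        return "0.0.0.0/0" in allowed or addr in allowed or addr + "/32" in allowed
    return {opt: addr for opt, addr in required.items() if not covered(addr)}

if __name__ == "__main__":
    for opt, addr in missing_hosts(SAMPLE_RULES).items():
        print("no Neutron API (tcp/9696) access from %s=%s" % (opt, addr))
```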
Comment 1 Lars Kellogg-Stedman 2014-03-05 22:53:21 UTC
Patch submitted upstream.

