Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/

Bug 1073100

Summary: Packstack does not open iptables for horizon/client access to Neutron API
Product: [Community] RDO Reporter: Lars Kellogg-Stedman <lars>
Component: openstack-packstackAssignee: RHOS Maint <rhos-maint>
Status: CLOSED CURRENTRELEASE QA Contact: Ami Jeain <ajeain>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: aortega, derekh, mmagr, yeylon
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-packstack-2013.2.1-0.34.dev989.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-17 09:02:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lars Kellogg-Stedman 2014-03-05 18:48:27 UTC 
I'm using packstack to install RDO Havana on a five-node cluster with the following members:

- 10.15.0.3 compute0
- 10.15.0.4 compute1
- 10.15.0.7 storage0
- 10.15.0.5 storage1
- 10.15.0.6 controller
- 10.15.0.2 network

The system "network" runs neutron-server and neutron-*-agent; the
system "controller" runs everything other than nova-compute, including
Horizon.

After packstack finishes, the iptables rules on "network" look like
this:

    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N neutron-filter-top
    -N neutron-openvswi-FORWARD
    -N neutron-openvswi-INPUT
    -N neutron-openvswi-OUTPUT
    -N neutron-openvswi-local
    -N neutron-openvswi-sg-chain
    -N neutron-openvswi-sg-fallback
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
    -A INPUT -j neutron-openvswi-INPUT 
    -A INPUT -s 10.15.0.2/32 -p tcp -m multiport --dports 9696,67,68 -m comment --comment "001 neutron incoming 10.15.0.2" -j ACCEPT 
    -A INPUT -s 10.15.0.3/32 -p tcp -m multiport --dports 9696,67,68 -m comment --comment "001 neutron incoming 10.15.0.3" -j ACCEPT 
    -A INPUT -s 10.15.0.4/32 -p tcp -m multiport --dports 9696,67,68 -m comment --comment "001 neutron incoming 10.15.0.4" -j ACCEPT 
    -A FORWARD -j neutron-filter-top 
    -A FORWARD -j neutron-openvswi-FORWARD 
    -A OUTPUT -j neutron-filter-top 
    -A OUTPUT -j neutron-openvswi-OUTPUT 
    -A neutron-filter-top -j neutron-openvswi-local 
    -A neutron-openvswi-sg-fallback -j DROP 

Note the three rules that permit access to the Neutron API on port
96969; there are rules for each of the compute nodes (.3 and .4) and
for the local itself (.2), but there is no access permitted from
"controller".

This is a problem because both Horizon and the client tools expect to
run from this host, and any proxy access by nova-api will *also* run
through this host.
 
Rules should permit access from at least:

- CONFIG_HORIZON_HOST
- CONFIG_OSCLIENT_HOST
- CONFIG_NOVA_API_HOST
Comment 1 Lars Kellogg-Stedman 2014-03-05 22:53:21 UTC 
Patch submitted upstream.