Bug 1093981
| Summary: | Floating ips are not being used in iptables | | |
|---|---|---|---|
| Product: | [Community] RDO | Reporter: | Ofer Blaut <oblaut> |
| Component: | openstack-neutron | Assignee: | Jakub Libosvar <jlibosva> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Ofer Blaut <oblaut> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | chrisw, ihrachys, jlibosva, lpeer, oblaut, yeylon |
| Target Milestone: | --- | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-12-15 13:45:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

Issue is not reproduced with selinux disabled.

Works for me.
```
[root@localhost ~]# . keystonerc_demo
[root@localhost ~(keystone_demo)]# neutron port-create 65f48f03-9595-4667-a678-e33f8b662eab
Created a new port:
+-----------------------+---------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+---------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| device_id | |
| device_owner | |
| fixed_ips | {"subnet_id": "d6b0768b-32ce-4c41-8639-13483302a507", "ip_address": "10.0.0.2"} |
| id | 52f08b0b-29f3-4761-a8d6-5c8406b2b1ee |
| mac_address | fa:16:3e:14:73:1d |
| name | |
| network_id | 65f48f03-9595-4667-a678-e33f8b662eab |
| security_groups | c48d7ced-c250-476d-a0db-2db39dcf79fc |
| status | DOWN |
| tenant_id | 63001e7731c84842a666d57100636bd9 |
+-----------------------+---------------------------------------------------------------------------------+
[root@localhost ~(keystone_demo)]# neutron floatingip-create c37a7a4d-38a7-4a06-a093-004230a0cdbe
Created a new floatingip:
+---------------------+--------------------------------------+
| Field | Value |
+---------------------+--------------------------------------+
| fixed_ip_address | |
| floating_ip_address | 172.24.4.227 |
| floating_network_id | c37a7a4d-38a7-4a06-a093-004230a0cdbe |
| id | c43708ec-d6a0-4d26-8802-d4f0f8d04356 |
| port_id | |
| router_id | |
| status | ACTIVE |
| tenant_id | 63001e7731c84842a666d57100636bd9 |
+---------------------+--------------------------------------+
[root@localhost ~(keystone_demo)]# neutron floatingip-associate c43708ec-d6a0-4d26-8802-d4f0f8d04356 52f08b0b-29f3-4761-a8d6-5c8406b2b1ee
Associated floatingip c43708ec-d6a0-4d26-8802-d4f0f8d04356
[root@localhost ~(keystone_demo)]# ip netns exec qrouter-3c354bbc-7df8-472d-8f7c-a6c93a09a943 iptables -nL -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-PREROUTING all -- 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
neutron-l3-agent-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0
neutron-postrouting-bottom all -- 0.0.0.0/0 0.0.0.0/0
Chain neutron-l3-agent-OUTPUT (1 references)
target prot opt source destination
DNAT all -- 0.0.0.0/0 172.24.4.227 to:10.0.0.2
Chain neutron-l3-agent-POSTROUTING (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ! ctstate DNAT
Chain neutron-l3-agent-PREROUTING (1 references)
target prot opt source destination
DNAT all -- 0.0.0.0/0 172.24.4.227 to:10.0.0.2
Chain neutron-l3-agent-float-snat (1 references)
target prot opt source destination
SNAT all -- 10.0.0.2 0.0.0.0/0 to:172.24.4.227
Chain neutron-l3-agent-snat (1 references)
target prot opt source destination
neutron-l3-agent-float-snat all -- 0.0.0.0/0 0.0.0.0/0
SNAT all -- 10.0.0.0/24 0.0.0.0/0 to:172.24.4.226
Chain neutron-postrouting-bottom (1 references)
target prot opt source destination
neutron-l3-agent-snat all -- 0.0.0.0/0 0.0.0.0/0
[root@localhost ~(keystone_demo)]# rpm -qa | egrep "(iptables|python-neutron)"
iptables-services-1.4.21-13.el7.x86_64
iptables-1.4.21-13.el7.x86_64
python-neutron-2014.1-11.el7.noarch
python-neutronclient-2.3.4-1.el7.noarch
[root@localhost ~(keystone_demo)]# getenforce
Enforcing
```

Ofer,
Is it 100% reproducible?
Any chance this happened while other routers on network node were updated thus this was caused by a race?
Does your router interface contain the floating ip?
Can you see any AVC messages in /var/log/audit/audit.log?

No response for more than 7 months. I'm closing this bug for now. If the issue is reproducible, feel free to re-open.

Created attachment 892251 iptables

Description of problem:
Floating ips are not working in RDO M3 with RHEL7. User can configure floating ips but they don't appear in iptables nat table (attached logs).

Version-Release number of selected component (if applicable):
iptables-services-1.4.21-13.el7.x86_64
iptables-1.4.21-13.el7.x86_64
openstack-neutron-2014.1-11.el7.noarch

How reproducible:

Steps to Reproduce:
1. Configure setup with private and public network
2. Set floating ip and enable security groups
3. Try to access the VM
4. Check ip netns exec qrouter-xxxxx iptables -nL -t nat, look for the floating ip in DNAT tables

Actual results:

Expected results:

Additional info:
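
The check from step 4 of the report, as an added example that is not part of the bug report or of Neutron: a shell function that reads an `iptables -nL -t nat` listing and names which of the floating IP's NAT rules are missing. The function names and both sample listings are constructed here; the chain names and addresses are the ones shown in the terminal session above.

```bash
# check_floating_nat FLOATING_IP FIXED_IP   (reads `iptables -nL -t nat` on stdin)
# Succeeds only if the floating IP has DNAT rules in the l3-agent PREROUTING
# and OUTPUT chains and a matching SNAT rule in the float-snat chain.
check_floating_nat() {
    awk -v fip="$1" -v fixed="$2" '
        $1 == "Chain" { chain = $2; next }   # remember which chain we are in
        $1 == "DNAT" && $5 == fip && $NF == ("to:" fixed) {
            if (chain == "neutron-l3-agent-PREROUTING") pre = 1
            if (chain == "neutron-l3-agent-OUTPUT") out = 1
        }
        $1 == "SNAT" && $4 == fixed && $NF == ("to:" fip) {
            if (chain == "neutron-l3-agent-float-snat") snat = 1
        }
        END {
            if (!pre) print "missing DNAT in neutron-l3-agent-PREROUTING"
            if (!out) print "missing DNAT in neutron-l3-agent-OUTPUT"
            if (!snat) print "missing SNAT in neutron-l3-agent-float-snat"
            exit !(pre && out && snat)
        }'
}

# Constructed sample: listing with the floating IP rules present.
sample_ok() {
    cat <<'EOF'
Chain neutron-l3-agent-OUTPUT (1 references)
target prot opt source destination
DNAT all -- 0.0.0.0/0 172.24.4.227 to:10.0.0.2
Chain neutron-l3-agent-PREROUTING (1 references)
target prot opt source destination
DNAT all -- 0.0.0.0/0 172.24.4.227 to:10.0.0.2
Chain neutron-l3-agent-float-snat (1 references)
target prot opt source destination
SNAT all -- 10.0.0.2 0.0.0.0/0 to:172.24.4.227
Chain neutron-l3-agent-snat (1 references)
target prot opt source destination
neutron-l3-agent-float-snat all -- 0.0.0.0/0 0.0.0.0/0
SNAT all -- 10.0.0.0/24 0.0.0.0/0 to:172.24.4.226
EOF
}

# Constructed sample: same router, floating IP rules never applied
# (only the subnet-wide SNAT to the router gateway address remains).
sample_missing() { sample_ok | grep -v '172\.24\.4\.227'; }
```

On a network node, pipe the live listing in: `ip netns exec qrouter-<router-id> iptables -nL -t nat | check_floating_nat <floating-ip> <fixed-ip>`.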