Description of problem:
What I see is that firewalld has been disabled, and iptables is being used, however the usual reject at the end of the INPUT chain is missing. This means all ports are being accepted. Notice you will not see any port 22 in the INPUT but I can ssh to the system.

[root@ospha1 ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
   Active: inactive (dead)

[root@ospha1 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5672,35672,4369 /* 001 amqp incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 /* 001 apache incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8776 /* 001 cinder incoming */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5404,5405 /* 001 corosync mcast */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 3306,9200,4567,4568,4444 /* 001 galera incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9191,9292 /* 001 glance incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8000 /* 001 heat cfn incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8003 /* 001 heat cloudwatch incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8004 /* 001 heat incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5000,35357 /* 001 keystone incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 81 /* 001 load balancer incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8774,8775,6080,6081 /* 001 nova incoming */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 2224 /* 001 pcsd */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 873 /* 010 rsync incoming */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain nova-api-FORWARD (1 references)
target     prot opt source               destination

Chain nova-api-INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            10.19.139.31         tcp dpt:8775

Chain nova-api-OUTPUT (1 references)
target     prot opt source               destination

Chain nova-api-local (1 references)
target     prot opt source               destination

Chain nova-filter-top (2 references)
target     prot opt source               destination
nova-api-local  all  --  0.0.0.0/0            0.0.0.0/0
[root@ospha1 ~]#

Version-Release number of selected component (if applicable):
[root@ospha-inst ~]# yum list installed | grep -e puppet -e foreman
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
foreman.noarch                              1.6.0.21-1.el6sat        @RHEL-6-Server-OS-Foreman
foreman-installer.noarch                    1:1.5.0-0.4.RC2.el6ost
foreman-mysql2.noarch                       1.6.0.21-1.el6sat        @RHEL-6-Server-OS-Foreman
foreman-proxy.noarch                        1.6.0.8-1.el6sat         @RHEL-6-Server-OS-Foreman
foreman-selinux.noarch                      1.6.0.3-1.el6sat         @RHEL-6-Server-OS-Foreman
openstack-foreman-installer.noarch          2.0.16-1.el6ost          @RHEL-6-Server-OS-Foreman
openstack-puppet-modules.noarch             2014.1-19.1.el6ost       @RHEL-6-Server-OS-Foreman
puppet.noarch                               3.6.2-1.1.el6            @RHEL-6-Server-OS-Foreman
puppet-server.noarch                        3.6.2-1.1.el6            @RHEL-6-Server-OS-Foreman
ruby193-rubygem-foreman_openstack_simplify.noarch
rubygem-foreman_api.noarch                  0.1.11-4.el6sat          @RHEL-6-Server-OS-Foreman
rubygem-hammer_cli_foreman.noarch           0.1.0-6.el6sat           @RHEL-6-Server-OS-Foreman
rubygem-hammer_cli_foreman-doc.noarch
[root@ospha-inst ~]#

How reproducible:
Noticed on last couple of configs and posted mail. Seen with All-in-one HA, Nova Net Controller, Nova Net Compute.

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Lars, any idea if something has changed in RHEL 7 setup here? We have made no changes to how we set up our firewall rules between Havana/Icehouse and RHEL 6/7. Do you think this is likely something we need to work around/add, or something missing from the firewall puppet module related to RHEL 7 + firewalld as the default?
We are never explicitly creating a default REJECT rule in the firewall. The puppet "firewall" module preserves the pre-existing firewall configuration. If I start with:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3609:260737]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

And then run packstack --allinone, I end up with:

-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 8777 -m comment --comment "001 ceilometer-api incoming ceilometer_api" -j ACCEPT
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -j nova-api-INPUT
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_172.16.0.18" -j ACCEPT
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_172.16.0.18" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon 80 incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming keystone" -j ACCEPT
-A INPUT -i lo -p tcp -m multiport --dports 27017 -m comment --comment "001 mongodb incoming localhost" -j ACCEPT
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_172.16.0.18" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 nagios incoming" -j ACCEPT
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 5666 -m comment --comment "001 nagios-nrpe incoming nagios_nrpe" -j ACCEPT
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 67 -m comment --comment "001 neutron dhcp in incoming neutron_dhcp_in_172.16.0.18_172.16.0.18" -j ACCEPT
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 9696 -m comment --comment "001 neutron server incoming neutron_server_172.16.0.18_172.16.0.18" -j ACCEPT
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 5900:5999 -m comment --comment "001 nova compute incoming nova_compute" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 qpid incoming qpid_172.16.0.18" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080 -m comment --comment "001 swift proxy incoming" -j ACCEPT
-A INPUT -s 172.16.0.18/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_172.16.0.18" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

But if I start with an empty firewall table, I don't automatically get a default REJECT rule.
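As an added check (not code from this bug or from the astapor/puppet firewall module), the script below reads `iptables-save` / `iptables -S` output and reports whether a chain is closed by a DROP/REJECT policy or by an unconditional deny rule, which is exactly what the empty-table case above lacks. It reads the save format rather than `iptables -nL` because the plain `-nL` listing drops interface matches, so the `-i lo` accept shows up there as a bare `ACCEPT all -- 0.0.0.0/0 0.0.0.0/0` that looks like an accept-everything rule; the sample rule sets are constructed, trimmed from the shapes shown in this bug.

```python
import shlex

# Targets that close a chain. Input is `iptables-save` / `iptables -S` form,
# which unlike `iptables -nL` without -v still shows interface matches (-i lo).
DENY_TARGETS = {"DROP", "REJECT"}


def parse_rules(text):
    """Return ({chain: policy}, {chain: [rule tokens after the chain name]})."""
    policies, rules = {}, {}
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("-P "):
            _, chain, policy = line.split()
            policies[chain] = policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)  # keeps quoted --comment text together
            rules.setdefault(tokens[1], []).append(tokens[2:])
    return policies, rules


def is_unconditional_deny(tokens):
    """True for `-j DROP` / `-j REJECT [--reject-with ...]` with no match options."""
    if "-j" not in tokens:
        return False
    j = tokens.index("-j")
    # Anything before -j (-p, -s, -i, -m state ...) makes the rule conditional.
    return tokens[j + 1] in DENY_TARGETS and not tokens[:j]


def audit_chain(text, chain="INPUT"):
    """Return (status, shadowed): 'policy' when the chain policy is DROP/REJECT,
    'terminal-rule' when an unconditional deny rule exists (shadowed = number
    of rules after it that can never match), else 'open'."""
    policies, rules = parse_rules(text)
    if policies.get(chain, "ACCEPT") in DENY_TARGETS:
        return "policy", 0
    chain_rules = rules.get(chain, [])
    for i, tokens in enumerate(chain_rules):
        if is_unconditional_deny(tokens):
            return "terminal-rule", len(chain_rules) - i - 1
    return "open", 0


# Constructed samples, trimmed from the two shapes shown in this bug.
CLOSED = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
OPEN = """\
-P INPUT ACCEPT
-A INPUT -j nova-api-INPUT
-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming" -j ACCEPT
"""
```

On a live host, `audit_chain(subprocess.check_output(["iptables", "-S", "INPUT"], text=True))` returning `("open", 0)` is the condition this bug describes; a non-zero shadowed count means ACCEPT rules were appended after the REJECT and are dead.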
Would it make sense to run "iptables-save > /etc/sysconfig/iptables" prior to disabling firewalld? That would in theory preserve the existing firewalld-generated configuration.
Here's the solution with iptables-save. The problem is that iptables rules created by firewalld are more complex than we need for this use case (some custom chains, often empty etc.), but if we disable firewalld we can no longer manage the complex rules via firewall-cmd. https://github.com/redhat-openstack/astapor/pull/328 Here's another solution which recreates the default rules using puppet: https://github.com/redhat-openstack/astapor/pull/329 I'm leaning a bit towards the latter, we'll see what others think.
This may be solved by eck's plan to change for kickstart to not include firewalld to begin with, so I think we should track the outcome of https://bugzilla.redhat.com/show_bug.cgi?id=1125075 and then decide how to proceed here.
Is this still a problem now that 1125075 is fixed?
Yes, still a problem. jistr posted a patch here: https://github.com/redhat-openstack/astapor/pull/329 which I just tested and merged.
Verified: FailedQA with rhel-osp-installer-0.1.10-2.el6ost.noarch

Environment:
rhel-osp-installer-0.1.10-2.el6ost.noarch
openstack-foreman-installer-2.0.21-1.el6ost.noarch
ruby193-rubygem-foreman_openstack_simplify-0.0.6-8.el6ost.noarch
openstack-puppet-modules-2014.1-20.1.el6ost.noarch

As you can see below - no reject rule and the default is ACCEPT.

[root@staypuft yum.repos.d]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             multiport ports ssh /* 22 accept - ssh */
ACCEPT     tcp  --  anywhere             anywhere             multiport ports https /* 443 accept - apache */
ACCEPT     tcp  --  anywhere             anywhere             multiport ports domain /* 53 accept - dns tcp */
ACCEPT     udp  --  anywhere             anywhere             multiport ports domain /* 53 accept - dns udp */
ACCEPT     udp  --  anywhere             anywhere             multiport ports bootps /* 67 accept - dhcp */
ACCEPT     udp  --  anywhere             anywhere             multiport ports bootpc /* 68 accept - bootp */
ACCEPT     udp  --  anywhere             anywhere             multiport ports tftp /* 69 accept - tftp */
ACCEPT     tcp  --  anywhere             anywhere             multiport ports http /* 80 accept - apache */
ACCEPT     tcp  --  anywhere             anywhere             multiport ports 8140 /* 8140 accept - puppetmaster */
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:sunrpc
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:sunrpc
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:32803
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:filenet-rpc
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:xinupageserver
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:xinupageserver
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pftp
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:pftp
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:892
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:892
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:rquotad
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:rquotad
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:nfs
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:nfs
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:tftp
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:8140
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:8140
This bug is for the EL7 hosts we're deploying RHEL-OSP to, not the el6 host running Foreman.
Verified: rhel-osp-installer-0.1.10-2.el6ost.noarch

On controller:
[root@maca25400868097 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
nova-network-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-metadat-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
nova-compute-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5900:5999 /* 001 nova compute incoming */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
nova-network-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-metadat-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0
nova-compute-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
nova-network-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-metadat-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0
nova-compute-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain nova-api-metadat-FORWARD (1 references)
target     prot opt source               destination

Chain nova-api-metadat-INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.32.3         tcp dpt:8775

Chain nova-api-metadat-OUTPUT (1 references)
target     prot opt source               destination

Chain nova-api-metadat-local (1 references)
target     prot opt source               destination

Chain nova-compute-FORWARD (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0              255.255.255.255      udp spt:68 dpt:67

Chain nova-compute-INPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0              255.255.255.255      udp spt:68 dpt:67

Chain nova-compute-OUTPUT (1 references)
target     prot opt source               destination

Chain nova-compute-local (1 references)
target     prot opt source               destination

Chain nova-compute-provider (0 references)
target     prot opt source               destination

Chain nova-compute-sg-fallback (0 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain nova-filter-top (2 references)
target     prot opt source               destination
nova-network-local  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-metadat-local  all  --  0.0.0.0/0            0.0.0.0/0
nova-compute-local  all  --  0.0.0.0/0            0.0.0.0/0

Chain nova-network-FORWARD (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain nova-network-INPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53

Chain nova-network-OUTPUT (1 references)
target     prot opt source               destination

Chain nova-network-local (1 references)
target     prot opt source               destination

On compute:
[root@maca25400868096 ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
nova-network-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-metadat-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5900:5999 /* 001 nova compute incoming */
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
nova-network-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-metadat-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
nova-filter-top  all  --  0.0.0.0/0            0.0.0.0/0
nova-network-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-metadat-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain nova-api-metadat-FORWARD (1 references)
target     prot opt source               destination

Chain nova-api-metadat-INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.100.254      tcp dpt:8775

Chain nova-api-metadat-OUTPUT (1 references)
target     prot opt source               destination

Chain nova-api-metadat-local (1 references)
target     prot opt source               destination

Chain nova-filter-top (2 references)
target     prot opt source               destination
nova-network-local  all  --  0.0.0.0/0            0.0.0.0/0
nova-api-metadat-local  all  --  0.0.0.0/0            0.0.0.0/0

Chain nova-network-FORWARD (1 references)
target     prot opt source               destination

Chain nova-network-INPUT (1 references)
target     prot opt source               destination

Chain nova-network-OUTPUT (1 references)
target     prot opt source               destination

Chain nova-network-local (1 references)
target     prot opt source               destination
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1090.html
I finally installed, things looked reasonable to me