Bug 1191536 - Network traffic from overcloud to internet/outside is blocked by undercloud’s iptables filter
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tuskar
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ga
: Director
Assignee: Jay Dobies
QA Contact: Eran Kuris
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-02-11 13:23 UTC by Marek Aufart
Modified: 2015-08-05 13:50 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-05 13:50:17 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2015:1549 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform director Release 2015-08-05 17:49:10 UTC

Description Marek Aufart 2015-02-11 13:23:13 UTC
Description of problem:
Internet or outside networks are not accessible from the overcloud machine.
Also, ping to the DNS defined in /etc/resolv.conf is not possible.

Version-Release number of selected component (if applicable):

How reproducible: Consistent

Steps to Reproduce: Follow https://mojo.redhat.com/docs/DOC-1010112, deploy overcloud, connect to some controller machine, try ping 8.8.8.8, yum install or ping outside

Actual results:
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.0.2.1 icmp_seq=1 Destination Host Prohibited

Expected results:
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=5.46 ms

Additional info:

Possible solution or workaround: on undercloud: sudo iptables -I FORWARD 5 -s 192.0.2.0/24 -j ACCEPT -m comment --comment forward_from_undercloud
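
The "Destination Host Prohibited" reply is what a `REJECT --reject-with icmp-host-prohibited` rule sends, and the workaround only helps if its ACCEPT rule lands ahead of that rule, which `-I FORWARD 5` does not guarantee. The following check is an added example, not part of the original report; the function name `forward_verdict` and the sample rulesets are constructed for illustration and are not the undercloud's actual rules.

```shell
#!/bin/sh
# Added example, not from the bug report. Sample rules below are constructed.
# Reads `iptables -S FORWARD` output on stdin and prints the first verdict a
# new packet from source subnet $1 reaches: ACCEPT, REJECT, DROP or POLICY.
# Assumption: only rules matching on source alone (or on nothing) are counted;
# rules with any other match option are skipped because they may not match.
forward_verdict() {
    awk -v net="$1" '
    $1 != "-A" || $2 != "FORWARD" { next }      # ignore -P / -N lines
    {
        src = ""; target = ""; other = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = $(++i)
            else if ($i == "-j") target = $(++i)
            else if ($i == "--reject-with" || $i == "--comment") i++
            else if ($i == "-m" && $(i + 1) == "comment") i++
            else other = 1                      # state, interface, proto...
        }
        if (other || (src != "" && src != net)) next
        if (target ~ /^(ACCEPT|REJECT|DROP)$/) { print target; found = 1; exit }
    }
    END { if (!found) print "POLICY" }'
}

# Constructed rulesets in `iptables -S` format (comment text without spaces).
base='-P FORWARD ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
reject='-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
fix='-A FORWARD -s 192.0.2.0/24 -m comment --comment forward_from_undercloud -j ACCEPT'

sample_before()    { printf '%s\n' "$base" "$reject"; }         # as reported
sample_after()     { printf '%s\n' "$base" "$fix" "$reject"; }  # fix before REJECT
sample_misplaced() { printf '%s\n' "$base" "$reject" "$fix"; }  # fix after REJECT

echo "before:    $(sample_before | forward_verdict 192.0.2.0/24)"
echo "after:     $(sample_after | forward_verdict 192.0.2.0/24)"
echo "misplaced: $(sample_misplaced | forward_verdict 192.0.2.0/24)"
```

On a live undercloud the same function can be fed with `sudo iptables -S FORWARD | forward_verdict 192.0.2.0/24`.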

Comment 4 chris alfonso 2015-06-15 19:24:00 UTC
Marek, Is this still an issue?

Comment 6 Marek Aufart 2015-06-17 12:41:57 UTC
Not an issue anymore. Tested with installation from docs at https://repos.fedorapeople.org/repos/openstack-m/docs/master/ and works fine.

Comment 7 Eran Kuris 2015-07-02 13:02:10 UTC
Verified on:
RHEL-OSP director puddle 7.0 RC puddle 2015-06-29-1
[stack@instack ~]$ rpm -qa |grep neutron 
openstack-neutron-common-2015.1.0-10.el7ost.noarch
python-neutronclient-2.4.0-1.el7ost.noarch
python-neutron-2015.1.0-10.el7ost.noarch
openstack-neutron-openvswitch-2015.1.0-10.el7ost.noarch
openstack-neutron-2015.1.0-10.el7ost.noarch
openstack-neutron-ml2-2015.1.0-10.el7ost.noarch
[stack@instack ~]$ rpm -qa |grep tuskar
python-tuskarclient-0.1.18-3.el7ost.noarch
openstack-tuskar-0.4.18-3.el7ost.noarch
openstack-tuskar-ui-extras-0.0.4-1.el7ost.noarch
openstack-tuskar-ui-0.3.0-6.el7ost.noarch



Original contents retained as /home/stack/.ssh/known_hosts.old
PKI initialization in init-keystone is deprecated and will be removed.
Warning: Permanently added '10.0.0.4' (ECDSA) to the list of known hosts.
The following cert files already exist, use --rebuild to remove the existing files before regenerating:
/etc/keystone/ssl/certs/ca.pem already exists
/etc/keystone/ssl/private/signing_key.pem already exists
/etc/keystone/ssl/certs/signing_cert.pem already exists
Connection to 10.0.0.4 closed.
Overcloud Endpoint: http://10.0.0.4:5000/v2.0/
Overcloud Deployed
[stack@instack ~]$ nova list 
+--------------------------------------+------------------------+--------+------------+-------------+---------------------+
| ID                                   | Name                   | Status | Task State | Power State | Networks            |
+--------------------------------------+------------------------+--------+------------+-------------+---------------------+
| 1ea1d8f6-f3f2-4e53-b0d6-5d7be143f679 | overcloud-compute-0    | ACTIVE | -          | Running     | ctlplane=192.0.2.16 |
| 29ce3b37-412c-4e21-a9b2-ff6e2370a459 | overcloud-controller-0 | ACTIVE | -          | Running     | ctlplane=192.0.2.17 |
+--------------------------------------+------------------------+--------+------------+-------------+---------------------+
[stack@instack ~]$ ssh heat-admin@192.0.2.17
The authenticity of host '192.0.2.17 (192.0.2.17)' can't be established.
ECDSA key fingerprint is 7e:f2:40:23:5b:85:ef:cf:b4:25:c7:bd:14:eb:cb:60.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.0.2.17' (ECDSA) to the list of known hosts.
Last login: Thu Jul  2 08:28:55 2015 from 10.0.0.251
[heat-admin@overcloud-controller-0 ~]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=48 time=89.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=48 time=91.1 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=48 time=89.0 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 89.044/90.025/91.182/0.947 ms
[heat-admin@overcloud-controller-0 ~]$ exit
logout
Connection to 192.0.2.17 closed.
[stack@instack ~]$ ssh heat-admin@192.0.2.16
The authenticity of host '192.0.2.16 (192.0.2.16)' can't be established.
ECDSA key fingerprint is f1:07:70:9f:e7:c5:d6:a2:3f:f1:e2:5d:15:2f:c8:29.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.0.2.16' (ECDSA) to the list of known hosts.
[heat-admin@overcloud-compute-0 ~]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=48 time=88.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=48 time=89.1 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms

Comment 9 errata-xmlrpc 2015-08-05 13:50:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1549

