Bug 1195258 - Packstack doesn't set firewall so vxlan traffic can be received in multinode setup
Summary: Packstack doesn't set firewall so vxlan traffic can be received in multinode ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-packstack
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: z2
: 6.0 (Juno)
Assignee: Lukas Bezdicka
QA Contact: Eran Kuris
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-02-23 13:43 UTC by Richard W.M. Jones
Modified: 2023-02-22 23:02 UTC (History)
10 users (show)

Fixed In Version: openstack-packstack-2014.2-0.17.dev1462.gbb05296.el7ost
Doc Type: Bug Fix
Doc Text:
When using Packstack in a multi-node configuration, VXLAN ports (4789) on the firewall were not open for the other nodes. As a result, openvswitch did not function properly. With this update, this issue has been addressed by opening the port 4789 on all compute and network nodes.
Clone Of:
Environment:
Last Closed: 2015-04-07 15:10:32 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 159414 0 None None None Never
Red Hat Product Errata RHSA-2015:0789 0 normal SHIPPED_LIVE Important: openstack-packstack and openstack-puppet-modules security and bug fix update 2015-04-07 19:08:02 UTC

Description Richard W.M. Jones 2015-02-23 13:43:40 UTC 
Description of problem:

When using packstack in a multi-node configuration, VXLAN
ports (4789) on the firewall are not opened up for the other
nodes.  As a result, openvswitch doesn't function.

I have a 3 node setup with IP addresses:
10.16.184.117 (control)
10.16.184.118 (compute)
10.16.184.119 (compute)

On the control node:

# iptables -S | grep 4789
-A INPUT -s 10.16.184.117/32 -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel_10.16.184.117_10.16.184.117" -j ACCEPT

but there should be rules for .118 and .119 as well.

The compute nodes have the same single rule, but that's
probably correct, provided the compute nodes don't have to
talk to each other.

I should note there are many similar bugs, but all closed, so
this might be a regression:
bug 1021778 bug 1100993 bug 1111640 bug 1174001

Also SELinux is disabled.

Version-Release number of selected component (if applicable):

openstack-packstack-2014.2-0.15.dev1401.gdd19d48.aa7a.noarch

How reproducible:

100%

Steps to Reproduce:
1. Run packstack in a multi-node configuration.

Additional info:

May be worked around by adding the rules manually:

iptables -I INPUT 3 -s 10.16.184.118/32 -p udp -m multiport --dports 4789 -j ACCEPT
iptables -I INPUT 4 -s 10.16.184.119/32 -p udp -m multiport --dports 4789 -j ACCEPT
Comment 7 Eran Kuris 2015-03-15 09:18:59 UTC 
The bug was verified and it does not reproduced in the flowing version:
# rpm -qa |grep openstack-packstack
openstack-packstack-2014.2-0.17.dev1462.gbb05296.el7ost.noarch
openstack-packstack-puppet-2014.2-0.17.dev1462.gbb05296.el7ost.noarch

I created multi-node environment and verified that iptables configured as expected and VM's in each node can access and communicate as well .
1. # iptables -S | grep 4789
-A INPUT -s 10.35.160.39/32 -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel_10.35.160.39_10.35.160.39" -j ACCEPT
-A INPUT -s 10.35.160.41/32 -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel_10.35.160.39_10.35.160.41" -j ACCEPT

2.VM1 in node 10.35.160.39 can access to VM2 in node 10.35.160.41 and vice versa. 
All VM's can full access to all network devices / components (DHCP & Router)
Comment 10 errata-xmlrpc 2015-04-07 15:10:32 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0789.html
Note You need to log in before you can comment on or make changes to this bug.