Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1195258 - Packstack doesn't set firewall so vxlan traffic can be received in multinode setup
Packstack doesn't set firewall so vxlan traffic can be received in multinode ...
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-packstack (Show other bugs)
unspecified
Unspecified Unspecified
unspecified Severity unspecified
: z2
: 6.0 (Juno)
Assigned To: Lukas Bezdicka
Eran Kuris
: Regression, ZStream
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-02-23 08:43 EST by Richard W.M. Jones
Modified: 2015-04-07 11:10 EDT (History)
11 users (show)

See Also:
Fixed In Version: openstack-packstack-2014.2-0.17.dev1462.gbb05296.el7ost
Doc Type: Bug Fix
Doc Text:
When using Packstack in a multi-node configuration, VXLAN ports (4789) on the firewall were not open for the other nodes. As a result, openvswitch did not function properly. With this update, this issue has been addressed by opening the port 4789 on all compute and network nodes.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-04-07 11:10:32 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 159414 None None None Never
Red Hat Product Errata RHSA-2015:0789 normal SHIPPED_LIVE Important: openstack-packstack and openstack-puppet-modules security and bug fix update 2015-04-07 15:08:02 EDT

  None (edit)
Description Richard W.M. Jones 2015-02-23 08:43:40 EST 
Description of problem:

When using packstack in a multi-node configuration, VXLAN
ports (4789) on the firewall are not opened up for the other
nodes.  As a result, openvswitch doesn't function.

I have a 3 node setup with IP addresses:
10.16.184.117 (control)
10.16.184.118 (compute)
10.16.184.119 (compute)

On the control node:

# iptables -S | grep 4789
-A INPUT -s 10.16.184.117/32 -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel_10.16.184.117_10.16.184.117" -j ACCEPT

but there should be rules for .118 and .119 as well.

The compute nodes have the same single rule, but that's
probably correct, provided the compute nodes don't have to
talk to each other.

I should note there are many similar bugs, but all closed, so
this might be a regression:
bug 1021778 bug 1100993 bug 1111640 bug 1174001

Also SELinux is disabled.

Version-Release number of selected component (if applicable):

openstack-packstack-2014.2-0.15.dev1401.gdd19d48.aa7a.noarch

How reproducible:

100%

Steps to Reproduce:
1. Run packstack in a multi-node configuration.

Additional info:

May be worked around by adding the rules manually:

iptables -I INPUT 3 -s 10.16.184.118/32 -p udp -m multiport --dports 4789 -j ACCEPT
iptables -I INPUT 4 -s 10.16.184.119/32 -p udp -m multiport --dports 4789 -j ACCEPT
Comment 7 Eran Kuris 2015-03-15 05:18:59 EDT 
The bug was verified and it does not reproduced in the flowing version:
# rpm -qa |grep openstack-packstack
openstack-packstack-2014.2-0.17.dev1462.gbb05296.el7ost.noarch
openstack-packstack-puppet-2014.2-0.17.dev1462.gbb05296.el7ost.noarch

I created multi-node environment and verified that iptables configured as expected and VM's in each node can access and communicate as well .
1. # iptables -S | grep 4789
-A INPUT -s 10.35.160.39/32 -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel_10.35.160.39_10.35.160.39" -j ACCEPT
-A INPUT -s 10.35.160.41/32 -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel_10.35.160.39_10.35.160.41" -j ACCEPT

2.VM1 in node 10.35.160.39 can access to VM2 in node 10.35.160.41 and vice versa. 
All VM's can full access to all network devices / components (DHCP & Router)
Comment 10 errata-xmlrpc 2015-04-07 11:10:32 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0789.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.