Bug 1215638 - Packstack adds neutron tunnels iptables rules to the wrong interface (VXLAN / GRE)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-puppet-modules
Version: 6.0 (Juno)
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: ga
Target Release: 7.0 (Kilo)
Assignee: Martin Magr
QA Contact: Roey Dekel
URL:
Whiteboard:
Duplicates: 1188366
Depends On:
Blocks: 1230010 1230022
Reported: 2015-04-27 11:21 UTC by Roey Dekel
Modified: 2023-02-22 23:02 UTC

Fixed In Version: openstack-packstack-2015.1-0.3.dev1565.gd1211af.el7ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1230010
Environment:
Last Closed: 2015-08-05 13:22:57 UTC
Target Upstream Version:
Embargoed:
pm-rhel: automate_bug+


Attachments
answer file used for packstack installation (29.71 KB, text/plain), 2015-04-27 11:21 UTC, Roey Dekel


Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 189682 | 0 | None | None | None | Never
Red Hat Product Errata | RHEA-2015:1548 | 0 | normal | SHIPPED_LIVE | Red Hat Enterprise Linux OpenStack Platform Enhancement Advisory | 2015-08-05 17:07:06 UTC

Description Roey Dekel 2015-04-27 11:21:29 UTC
Created attachment 1019297
answer file used for packstack installation

Description of problem:
Packstack added wrong rules to iptables for neutron tunnel. The added rules were related to the network attached to CONFIG_NOVA_NETWORK_PUBIF and not to the network related to CONFIG_NEUTRON_OVS_TUNNEL_IF.

Version-Release number of selected component (if applicable):
openstack-neutron-2014.2.3-2.el7ost.noarch
openstack-packstack-2014.2-0.23.dev1468.gd049ea9.el7ost.noarch

How reproducible:

[root@controller ~(keystone_admin)]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:38:0d:0d brd ff:ff:ff:ff:ff:ff
    inet 10.35.187.57/23 brd 10.35.187.255 scope global dynamic eth0
       valid_lft 79754sec preferred_lft 79754sec
    inet6 fe80::f816:3eff:fe38:d0d/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:9a:f0:de brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f816:3eff:fe9a:f0de/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:f0:b7:49 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.19/24 brd 192.168.0.255 scope global dynamic eth2
       valid_lft 79754sec preferred_lft 79754sec
    inet6 fe80::f816:3eff:fef0:b749/64 scope link 
       valid_lft forever preferred_lft forever

[root@controller ~(keystone_admin)]# grep eth0 answer_file_current 
CONFIG_NOVA_NETWORK_PUBIF=eth0

[root@controller ~(keystone_admin)]# grep eth2 answer_file_current 
# linuxbridge plugin (eg. physnet1:eth1,physnet2:eth2,physnet3:eth3)
# openvswitch plugin (eg. physnet1:br-eth1,physnet2:br-eth2,physnet3
CONFIG_NEUTRON_OVS_TUNNEL_IF=eth2

[root@controller ~(keystone_admin)]# iptables -nL | grep neutron_tunnel
ACCEPT     udp  --  10.35.187.58         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.187.57_10.35.187.58 */
ACCEPT     udp  --  10.35.187.59         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.187.57_10.35.187.59 */
ACCEPT     udp  --  10.35.187.60         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.187.57_10.35.187.60 */
ACCEPT     udp  --  10.35.187.61         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.187.57_10.35.187.61 */

Steps to Reproduce:
1. Run packstack with attached answer-file
2. iptables -nL | grep neutron_tunnel

Actual results:
As described above - rules were added for the wrong network, causing connection problems to VMs.

Expected results:
Rules added to tunnel related network.

Comment 10 Roey Dekel 2015-06-14 10:51:48 UTC
Verified on Kilo with:

Version-Release number of selected component:
---------------------------------------------
Puddle: 2015-06-12.1
openstack-packstack-2015.1-0.3.dev1565.gd1211af.el7ost.noarch

Steps to Reproduce as described in the Description.

Results:
--------
As expected:

[root@controller ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:0a:8c:1f brd ff:ff:ff:ff:ff:ff
    inet 10.35.186.60/23 brd 10.35.187.255 scope global dynamic eth0
       valid_lft 79443sec preferred_lft 79443sec
    inet6 fe80::f816:3eff:fe0a:8c1f/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:09:5e:78 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f816:3eff:fe09:5e78/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether fa:16:3e:cf:cc:1e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.49/24 brd 192.168.0.255 scope global dynamic eth2
       valid_lft 79443sec preferred_lft 79443sec
    inet6 fe80::f816:3eff:fecf:cc1e/64 scope link 
       valid_lft forever preferred_lft forever

[root@controller ~]# iptables -nL | grep neutron_tunnel
ACCEPT     udp  --  192.168.0.50         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.186.60_10.35.186.61 */
ACCEPT     udp  --  192.168.0.51         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.186.60_10.35.186.62 */
ACCEPT     udp  --  192.168.0.52         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.186.60_10.35.186.63 */
ACCEPT     udp  --  192.168.0.53         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.186.60_10.35.186.64 */

Comments:
---------
Neutron tunnel udp ports were allowed on all hosts as expected.
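
Added example (not part of the original bug report, and not Packstack code): a Python check that resolves CONFIG_NEUTRON_OVS_TUNNEL_IF to its IPv4 network and flags any neutron_tunnel rule whose source address lies outside it. The function names are hypothetical; the sample strings are lines taken from the outputs quoted above, with the `ip a` lines from the Description host, whose eth2 is on the same 192.168.0.0/24 network as the Comment 10 host.

```python
import ipaddress
import re

# Sample input: lines taken from the outputs quoted in this report, trimmed.
ANSWER_FILE = """\
CONFIG_NOVA_NETWORK_PUBIF=eth0
# linuxbridge plugin (eg. physnet1:eth1,physnet2:eth2,physnet3:eth3)
CONFIG_NEUTRON_OVS_TUNNEL_IF=eth2
"""
IP_A = """\
    inet 10.35.187.57/23 brd 10.35.187.255 scope global dynamic eth0
    inet 192.168.0.19/24 brd 192.168.0.255 scope global dynamic eth2
"""
RULES_DESCRIPTION = """\
ACCEPT     udp  --  10.35.187.58         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.187.57_10.35.187.58 */
ACCEPT     udp  --  10.35.187.59         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.187.57_10.35.187.59 */
"""
RULES_COMMENT_10 = """\
ACCEPT     udp  --  192.168.0.50         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.186.60_10.35.186.61 */
ACCEPT     udp  --  192.168.0.51         0.0.0.0/0            multiport dports 4789 /* 001 neutron tunnel port incoming neutron_tunnel_10.35.186.60_10.35.186.62 */
"""

def tunnel_interface(answer_file):
    # Exact key match; commented lines that merely mention eth2 are ignored.
    for line in answer_file.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "CONFIG_NEUTRON_OVS_TUNNEL_IF":
            return value.strip()
    raise ValueError("CONFIG_NEUTRON_OVS_TUNNEL_IF is not set")

def interface_networks(ip_a, ifname):
    # IPv4 networks on ifname, from the "inet ADDR/LEN ... IFNAME" lines of `ip a`.
    found = re.findall(r"^[ \t]+inet (\S+) .* (\S+)[ \t]*$", ip_a, re.M)
    return [ipaddress.ip_interface(a).network for a, dev in found if dev == ifname]

def misplaced_tunnel_rules(iptables_nl, networks):
    # Sources of neutron_tunnel rules that fall outside every tunnel network.
    bad = []
    for line in iptables_nl.splitlines():
        fields = line.split()
        if "neutron_tunnel" in line and len(fields) > 3:
            src = ipaddress.ip_network(fields[3], strict=False)  # source column
            if not any(src.subnet_of(n) for n in networks):
                bad.append(fields[3])
    return bad

def check(answer_file, ip_a, iptables_nl):
    nets = interface_networks(ip_a, tunnel_interface(answer_file))
    return misplaced_tunnel_rules(iptables_nl, nets)
```

On a live node the three arguments would be the answer file contents, the output of `ip a`, and the output of `iptables -nL`; an empty list means every tunnel rule is scoped to the tunnel network.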

Comment 11 Ivan Chavero 2015-06-18 19:31:58 UTC
*** Bug 1188366 has been marked as a duplicate of this bug. ***

Comment 13 errata-xmlrpc 2015-08-05 13:22:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1548

