Bug 1226376 - Neutron API port not allowed in firewall rules on undercloud
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: instack-undercloud
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: y1
Target Release: 7.0 (Kilo)
Assignee: James Slagle
QA Contact: Marius Cornea
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-05-29 15:10 UTC by Marius Cornea
Modified: 2023-02-22 23:02 UTC

Fixed In Version: instack-undercloud-2.1.2-24.el7ost
Doc Type: Bug Fix
Doc Text:
The director's iptables previously denied port 9696. This rejected all requests to the Neutron API except for those coming from localhost. This fix adds an iptables rule to accept TCP traffic for port 9696. Remote connections now have access to the Neutron API.
Clone Of:
Environment:
Last Closed: 2015-10-08 12:08:49 UTC
Target Upstream Version:
Embargoed:


Attachments
iptables output (3.74 KB, text/plain)
2015-05-29 15:10 UTC, Marius Cornea


Links
System ID Private Priority Status Summary Last Updated
Gerrithub.io 243556 0 None None None Never
Red Hat Product Errata RHSA-2015:1862 0 normal SHIPPED_LIVE Moderate: Red Hat Enterprise Linux OpenStack Platform 7 director update 2015-10-08 16:05:50 UTC

Description Marius Cornea 2015-05-29 15:10:29 UTC
Created attachment 1032141
iptables output

Description of problem:
The Neutron API port (9696) is not allowed in firewall rules deployed on the undercloud node.


Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.4-2.el7ost.noarch
openstack-tripleo-image-elements-0.9.3-1.el7ost.noarch
openstack-tripleo-common-0.0.0.post4-1.el7ost.noarch
openstack-tripleo-puppet-elements-0.0.1.dev55-1.el7ost.noarch
openstack-tripleo-0.0.5-999.el7ost.noarch
instack-undercloud-2.1.0-3.el7ost.noarch
instack-0.0.6-5.el7ost.noarch


How reproducible:
100%

Steps to Reproduce:
1. Install undercloud
2. sudo iptables -nL
3.

Actual results:
None of the rules match tcp port 9696

Expected results:
Connections to tcp port 9696 are allowed.

Additional info:
Output of iptables -nL attached.

Comment 5 Amit Ugol 2015-09-07 12:42:15 UTC
On latest version:
$  sudo iptables -nL | grep 9696
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9696
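
A plain `grep 9696` over `iptables -nL` also matches a REJECT rule, a port such as 19696, or an ACCEPT rule placed after a catch-all REJECT. The following is an added example (not from this bug report or from instack-undercloud) that walks the INPUT chain in rule order instead; `port_verdict` is a hypothetical helper name and both listings are constructed samples, not the attachment from this bug.

```shell
#!/bin/sh
# port_verdict PORT: read `iptables -nL` output on stdin and print what the
# INPUT chain does with a new TCP connection to PORT from any source.
# Limits: jumps to user-defined chains and multiport matches are not followed.
port_verdict() {
    awk -v port="$1" '
        $1 == "Chain" {                 # header, e.g. "Chain INPUT (policy ACCEPT)"
            in_input = ($2 == "INPUT")
            if (in_input) { policy = $4; sub(/\)/, "", policy) }
            next
        }
        !in_input || $1 == "target" || NF < 5 { next }
        $4 != "0.0.0.0/0" || $5 != "0.0.0.0/0" { next }   # only any-to-any rules
        $1 != "ACCEPT" && $1 != "DROP" && $1 != "REJECT" { next }
        $2 == "tcp" {                   # first exact dpt:PORT rule decides
            for (i = 6; i <= NF; i++)
                if ($i == "dpt:" port) { print $1; hit = 1; exit }
            next
        }
        # A catch-all DROP/REJECT ends the walk. "ACCEPT all" rules are skipped:
        # -nL hides interface matches, so a loopback-only rule looks unconditional.
        $2 == "all" && $1 != "ACCEPT" && (NF == 5 || $6 == "reject-with") {
            print $1; hit = 1; exit
        }
        END { if (!hit) print "POLICY:" policy }
    '
}

# Constructed listing without a rule for 9696.
sample_before() { cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
EOF
}
# Constructed listing with the ACCEPT rule for 9696 ahead of the catch-all REJECT.
sample_after() { cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9696
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
EOF
}
echo "before: $(sample_before | port_verdict 9696)"
echo "after:  $(sample_after | port_verdict 9696)"
```

On a live undercloud the same function can be fed with `sudo iptables -nL | port_verdict 9696`.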

Comment 7 errata-xmlrpc 2015-10-08 12:08:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1862

