Description of problem:
Missing 13000 port on firewall and iptables list
Causing packets to be dropped for internal API messages

root@bldr15cb10:~# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

curl -O https://192.0.2.2:13000/v2.0
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (7) Failed connect to 192.0.2.2:13000; No route to host

Version-Release number of selected component (if applicable):

How reproducible:
Always reproduced

Steps to Reproduce:
1.
2.
3.

Actual results:
Dropped packets with ports different than 5000

Expected results:

Additional info:
WORKAROUND:
sudo iptables -I INPUT -p tcp -m tcp --dport 13000 -j ACCEPT
port 13000 is keystone's public endpoint port when deploying the undercloud with ssl
Consolidating the missing ports: 13000, 13774, 13696, 13385, 13292, 13696, 13004, 13080, 13385

keystone endpoint-list
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
+----------------------------------+-----------+-----------------------------------------------+---------------------------------------------+----------------------------------------+----------------------------------+
|                id                |   region  |                   publicurl                   |                 internalurl                 |                adminurl                |            service_id            |
+----------------------------------+-----------+-----------------------------------------------+---------------------------------------------+----------------------------------------+----------------------------------+
| 0e6dbff43c0f43b39c9ea606bb612e74 | regionOne | https://192.0.2.2:13292/                      | http://192.0.2.1:9292/                      | http://192.0.2.1:9292/                 | 8f3d68c651e64abcacff939cc3e77245 |
| 23a01b9d81e24e44b255f481d59617d4 | regionOne | http://192.0.2.2:8585/v2                      | http://192.0.2.1:8585/v2                    | http://192.0.2.1:8585/v2               | dfd27b8e912949c4b0946330883d55b8 |
| 2bb46bd274fa41ef88e5e42af7d69432 | regionOne | http://192.0.2.2:8777/                        | http://192.0.2.1:8777/                      | http://192.0.2.1:8777/                 | 4e228453b4bd41b2b9a8b6acf63e3197 |
| 4555589b38504792b251d23ad08a6f55 | regionOne | https://192.0.2.2:13000/v2.0                  | http://192.0.2.1:5000/v2.0                  | http://192.0.2.1:35357/v2.0            | fa911f9b55284df789ce6edd3cbba2c2 |
| a0797448a50e4317a667c1926a10100a | regionOne | https://192.0.2.2:13080/v1/AUTH_%(tenant_id)s | http://192.0.2.1:8080/v1/AUTH_%(tenant_id)s | http://192.0.2.1:8080/v1               | 96f2665eec6942908942d708728ce140 |
| a684c541b0d84c468309f4ba05fc2295 | regionOne | https://192.0.2.2:13696/                      | http://192.0.2.1:9696/                      | http://192.0.2.1:9696/                 | 43b0c0a9c63a4058a578b917b7a9c09a |
| d830525addd346558a10cccf0b2d1e40 | regionOne | https://192.0.2.2:13004/v1/%(tenant_id)s      | http://192.0.2.1:8004/v1/%(tenant_id)s      | http://192.0.2.1:8004/v1/%(tenant_id)s | 734b8fd4d1404a4f885ebff96cb71b3a |
| de3e8f33c9e045ca96b995982c1d2b56 | regionOne | https://192.0.2.2:13774/v3                    | http://192.0.2.1:8774/v3                    | http://192.0.2.1:8774/v3               | a8875b4558b44cdf97a3744a57592974 |
| e87a1703f9134ee49f1ccf5267397953 | regionOne | https://192.0.2.2:13385/                      | http://192.0.2.1:6385/                      | http://192.0.2.1:6385/                 | 5cdcaa87ec034c9e920f0745b2dedfa0 |
| f3248a8f46ff4ed0bb93371ce3b8e1ee | regionOne | https://192.0.2.2:13774/v2/$(tenant_id)s      | http://192.0.2.1:8774/v2/$(tenant_id)s      | http://192.0.2.1:8774/v2/$(tenant_id)s | 203f0ab336cd4d8cbd2d7e3496085d07 |
+----------------------------------+-----------+-----------------------------------------------+---------------------------------------------+----------------------------------------+----------------------------------+

The current iptables firewall rules:
-A INPUT -j nova-api-INPUT
-A INPUT -j neutron-openvswi-INPUT
-A INPUT -p tcp -m tcp --dport 8777 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8779 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8000,8003,8004 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5672 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6385 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9191 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9292 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9696 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8088 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8585 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5050 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -d 192.168.122.0/24 -j ACCEPT
-A FORWARD -d 192.0.2.0/24 -j ACCEPT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-openvswi-OUTPUT
-A discovery -j ACCEPT
-A neutron-filter-top -j neutron-openvswi-local
-A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
-A nova-api-INPUT -d 192.0.2.1/32 -p tcp -m tcp --dport 8775 -j ACCEPT
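The consolidation above was done by eye. The following is an added example, not code from this bug or from instack-undercloud: it extracts the port of each endpoint URL from the catalog and the TCP ports ACCEPTed by the INPUT chain (single --dport, multiport lists and ranges), then reports endpoint ports that no rule admits. The URLs and rules are a constructed subset modelled on the listings in this comment.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input modelled on this bug: a few publicurl/internalurl
# entries from the endpoint catalog and the INPUT rules before the fix.
ENDPOINT_URLS = [
    "https://192.0.2.2:13000/v2.0",                  # keystone public (SSL)
    "http://192.0.2.1:5000/v2.0",                    # keystone internal
    "https://192.0.2.2:13292/",                      # glance public (SSL)
    "https://192.0.2.2:13080/v1/AUTH_%(tenant_id)s", # swift public (SSL)
    "http://192.0.2.1:8585/v2",
]
IPTABLES_RULES = """
-A INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9292 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8585 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
""".strip().splitlines()

DPORT_RE = re.compile(r"--dports?\s+(\S+)")

def accepted_tcp_ports(rules):
    """Set of TCP destination ports the INPUT chain ACCEPTs.
    Understands --dport N, multiport lists a,b,c and ranges lo:hi."""
    ports = set()
    for rule in rules:
        if not rule.startswith("-A INPUT") or "-j ACCEPT" not in rule or "-p tcp" not in rule:
            continue
        m = DPORT_RE.search(rule)
        if not m:
            continue
        for item in m.group(1).split(","):
            lo, _, hi = item.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def endpoint_port(url):
    """Port an endpoint URL listens on; falls back to the scheme default."""
    parts = urlsplit(url)
    return parts.port or (443 if parts.scheme == "https" else 80)

def missing_ports(urls, rules):
    """Endpoint ports with no matching ACCEPT rule, sorted ascending."""
    allowed = accepted_tcp_ports(rules)
    return sorted({endpoint_port(u) for u in urls} - allowed)

if __name__ == "__main__":
    for p in missing_ports(ENDPOINT_URLS, IPTABLES_RULES):
        print("no INPUT ACCEPT rule for TCP port", p)
```

On a real undercloud the two inputs would come from `keystone endpoint-list` (or `openstack endpoint list`) and `iptables -S INPUT`.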
*** Bug 1286769 has been marked as a duplicate of this bug. ***
WORKAROUND:
iptables -I INPUT -p tcp -m multiport --dports 13000,13774,13696,13385,13292,13696,13004,13080,13385 -j ACCEPT
Verified on instack-undercloud-2.1.2-37.el7ost.noarch; the undercloud in this build has added the missing ports to its iptables:
-A INPUT -i br-ctlplane -p udp -m udp --dport 67 -j discovery
-A INPUT -j nova-api-INPUT
-A INPUT -p tcp -m tcp --dport 8777 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8779 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080,13808 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8000,8003,8004,13800,13003,13004 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5672 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6385,13385 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9191 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9292,13292 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080,13080 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696,13696 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357,13000,13357 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775,13773,13774,13775 -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8088 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8585 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5050 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A FORWARD -d 192.168.122.0/24 -j ACCEPT
-A FORWARD -d 192.0.2.0/24 -j ACCEPT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A discovery -j ACCEPT
-A nova-api-INPUT -d 192.0.2.1/32 -p tcp -m tcp --dport 8775 -j ACCEPT
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0264.html