Bug 1286756 - multiple ports not allowed in undercloud firewall
Summary: multiple ports not allowed in undercloud firewall
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: instack-undercloud
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: y3
: 7.0 (Kilo)
Assignee: James Slagle
QA Contact: yeylon@redhat.com
URL:
Whiteboard:
: 1286769 (view as bug list)
Depends On:
Blocks: 1286769 1286773 1299079
 
Reported: 2015-11-30 16:32 UTC by Ronnie Rasouli
Modified: 2016-04-18 07:14 UTC (History)
11 users

Fixed In Version: instack-undercloud-2.1.2-37.el7ost
Doc Type: Bug Fix
Doc Text:
The firewall configuration for the Undercloud lacked certain ports, which resulted in dropped packets for Internal API messages. This fix adds the missing ports (13000, 13774, 13696, 13385, 13292, 13696, 13004, 13080, 13385) to the Undercloud's firewall rules. The Internal API now accepts messages on these ports.
Clone Of:
: 1286769 1286773 1299079 (view as bug list)
Environment:
Last Closed: 2016-02-18 16:47:29 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:0264 0 normal SHIPPED_LIVE Red Hat Enterprise Linux OSP 7 director Bug Fix Advisory 2016-02-18 21:41:29 UTC

Description Ronnie Rasouli 2015-11-30 16:32:21 UTC
Description of problem:
Port 13000 is missing from the firewall and iptables list,
causing packets to be dropped for internal API messages.

root@bldr15cb10:~#  cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

curl -O https://192.0.2.2:13000/v2.0
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (7) Failed connect to 192.0.2.2:13000; No route to host

Version-Release number of selected component (if applicable):


How reproducible:
Always reproduced

Steps to Reproduce:
1.
2.
3.

Actual results:

Packets to ports other than 5000 are dropped.

Expected results:


Additional info:

WORKAROUND: sudo iptables -I INPUT -p tcp -m tcp --dport 13000 -j ACCEPT

Comment 2 Ronnie Rasouli 2015-11-30 16:54:17 UTC
Port 13000 is Keystone's public endpoint port when deploying the undercloud with SSL.

Comment 3 Ronnie Rasouli 2015-11-30 17:27:50 UTC
Consolidating the missing ports:

    13000, 13774, 13696, 13385, 13292, 13696, 13004, 13080, 13385
keystone endpoint-list
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
+----------------------------------+-----------+-----------------------------------------------+---------------------------------------------+----------------------------------------+----------------------------------+
|                id                |   region  |                   publicurl                   |                 internalurl                 |                adminurl                |            service_id            |
+----------------------------------+-----------+-----------------------------------------------+---------------------------------------------+----------------------------------------+----------------------------------+
| 0e6dbff43c0f43b39c9ea606bb612e74 | regionOne |            https://192.0.2.2:13292/           |            http://192.0.2.1:9292/           |         http://192.0.2.1:9292/         | 8f3d68c651e64abcacff939cc3e77245 |
| 23a01b9d81e24e44b255f481d59617d4 | regionOne |            http://192.0.2.2:8585/v2           |           http://192.0.2.1:8585/v2          |        http://192.0.2.1:8585/v2        | dfd27b8e912949c4b0946330883d55b8 |
| 2bb46bd274fa41ef88e5e42af7d69432 | regionOne |             http://192.0.2.2:8777/            |            http://192.0.2.1:8777/           |         http://192.0.2.1:8777/         | 4e228453b4bd41b2b9a8b6acf63e3197 |
| 4555589b38504792b251d23ad08a6f55 | regionOne |          https://192.0.2.2:13000/v2.0         |          http://192.0.2.1:5000/v2.0         |      http://192.0.2.1:35357/v2.0       | fa911f9b55284df789ce6edd3cbba2c2 |
| a0797448a50e4317a667c1926a10100a | regionOne | https://192.0.2.2:13080/v1/AUTH_%(tenant_id)s | http://192.0.2.1:8080/v1/AUTH_%(tenant_id)s |        http://192.0.2.1:8080/v1        | 96f2665eec6942908942d708728ce140 |
| a684c541b0d84c468309f4ba05fc2295 | regionOne |            https://192.0.2.2:13696/           |            http://192.0.2.1:9696/           |         http://192.0.2.1:9696/         | 43b0c0a9c63a4058a578b917b7a9c09a |
| d830525addd346558a10cccf0b2d1e40 | regionOne |    https://192.0.2.2:13004/v1/%(tenant_id)s   |    http://192.0.2.1:8004/v1/%(tenant_id)s   | http://192.0.2.1:8004/v1/%(tenant_id)s | 734b8fd4d1404a4f885ebff96cb71b3a |
| de3e8f33c9e045ca96b995982c1d2b56 | regionOne |           https://192.0.2.2:13774/v3          |           http://192.0.2.1:8774/v3          |        http://192.0.2.1:8774/v3        | a8875b4558b44cdf97a3744a57592974 |
| e87a1703f9134ee49f1ccf5267397953 | regionOne |            https://192.0.2.2:13385/           |            http://192.0.2.1:6385/           |         http://192.0.2.1:6385/         | 5cdcaa87ec034c9e920f0745b2dedfa0 |
| f3248a8f46ff4ed0bb93371ce3b8e1ee | regionOne |    https://192.0.2.2:13774/v2/$(tenant_id)s   |    http://192.0.2.1:8774/v2/$(tenant_id)s   | http://192.0.2.1:8774/v2/$(tenant_id)s | 203f0ab336cd4d8cbd2d7e3496085d07 |
+----------------------------------+-----------+-----------------------------------------------+---------------------------------------------+----------------------------------------+----------------------------------+

The current iptables firewall rules:

    -A INPUT -j nova-api-INPUT
    -A INPUT -j neutron-openvswi-INPUT
    -A INPUT -p tcp -m tcp --dport 8777 -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8779 -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8000,8003,8004 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 5672 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 6385 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 9191 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 9292 -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 6080 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 9696 -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 8773,8774,8775 -j ACCEPT
    -A INPUT -p udp -m udp --dport 69 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8088 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8585 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 5050 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j nova-filter-top
    -A FORWARD -j nova-api-FORWARD
    -A FORWARD -j neutron-filter-top
    -A FORWARD -j neutron-openvswi-FORWARD
    -A FORWARD -d 192.168.122.0/24 -j ACCEPT
    -A FORWARD -d 192.0.2.0/24 -j ACCEPT
    -A OUTPUT -j nova-filter-top
    -A OUTPUT -j nova-api-OUTPUT
    -A OUTPUT -j neutron-filter-top
    -A OUTPUT -j neutron-openvswi-OUTPUT
    -A discovery -j ACCEPT
    -A neutron-filter-top -j neutron-openvswi-local
    -A neutron-openvswi-sg-fallback -m comment --comment "Default drop rule for unmatched traffic." -j DROP
    -A nova-api-INPUT -d 192.0.2.1/32 -p tcp -m tcp --dport 8775 -j ACCEPT

Comment 4 Ronnie Rasouli 2015-11-30 17:29:40 UTC
*** Bug 1286769 has been marked as a duplicate of this bug. ***

Comment 5 Ronnie Rasouli 2015-12-01 08:29:09 UTC
WORKAROUND:
iptables -I INPUT -p tcp -m multiport --dports 13000,13774,13696,13385,13292,13696,13004,13080,13385 -j ACCEPT

Comment 7 Ronnie Rasouli 2016-01-17 09:37:39 UTC
Verified on instack-undercloud-2.1.2-37.el7ost.noarch; the undercloud in this build has added the missing ports to its iptables rules:

-A INPUT -i br-ctlplane -p udp -m udp --dport 67 -j discovery
-A INPUT -j nova-api-INPUT
-A INPUT -p tcp -m tcp --dport 8777 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8779 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8080,13808 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8000,8003,8004,13800,13003,13004 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5672 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6385,13385 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9191 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9292,13292 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080,13080 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9696,13696 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357,13000,13357 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8773,8774,8775,13773,13774,13775 -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8088 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8585 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5050 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A FORWARD -d 192.168.122.0/24 -j ACCEPT
-A FORWARD -d 192.0.2.0/24 -j ACCEPT
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A discovery -j ACCEPT
-A nova-api-INPUT -d 192.0.2.1/32 -p tcp -m tcp --dport 8775 -j ACCEPT
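
The comparison done by hand in Comment 3 (public endpoint ports versus iptables ACCEPT rules) and re-checked against the fixed rule set in Comment 7 can be automated. The script below is an added example, not part of the bug report or of instack-undercloud: it parses the `publicurl` column of `keystone endpoint-list` output and the INPUT chain of an iptables rule dump, expands `--dport`, `--dports` lists and `lo:hi` ranges, and reports every endpoint port that no ACCEPT rule admits. The sample inputs are trimmed copies of the tables and rule dumps shown in the comments above; the function names are this example's own.

```python
"""Cross-check Keystone public endpoint ports against iptables ACCEPT rules.

Added example (not from the bug report or instack-undercloud). It automates
the manual comparison in Comment 3 and the verification in Comment 7.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the `keystone endpoint-list` rows from Comment 3.
ENDPOINT_TABLE = """\
+-----+-----------+-----------------------------------------------+----------------------------+
| id  |   region  |                   publicurl                   |        internalurl         |
+-----+-----------+-----------------------------------------------+----------------------------+
| 0e6 | regionOne |            https://192.0.2.2:13292/           |   http://192.0.2.1:9292/   |
| 23a | regionOne |            http://192.0.2.2:8585/v2           |  http://192.0.2.1:8585/v2  |
| 455 | regionOne |          https://192.0.2.2:13000/v2.0         | http://192.0.2.1:5000/v2.0 |
| a07 | regionOne | https://192.0.2.2:13080/v1/AUTH_%(tenant_id)s | http://192.0.2.1:8080/v1   |
| e87 | regionOne |            https://192.0.2.2:13385/           |   http://192.0.2.1:6385/   |
+-----+-----------+-----------------------------------------------+----------------------------+
"""

# Constructed sample: INPUT-chain rules from the pre-fix dump in Comment 3.
BROKEN_RULES = """\
-A INPUT -p tcp -m tcp --dport 8777 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8000,8003,8004 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6385 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9292 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8585 -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Constructed sample: the corresponding rules from the fixed build in Comment 7.
FIXED_RULES = """\
-A INPUT -p tcp -m multiport --dports 8080,13808 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6385,13385 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9292,13292 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6080,13080 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357,13000,13357 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8585 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""


def public_ports(table):
    """Return {port: publicurl} for every data row of an endpoint-list table."""
    ports = {}
    header = None
    for line in table.splitlines():
        if not line.startswith("|"):
            continue                      # skip the +----+ border lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells                # the first pipe row is the header
            continue
        url = cells[header.index("publicurl")]
        parts = urlsplit(url)
        # Explicit port if present, otherwise the scheme default.
        port = parts.port or (443 if parts.scheme == "https" else 80)
        ports[port] = url
    return ports


def accepted_tcp_ports(rules):
    """Return the set of TCP destination ports admitted by ACCEPT rules in INPUT."""
    accepted = set()
    for line in rules.splitlines():
        if not line.startswith("-A INPUT ") or "-j ACCEPT" not in line or "-p tcp" not in line:
            continue
        m = re.search(r"--dports? (\S+)", line)
        if not m:
            continue
        for spec in m.group(1).split(","):
            if ":" in spec:               # multiport range, e.g. 5900:5999
                lo, hi = map(int, spec.split(":"))
                accepted.update(range(lo, hi + 1))
            else:
                accepted.add(int(spec))
    return accepted


def missing_ports(table, rules):
    """Public endpoint ports the INPUT chain would reject, sorted ascending."""
    return sorted(set(public_ports(table)) - accepted_tcp_ports(rules))


if __name__ == "__main__":
    urls = public_ports(ENDPOINT_TABLE)
    for label, rules in (("before fix", BROKEN_RULES), ("after fix", FIXED_RULES)):
        gaps = missing_ports(ENDPOINT_TABLE, rules)
        print(f"{label}: {len(gaps)} unreachable endpoint port(s)")
        for port in gaps:
            print(f"  {port}  {urls[port]}")
```

Run against the pre-fix rules the script lists the SSL-terminated endpoint ports (13000, 13080, 13292, 13385 in this trimmed sample); against the Comment 7 rules it reports none. On a live undercloud the two inputs would come from `keystone endpoint-list` (or `openstack endpoint list`) and `iptables-save`; the script deliberately looks only at `-j ACCEPT` rules in INPUT, so ports admitted via jumps into other chains, such as `nova-api-INPUT`, would need the same treatment applied to those chains.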

Comment 9 errata-xmlrpc 2016-02-18 16:47:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0264.html

