Bug 1304441 - Ceilometer public API SSL port(13777) is not allowed in the undercloud firewall
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: instack-undercloud
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: y3
Target Release: 7.0 (Kilo)
Assignee: Emilien Macchi
QA Contact: Marius Cornea
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-02-03 15:57 UTC by Marius Cornea
Modified: 2016-02-18 16:52 UTC

Fixed In Version: instack-undercloud-2.1.2-38.el7ost
Doc Type: Bug Fix
Doc Text:
The Undercloud's firewall lacked a port for Ceilometer's Public API over SSL. This fix adds the port (13777) to the Undercloud's installation script. Now Ceilometer accepts Public API requests over SSL.
Clone Of:
Environment:
Last Closed: 2016-02-18 16:52:16 UTC
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 276202 | 0 | None | None | None | 2016-02-04 12:57:12 UTC
Red Hat Product Errata | RHBA-2016:0264 | 0 | normal | SHIPPED_LIVE | Red Hat Enterprise Linux OSP 7 director Bug Fix Advisory | 2016-02-18 21:41:29 UTC

Description Marius Cornea 2016-02-03 15:57:29 UTC
Description of problem:
Ceilometer public API SSL port is not allowed in the undercloud firewall.

Version-Release number of selected component (if applicable):
instack-undercloud-2.1.2-37.el7ost.noarch

How reproducible:
100%

Service: metering
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminURL  |      http://192.0.2.1:8777/      |
|      id     | 2c30baa37bc84927b1933b2cde907769 |
| internalURL |      http://192.0.2.1:8777/      |
|  publicURL  |     https://192.0.2.2:13777/     |
|    region   |            regionOne             |
+-------------+----------------------------------+

stack@instack:~>>> sudo iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
discovery  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
neutron-openvswi-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8777
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8779
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8080,13808
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8000,8003,8004,13800,13003,13004
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5672
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6385,13385
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9191
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9292,13292
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5900:5999
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6080,13080
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9696,13696
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5000,35357,13000,13357
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8773,8774,8775,13773,13774,13775
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:69
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8088
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8585
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5050
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

To add it:

# sudo iptables -I INPUT -p tcp -m tcp --dport 13777 -j ACCEPT
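
A check for the mismatch this report describes, as an added example (not part of the original report or of instack-undercloud): it parses `iptables -nL INPUT` output and lists catalog endpoints whose TCP port no ACCEPT rule covers. The rule listings are constructed samples, `accepted_tcp_ranges` and `blocked_endpoints` are hypothetical names, and jumps to other chains are not followed.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the format of `iptables -nL INPUT` (not the report's full listing).
RULES_BEFORE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8777
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5900:5999
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""
RULES_AFTER = RULES_BEFORE.replace("tcp dpt:8777", "multiport dports 8777,13777")
# Endpoint URLs as shown in the report's metering service entry.
ENDPOINTS = {"internalURL": "http://192.0.2.1:8777/", "publicURL": "https://192.0.2.2:13777/"}
PORT_MATCH = re.compile(r"\b(?:dpts?:|dports )(\S+)")

def accepted_tcp_ranges(listing):
    """Return (low, high) port ranges accepted by tcp rules ahead of the first blanket REJECT/DROP."""
    ranges = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("ACCEPT", "REJECT", "DROP"):
            continue  # header lines and jumps to other chains are not evaluated
        m = PORT_MATCH.search(line)
        if fields[0] != "ACCEPT":
            if fields[1] == "all" and m is None:
                break  # rules after a blanket REJECT/DROP are never reached
            continue
        # Rules with no port match are skipped: without -v the listing hides
        # interface matches (e.g. loopback), so they cannot be judged from here.
        if fields[1] != "tcp" or m is None:
            continue
        for item in m.group(1).split(","):
            low, _, high = item.partition(":")
            ranges.append((int(low), int(high or low)))
    return ranges

def blocked_endpoints(endpoints, listing):
    """Return (name, port) for endpoints whose TCP port no ACCEPT rule covers."""
    ranges = accepted_tcp_ranges(listing)
    blocked = []
    for name, url in sorted(endpoints.items()):
        parsed = urlparse(url)
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        if not any(low <= port <= high for low, high in ranges):
            blocked.append((name, port))
    return blocked

if __name__ == "__main__":
    print(blocked_endpoints(ENDPOINTS, RULES_BEFORE), blocked_endpoints(ENDPOINTS, RULES_AFTER))
```

On a live host the listing would come from `sudo iptables -nL INPUT`; adding `-v` shows the interface matches that this parser deliberately ignores.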

Comment 2 Marius Cornea 2016-02-16 18:24:55 UTC
instack-undercloud-2.1.2-39.el7ost.noarch

[stack@instack ~]$ sudo iptables -nL INPUT | grep 13777
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8777,13777

Comment 4 errata-xmlrpc 2016-02-18 16:52:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0264.html

