Bug 1304441 - Ceilometer public API SSL port(13777) is not allowed in the undercloud firewall
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: instack-undercloud
7.0 (Kilo)
Unspecified Unspecified
unspecified Severity high
: y3
: 7.0 (Kilo)
Assigned To: Emilien Macchi
Marius Cornea
Reported: 2016-02-03 10:57 EST by Marius Cornea
Modified: 2016-02-18 11:52 EST

Fixed In Version: instack-undercloud-2.1.2-38.el7ost
Doc Type: Bug Fix
Doc Text:
The Undercloud's firewall lacked a port for Ceilometer's Public API over SSL. This fix adds the port (13777) to the Undercloud's installation script. Now Ceilometer accepts Public API requests over SSL.
Last Closed: 2016-02-18 11:52:16 EST
Type: Bug
External Trackers
Tracker: OpenStack gerrit
ID: 276202
Priority: None
Status: None
Summary: None
Last Updated: 2016-02-04 07:57 EST

Description Marius Cornea 2016-02-03 10:57:29 EST
Description of problem:
Ceilometer public API SSL port is not allowed in the undercloud firewall.

Version-Release number of selected component (if applicable):
instack-undercloud-2.1.2-37.el7ost.noarch

How reproducible:
100%

Service: metering
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminURL  |      http://192.0.2.1:8777/      |
|      id     | 2c30baa37bc84927b1933b2cde907769 |
| internalURL |      http://192.0.2.1:8777/      |
|  publicURL  |     https://192.0.2.2:13777/     |
|    region   |            regionOne             |
+-------------+----------------------------------+

stack@instack:~>>> sudo iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
discovery  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
nova-api-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
neutron-openvswi-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8777
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8779
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8080,13808
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8000,8003,8004,13800,13003,13004
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5672
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6385,13385
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9191
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9292,13292
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5900:5999
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 6080,13080
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 9696,13696
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5000,35357,13000,13357
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8773,8774,8775,13773,13774,13775
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:69
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8088
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8585
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5050
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

To add it:

# sudo iptables -I INPUT -p tcp -m tcp --dport 13777 -j ACCEPT
Comment 2 Marius Cornea 2016-02-16 13:24:55 EST
instack-undercloud-2.1.2-39.el7ost.noarch

[stack@instack ~]$ sudo iptables -nL INPUT | grep 13777
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8777,13777
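
As an added example (not part of the original report or of instack-undercloud), the mismatch described above can be checked mechanically by comparing each catalog endpoint's port with the ACCEPT rules in an `iptables -nL INPUT` listing. It generalizes to `dpt:`, `dpts:` and multiport lists and ranges; the function names are hypothetical, the sample chain is a constructed subset of the rows in the report, and the chain is assumed to end in a catch-all REJECT as it does there.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the `iptables -nL INPUT` rows quoted in the report.
BEFORE_FIX = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8777
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5900:5999
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""
# The same chain with the row shown after the fix (Comment 2).
AFTER_FIX = BEFORE_FIX.replace("tcp dpt:8777", "multiport dports 8777,13777")

# Metering endpoints as listed in the report's service catalog output.
ENDPOINTS = {"adminURL": "http://192.0.2.1:8777/", "internalURL": "http://192.0.2.1:8777/",
             "publicURL": "https://192.0.2.2:13777/"}

def allowed_tcp_ports(listing):
    """Port ranges (lo, hi) accepted by tcp rules ahead of the blanket REJECT/DROP."""
    ranges = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] in ("Chain", "target"):
            continue
        target, proto, match = fields[0], fields[1], " ".join(fields[5:])
        if target in ("REJECT", "DROP") and proto == "all":
            break  # nothing after a catch-all reject is ever evaluated
        found = re.search(r"\b(?:dpts?:|dports )(\S+)", match)
        if target != "ACCEPT" or proto != "tcp" or not found:
            continue  # jumps to other chains and port-less rules are not interpreted
        for spec in found.group(1).split(","):
            lo, _, hi = spec.partition(":")
            ranges.append((int(lo), int(hi or lo)))
    return ranges

def blocked_endpoints(endpoints, listing):
    """Return the endpoints whose TCP port no ACCEPT rule in the listing covers."""
    ranges = allowed_tcp_ports(listing)
    blocked = {}
    for name, url in endpoints.items():
        parts = urlsplit(url)
        port = parts.port or {"http": 80, "https": 443}[parts.scheme]
        if not any(lo <= port <= hi for lo, hi in ranges):
            blocked[name] = url
    return blocked
```

Rows without a port match are skipped because `iptables -nL` without `-v` does not show the interface a rule is bound to, so a bare `ACCEPT all` row cannot be read as allowing every port.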
Comment 4 errata-xmlrpc 2016-02-18 11:52:16 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0264.html
