Bug 1304441 - Ceilometer public API SSL port(13777) is not allowed in the undercloud firewall
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: instack-undercloud
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Target Milestone: y3
Target Release: 7.0 (Kilo)
Assignee: Emilien Macchi
QA Contact: Marius Cornea
Depends On:
Reported: 2016-02-03 15:57 UTC by Marius Cornea
Modified: 2016-02-18 16:52 UTC (History)

Fixed In Version: instack-undercloud-2.1.2-38.el7ost
Doc Type: Bug Fix
Doc Text:
The Undercloud's firewall lacked a port for Ceilometer's Public API over SSL. This fix adds the port (13777) to the Undercloud's installation script. Now Ceilometer accepts Public API requests over SSL.
Clone Of:
Last Closed: 2016-02-18 16:52:16 UTC
Target Upstream Version:

System ID Priority Status Summary Last Updated
OpenStack gerrit 276202 None None None 2016-02-04 12:57:12 UTC
Red Hat Product Errata RHBA-2016:0264 normal SHIPPED_LIVE Red Hat Enterprise Linux OSP 7 director Bug Fix Advisory 2016-02-18 21:41:29 UTC

Description Marius Cornea 2016-02-03 15:57:29 UTC
Description of problem:
Ceilometer public API SSL port is not allowed in the undercloud firewall.

Version-Release number of selected component (if applicable):

How reproducible:

Service: metering
|   Property  |              Value               |
|   adminURL  |      |
|      id     | 2c30baa37bc84927b1933b2cde907769 |
| internalURL |      |
|  publicURL  |     |
|    region   |            regionOne             |

stack@instack:~>>> sudo iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
discovery  udp  --              udp dpt:67
nova-api-INPUT  all  --             
neutron-openvswi-INPUT  all  --             
ACCEPT     tcp  --              tcp dpt:8777
ACCEPT     tcp  --              multiport dports 8779
ACCEPT     tcp  --              multiport dports 8080,13808
ACCEPT     tcp  --              multiport dports 8000,8003,8004,13800,13003,13004
ACCEPT     tcp  --              tcp dpt:5672
ACCEPT     tcp  --              tcp dpt:80
ACCEPT     tcp  --              multiport dports 6385,13385
ACCEPT     tcp  --              tcp dpt:9191
ACCEPT     tcp  --              multiport dports 9292,13292
ACCEPT     tcp  --              multiport dports 5900:5999
ACCEPT     tcp  --              multiport dports 6080,13080
ACCEPT     tcp  --              multiport dports 9696,13696
ACCEPT     tcp  --              multiport dports 5000,35357,13000,13357
ACCEPT     tcp  --              multiport dports 8773,8774,8775,13773,13774,13775
ACCEPT     udp  --              udp dpt:69
ACCEPT     tcp  --              tcp dpt:8088
ACCEPT     tcp  --              tcp dpt:8585
ACCEPT     tcp  --              tcp dpt:5050
ACCEPT     all  --              state RELATED,ESTABLISHED
ACCEPT     icmp --             
ACCEPT     all  --             
ACCEPT     tcp  --              state NEW tcp dpt:22
REJECT     all  --              reject-with icmp-host-prohibited

To add it:

# sudo iptables -I INPUT -p tcp -m tcp --dport 13777 -j ACCEPT

Comment 2 Marius Cornea 2016-02-16 18:24:55 UTC

[stack@instack ~]$ sudo iptables -nL INPUT | grep 13777
ACCEPT     tcp  --              multiport dports 8777,13777
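
A scripted version of the check above, added here as an example; it is not part of the original report or of instack-undercloud. It parses `iptables -nL INPUT` text and reports which required ports are not accepted before the catch-all REJECT. The function names and the sample listing are constructed, and ACCEPT rules with protocol `all` are ignored on the assumption that they carry matches (such as an interface) that `-nL` without `-v` does not display.

```python
import re

# Constructed sample shaped like `iptables -nL INPUT` output; the addresses
# are placeholders and the rule set is abbreviated from the report's listing.
SAMPLE_BEFORE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8777
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 8080,13808
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5900:5999
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("tcp dpt:8777", "multiport dports 8777,13777")

# Matches "dpt:8777", "dpts:5900:5999" and "multiport dports 8777,13777".
PORT_SPEC = re.compile(r"\b(?:dpts?:|dports )([\d,:]+)")

def rule_ports(line):
    """Return the (low, high) destination-port ranges named on a rule line."""
    m = PORT_SPEC.search(line)
    if not m:
        return []
    ranges = []
    for part in m.group(1).split(","):
        low, _, high = part.partition(":")
        ranges.append((int(low), int(high or low)))
    return ranges

def new_tcp_allowed(listing, port):
    """True if a tcp ACCEPT rule for `port` precedes the first catch-all
    REJECT/DROP. Rules are evaluated top to bottom, so order matters."""
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        target, proto, ports = fields[0], fields[1], rule_ports(line)
        if target in ("REJECT", "DROP") and proto == "all" and not ports:
            return False  # everything not accepted above is refused here
        if target == "ACCEPT" and proto == "tcp" and any(lo <= port <= hi for lo, hi in ports):
            return True
    return False  # assumption: no explicit ACCEPT means "not allowed"

def missing_ports(listing, required):
    """Return the required ports that the listed chain does not accept."""
    return [p for p in required if not new_tcp_allowed(listing, p)]
```

An ACCEPT rule that lands after the REJECT line is never reached, which is why the workaround in the description inserts the rule with `-I` instead of appending it.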

Comment 4 errata-xmlrpc 2016-02-18 16:52:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

