1397964 – Controller nodes block GRE tunelling

Bug 1397964 - Controller nodes block GRE tunelling

Summary: Controller nodes block GRE tunelling

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	puppet-tripleo
Sub Component:
Version:	10.0 (Newton)
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	10.0 (Newton)
Assignee:	Brent Eagles
QA Contact:	nlevinki
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-11-23 17:03 UTC by Jakub Libosvar
Modified:	2016-12-14 16:34 UTC (History)
CC List:	16 users (show)
Fixed In Version:	puppet-tripleo-5.4.0-3.el7ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-12-14 16:34:53 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2016:2948	normal	SHIPPED_LIVE	Red Hat OpenStack Platform 10 enhancement update	2016-12-14 19:55:27 UTC
OpenStack gerrit	402709	None	None	None	2016-11-25 15:05:33 UTC
Launchpad	1644360	None	None	None	2016-11-23 21:36:12 UTC

Description Jakub Libosvar 2016-11-23 17:03:00 UTC

Description of problem:
controller nodes have following iptables rule for allowing gre tunneling for Neutron:
-A INPUT -p gre -m comment --comment "136 neutron gre networks" -m state --state NEW -j ACCEPT

But gre doesn't support conntrack which means this rule won't get matched and all GRE packets coming to controller nodes are rejected. Including DHCP discoveries, so impact is that instances never get IP.

The iptables rule shouldn't use -m state and allow all GRE packets.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-5.1.0-3.el7ost.noarch

How reproducible:
Always

Steps to Reproduce:
1. Deploy OSP 10 with director
2. Create GRE tenant network
3. Boot instance on GRE network

Actual results:
Instance won't get IP address because GRE packets on controllers are dropped

Expected results:


Additional info:

Comment 1 Brent Eagles 2016-11-24 20:43:08 UTC

Upstream patch against master has been submitted: https://review.openstack.org/#/c/401461/ 

It's passing CI and visual inspection of iptables file on CI nodes verifies proper GRE rule. Needs to be merged before backporting to newton upstream. I'll update the external tracker once the newton backport has been submitted.

Comment 3 Marian Krcmarik 2016-11-26 10:49:43 UTC

I took the patch, patched puppet-tripleo in overcloud-full image and redeployed overcloud and now It works for me correctly.

Comment 4 Brent Eagles 2016-11-28 13:44:48 UTC

Upstream patch https://review.openstack.org/402709 merged to newton upstream on Friday, Nov. 25.

Comment 8 errata-xmlrpc 2016-12-14 16:34:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html

Note You need to log in before you can comment on or make changes to this bug.