Bug 1397964 - Controller nodes block GRE tunelling
Summary: Controller nodes block GRE tunelling
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: rc
: 10.0 (Newton)
Assignee: Brent Eagles
QA Contact: nlevinki
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-23 17:03 UTC by Jakub Libosvar
Modified: 2016-12-14 16:34 UTC (History)
16 users (show)

Fixed In Version: puppet-tripleo-5.4.0-3.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-14 16:34:53 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2948 normal SHIPPED_LIVE Red Hat OpenStack Platform 10 enhancement update 2016-12-14 19:55:27 UTC
OpenStack gerrit 402709 None None None 2016-11-25 15:05:33 UTC
Launchpad 1644360 None None None 2016-11-23 21:36:12 UTC

Description Jakub Libosvar 2016-11-23 17:03:00 UTC
Description of problem:
controller nodes have following iptables rule for allowing gre tunneling for Neutron:
-A INPUT -p gre -m comment --comment "136 neutron gre networks" -m state --state NEW -j ACCEPT

But gre doesn't support conntrack which means this rule won't get matched and all GRE packets coming to controller nodes are rejected. Including DHCP discoveries, so impact is that instances never get IP.

The iptables rule shouldn't use -m state and allow all GRE packets.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-5.1.0-3.el7ost.noarch

How reproducible:
Always

Steps to Reproduce:
1. Deploy OSP 10 with director
2. Create GRE tenant network
3. Boot instance on GRE network

Actual results:
Instance won't get IP address because GRE packets on controllers are dropped

Expected results:


Additional info:

Comment 1 Brent Eagles 2016-11-24 20:43:08 UTC
Upstream patch against master has been submitted: https://review.openstack.org/#/c/401461/ 

It's passing CI and visual inspection of iptables file on CI nodes verifies proper GRE rule. Needs to be merged before backporting to newton upstream. I'll update the external tracker once the newton backport has been submitted.

Comment 3 Marian Krcmarik 2016-11-26 10:49:43 UTC
I took the patch, patched puppet-tripleo in overcloud-full image and redeployed overcloud and now It works for me correctly.

Comment 4 Brent Eagles 2016-11-28 13:44:48 UTC
Upstream patch https://review.openstack.org/402709 merged to newton upstream on Friday, Nov. 25.

Comment 8 errata-xmlrpc 2016-12-14 16:34:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html


Note You need to log in before you can comment on or make changes to this bug.