Description of problem:
Controller nodes have the following iptables rule for allowing GRE tunneling for Neutron:

-A INPUT -p gre -m comment --comment "136 neutron gre networks" -m state --state NEW -j ACCEPT

But GRE doesn't support conntrack, which means this rule won't get matched and all GRE packets coming to controller nodes are rejected, including DHCP discoveries, so the impact is that instances never get an IP. The iptables rule shouldn't use -m state and should allow all GRE packets.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-5.1.0-3.el7ost.noarch

How reproducible:
Always

Steps to Reproduce:
1. Deploy OSP 10 with director
2. Create GRE tenant network
3. Boot instance on GRE network

Actual results:
Instance won't get an IP address because GRE packets on controllers are dropped

Expected results:

Additional info:
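
An added example, not part of the bug report or of the puppet-tripleo patch: a shell check that reads iptables-save style rules and flags GRE ACCEPT rules gated by a state match, printing each rule with the match removed as the report recommends. The function names and every sample rule except the first (quoted from the report) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a ruleset for GRE ACCEPT rules that depend on a
# connection-state match, as described in the report above.

# Constructed sample input. The first rule is the one quoted in the report;
# the other three are made up for contrast.
sample_rules() {
cat <<'EOF'
-A INPUT -p gre -m comment --comment "136 neutron gre networks" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -j ACCEPT
-A INPUT -p 47 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p gre -m comment --comment "already stateless" -j ACCEPT
EOF
}

# Reads rules on stdin. For every GRE ACCEPT rule that carries a state or
# conntrack match, prints the rule and a stateless replacement.
audit_gre_rules() {
    awk '
    # GRE is IP protocol 47, so accept both spellings of the protocol.
    / -p (gre|47) / && / -j ACCEPT/ &&
    (/ -m state --state / || / -m conntrack --ctstate /) {
        fixed = $0
        # Strip the state match and its argument, keep everything else.
        sub(/ -m state --state [A-Z,]+/, "", fixed)
        sub(/ -m conntrack --ctstate [A-Z,]+/, "", fixed)
        print "STATEFUL-GRE: " $0
        print "SUGGESTED:    " fixed
    }
    '
}

# Demo on the constructed sample. On a controller node the input would be
# the output of iptables-save instead.
sample_rules | audit_gre_rules
```

Rules for other protocols are left alone, so the stateful TCP rule in the sample is not reported.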
Upstream patch against master has been submitted: https://review.openstack.org/#/c/401461/ It's passing CI and visual inspection of iptables file on CI nodes verifies proper GRE rule. Needs to be merged before backporting to newton upstream. I'll update the external tracker once the newton backport has been submitted.
I took the patch, patched puppet-tripleo in the overcloud-full image and redeployed the overcloud, and now it works for me correctly.
Upstream patch https://review.openstack.org/402709 merged to newton upstream on Friday, Nov. 25.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2948.html