Bug 1472119 - Update documentation Configure firewall and network flows for Openstack 10
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 10.0 (Newton)
Hardware: x86_64 Linux
Priority: urgent  Severity: urgent
Target Milestone: async
Target Release: 10.0 (Newton)
Assigned To: Martin Lopes
RHOS Documentation Team
Keywords: ZStream
Reported: 2017-07-18 02:27 EDT by Edu Alcaniz
Modified: 2017-11-09 01:26 EST (History)

Last Closed: 2017-11-09 01:26:02 EST
Type: Bug
Description Edu Alcaniz 2017-07-18 02:27:07 EDT
Description of problem:
Customers were looking for documentation on how to configure firewall and network flows for OpenStack 10.

There is a document for OSP 10


and some for OSP 8


but nothing for OSP 10. Could you write it down, publish it officially and include it in future versions?
Comment 3 Cyril Lopez 2017-07-18 03:14:41 EDT
Something like that?
http://tripleo.org/advanced_deployment/security_hardening.html#firewall-management

Comment 5 Edu Alcaniz 2017-07-18 04:01:23 EDT
(In reply to Cyril Lopez from comment #3)
> Something like that?
> http://tripleo.org/advanced_deployment/security_hardening.html#firewall-management

It is more like https://access.redhat.com/solutions/2718021 (TCP / UDP Ports used by OpenStack) or the Excel file I just uploaded.
Comment 15 Edu Alcaniz 2017-08-14 07:53:45 EDT
Hi, could you give an update about this BZ please.

Edu Alcaniz
Comment 28 Bob Fournier 2017-08-25 14:32:45 EDT
> - On Gnocchi and Aodh services, we found on our platform that they are listening on
> Internal API VIP and External VIP, but this information is not listed in your
> document. Could you confirm to us that these services are actively listening on VIPs?

Yes they are, I have updated the doc.

> - On the document, the format for ports used by services is this one:
> ovsdb-server Internal API Controllers/Computes TCP 6640 openvswitch database server
>
> With this format, we can define that the ovsdb-server service listens on the Internal API
> network, for OpenStack controller nodes and Compute nodes, but we cannot determine
> from WHERE they listen (on which network? on which node do they listen?). Is it
> possible to have this information for the services listed please?

I've also updated the doc for this. The ovsdb-server is a new service, but it runs on the loopback interface and there are no ports opened for 6640 in iptables on the controller/compute, so it's not reachable outside the node.

I've also updated the netstat section to make it obvious which networks are being listened on by adding a key for the mapping of IPs to networks.

> - On pages 5 & 6, we have this kind of information:
> tcp 0 0 overcloud.localdom:8042* LISTEN 143897/haproxy
>
> Does the "localdom" indicate a VIP? Because we found similarities on our test
> platform between our netstat output and some lines in the "Netstat changes" section.

Yes, here is the output from /etc/hosts on the controller. I have added this to the doc.

overcloud.storagemgmt.localdomain	# FQDN of the storage mgmt VIP
overcloud.ctlplane.localdomain	# FQDN of the ctlplane VIP
overcloud.internalapi.localdomain	# FQDN of the internal api VIP
overcloud.storage.localdomain	# FQDN of the storage VIP
overcloud.localdomain	# FQDN of the external VIP
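Added example (not from this bug or the RHOSP documentation): a small Python script that performs the mapping described above, annotating `netstat -tlnp` listeners with the network name taken from the /etc/hosts VIP key, so that listeners on the external VIP, which the firewall rules must account for, stand out. The IP addresses and netstat lines are constructed placeholders; only the FQDN comment format follows the /etc/hosts output quoted above.

```python
import re

# Constructed /etc/hosts excerpt in the layout quoted in comment 28. The IPs are
# placeholders, not values from the bug; the "# FQDN of the ... VIP" comments are the key.
HOSTS = """\
10.0.0.10\tovercloud.storagemgmt.localdomain\t# FQDN of the storage mgmt VIP
10.0.1.10\tovercloud.ctlplane.localdomain\t# FQDN of the ctlplane VIP
10.0.2.10\tovercloud.internalapi.localdomain\t# FQDN of the internal api VIP
10.0.3.10\tovercloud.storage.localdomain\t# FQDN of the storage VIP
203.0.113.10\tovercloud.localdomain\t# FQDN of the external VIP
"""

# Constructed `netstat -tlnp` lines (numeric, so addresses are IPs rather than the
# truncated "overcloud.localdom" names that appear in the quoted netstat output).
NETSTAT = """\
tcp  0  0 10.0.2.10:8042     0.0.0.0:*  LISTEN  143897/haproxy
tcp  0  0 203.0.113.10:8042  0.0.0.0:*  LISTEN  143897/haproxy
tcp  0  0 127.0.0.1:6640     0.0.0.0:*  LISTEN  1201/ovsdb-server
tcp  0  0 0.0.0.0:22         0.0.0.0:*  LISTEN  987/sshd
"""

HOSTS_RE = re.compile(r"^(\S+)\s+(\S+)\s*(?:#\s*FQDN of the (.+?) VIP)?", re.M)

def parse_hosts(text):
    """Map each VIP address to its network name, taken from the comment key."""
    return {ip: (net or fqdn) for ip, fqdn, net in HOSTS_RE.findall(text)}

def parse_netstat(text):
    """Return (ip, port, program) for each LISTEN line of `netstat -tlnp` output."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "LISTEN":
            continue
        ip, port = f[3].rsplit(":", 1)
        rows.append((ip, int(port), f[6].split("/", 1)[1]))
    return rows

def classify(netstat_text, hosts_text):
    """Annotate each listener with the network it is reachable from."""
    nets = parse_hosts(hosts_text)
    out = []
    for ip, port, prog in parse_netstat(netstat_text):
        if ip in ("127.0.0.1", "::1"):
            net = "loopback (node-local only)"   # e.g. ovsdb-server on 6640
        elif ip in ("0.0.0.0", "::"):
            net = "all interfaces"
        else:
            net = nets.get(ip, "unknown")
        out.append((prog, port, net))
    return out

def externally_exposed(netstat_text, hosts_text):
    """(program, port) pairs reachable from the external network."""
    return sorted({(p, port) for p, port, net in classify(netstat_text, hosts_text)
                   if net in ("external", "all interfaces")})
```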
Comment 32 Bob Fournier 2017-09-05 10:37:36 EDT
I can help keep it up to date, just need to figure out how it will be presented.
Comment 34 Bob Fournier 2017-09-05 12:36:49 EDT
> Thanks Bob -- are you doing this officially as part of a DFG assignment?

Derek - Dan and I are in the HardwareProvisioning DFG which also has responsibility for networking
