Bug 1472119 - Update documentation Configure firewall and network flows for Openstack 10
Status: ASSIGNED
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 10.0 (Newton)
Hardware: x86_64 Linux
Priority: urgent
Severity: urgent
Target Milestone: async
Target Release: 10.0 (Newton)
Assigned To: Martin Lopes
RHOS Documentation Team
Keywords: ZStream
Reported: 2017-07-18 02:27 EDT by Edu Alcaniz
Modified: 2017-09-17 02:47 EDT
Doc Type: If docs needed, set a value
Type: Bug
Attachments: None
Description Edu Alcaniz 2017-07-18 02:27:07 EDT
Description of problem:
Customers were looking for documentation on how to configure firewall and network flows for OpenStack 10.

A document exists for OSP 10:

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html-single/configure_firewall_rules_for_red_hat_openstack_platform_director/

and some for OSP 8:

https://access.redhat.com/solutions/2718021

but nothing for OSP 10. Could you write it down, publish it officially and include it in future versions?

Comment 3 Cyril Lopez 2017-07-18 03:14:41 EDT
Something like that?

http://tripleo.org/advanced_deployment/security_hardening.html#firewall-management
Comment 5 Edu Alcaniz 2017-07-18 04:01:23 EDT
(In reply to Cyril Lopez from comment #3)
> Something like that?
>
> http://tripleo.org/advanced_deployment/security_hardening.html#firewall-management

It is more like https://access.redhat.com/solutions/2718021 (TCP / UDP Ports used by OpenStack) or the Excel file I just uploaded.
Comment 15 Edu Alcaniz 2017-08-14 07:53:45 EDT
Hi, could we get an update on this BZ, please?

Edu Alcaniz
Comment 28 Bob Fournier 2017-08-25 14:32:45 EDT
> - On Gnocchi and Aodh services, we found on our platform that they are listening on
> Internal API VIP and External VIP, but this information is not listed in your
> document. Could you confirm to us that these services are actively listening on VIPs?

Yes, they are; I have updated the doc.

> - On the document, the format for ports used by services is this one:
> ovsdb-server Internal API Controllers/Computes TCP 6640 openvswitch database server
>
> With this format, we can define that the ovsdb-server service listens on the Internal API
> network, for OpenStack controller nodes and Compute nodes, but we cannot determine
> from WHERE they listen (on which network? on which node do they listen?). Is it
> possible to have this information for the services listed, please?

I've also updated the doc for this. The ovsdb-server is a new service, but it runs on the loopback interface and there are no ports opened for 6640 in the iptables rules of the controller/compute nodes, so it's not reachable from outside the node.

I've also updated the netstat section to make it obvious which networks are being listened on by adding a key for the mapping of IPs to networks.

> - On pages 5 & 6, we have this kind of information:
> tcp 0 0 overcloud.localdom:8042 0.0.0.0:* LISTEN 143897/haproxy
>
> Does "localdom" indicate a VIP? Because we found similarities on our test
> platform between our netstat output and some lines in the "Netstat changes" section.

Yes, here is the output from /etc/hosts on the controller. I have added this to the doc.
172.17.4.13	overcloud.storagemgmt.localdomain	# FQDN of the storage mgmt VIP
192.168.24.6	overcloud.ctlplane.localdomain	# FQDN of the ctlplane VIP
172.17.1.11	overcloud.internalapi.localdomain	# FQDN of the internal api VIP
172.17.3.14	overcloud.storage.localdomain	# FQDN of the storage VIP
10.0.0.107	overcloud.localdomain	# FQDN of the external VIP
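The question raised in this comment (from which network does a service actually listen?) is hard to answer from netstat output like the haproxy line quoted above, because netstat without -n resolves the VIP to its hostname and then truncates it to fit the column ("overcloud.localdom"). The script below is an added example for this thread, not Red Hat's or TripleO's code: it takes the /etc/hosts VIP table Bob pasted (using the "# FQDN of the <network> VIP" comment as the network name) and annotates each listening socket with the network it sits on, matching truncated hostnames as prefixes of the known VIP names and flagging loopback-only and wildcard listeners separately. The netstat lines other than the quoted haproxy one are constructed (fake PIDs and services) to exercise each case.

```python
# Added example, not from the bug or the product docs. Assumes netstat -tlp
# style columns and an /etc/hosts excerpt in the form quoted in comment 28.
import ipaddress
import re

# /etc/hosts excerpt as quoted in comment 28 (VIP -> FQDN, network named in the comment).
HOSTS = """\
172.17.4.13\tovercloud.storagemgmt.localdomain\t# FQDN of the storage mgmt VIP
192.168.24.6\tovercloud.ctlplane.localdomain\t# FQDN of the ctlplane VIP
172.17.1.11\tovercloud.internalapi.localdomain\t# FQDN of the internal api VIP
172.17.3.14\tovercloud.storage.localdomain\t# FQDN of the storage VIP
10.0.0.107\tovercloud.localdomain\t# FQDN of the external VIP
"""

# Constructed netstat lines: the first is the haproxy line quoted in comment 28,
# the rest are made up (fake PIDs) to cover truncated, ambiguous, loopback,
# wildcard and non-listening sockets.
NETSTAT = """\
tcp 0 0 overcloud.localdom:8042 0.0.0.0:* LISTEN 143897/haproxy
tcp 0 0 overcloud.internal:8042 0.0.0.0:* LISTEN 143897/haproxy
tcp 0 0 overcloud.storage:6800 0.0.0.0:* LISTEN 3300/ceph-osd
tcp 0 0 127.0.0.1:6640 0.0.0.0:* LISTEN 2201/ovsdb-server
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1180/sshd
tcp 0 0 overcloud.localdom:8042 10.0.0.50:41216 ESTABLISHED 143897/haproxy
"""

# proto recv-q send-q local foreign [state] pid/program  (udp lines have no state)
NETSTAT_RE = re.compile(
    r"^(?P<proto>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<prog>\S+)$"
)


def parse_hosts(text):
    """Return {ip: (fqdn, network)} for each VIP line of an /etc/hosts excerpt."""
    table = {}
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, fqdn = fields[0], fields[1]
        found = re.search(r"FQDN of the (.+?) VIP", comment)
        if found:
            network = found.group(1).strip()
        else:  # no comment: overcloud.<network>.localdomain, bare name = external
            labels = fqdn.split(".")
            network = labels[1] if len(labels) > 2 else "external"
        table[ip] = (fqdn, network)
    return table


def classify(local, hosts):
    """Classify a LOCAL-ADDRESS field ('host:port' or 'ip:port').

    Returns (port, scope, networks). scope: 'loopback' (node-local only),
    'wildcard' (every address the node holds), 'vip', 'ambiguous' (truncated
    name matches several VIPs) or 'unknown'.
    """
    host, _, port = local.rpartition(":")
    port = int(port) if port.isdigit() else port
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # netstat printed a (possibly truncated) hostname
    if ip is not None:
        if ip.is_loopback:
            return port, "loopback", []
        if ip.is_unspecified:
            return port, "wildcard", []
        if str(ip) in hosts:
            return port, "vip", [hosts[str(ip)][1]]
        return port, "unknown", []
    # netstat trims resolved names to the column width, so prefix-match them.
    matches = [net for fqdn, net in hosts.values() if fqdn.startswith(host)]
    if not matches:
        return port, "unknown", []
    return port, "vip" if len(matches) == 1 else "ambiguous", matches


def listening_services(netstat_text, hosts):
    """Parse netstat lines and return one dict per listening socket."""
    rows = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if not m:
            continue
        # TCP sockets must be in LISTEN; UDP lines carry no state column.
        if m.group("proto").startswith("tcp") and m.group("state") != "LISTEN":
            continue
        port, scope, networks = classify(m.group("local"), hosts)
        rows.append({"service": m.group("prog").split("/", 1)[-1],
                     "proto": m.group("proto"), "port": port,
                     "scope": scope, "networks": networks})
    return rows


def report(rows):
    """Render rows as 'service proto/port -> where it is reachable' lines."""
    where = {
        "loopback": lambda r: "loopback only (not reachable from other nodes)",
        "wildcard": lambda r: "every address on this node (iptables decides what is open)",
        "vip": lambda r: r["networks"][0] + " VIP",
        "ambiguous": lambda r: "one of: " + ", ".join(r["networks"]) + " (rerun netstat -n)",
        "unknown": lambda r: "unknown address",
    }
    return [f"{r['service']:<13} {r['proto']}/{r['port']:<5} -> {where[r['scope']](r)}"
            for r in rows]


if __name__ == "__main__":
    for line in report(listening_services(NETSTAT, parse_hosts(HOSTS))):
        print(line)
```

Two points the output makes visible: a truncated name such as "overcloud.storage" can match more than one VIP (storage and storage mgmt), so for an unambiguous inventory run netstat with -n and match the numeric address against the VIP table directly; and a wildcard (0.0.0.0 or ::) listener is bound on every address the node holds, so, as Bob's note on port 6640 shows, the iptables rules rather than the socket list decide whether it is reachable from another node.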
Comment 32 Bob Fournier 2017-09-05 10:37:36 EDT
I can help keep it up to date, just need to figure out how it will be presented.
Comment 34 Bob Fournier 2017-09-05 12:36:49 EDT
> Thanks Bob -- are you doing this officially as part of a DFG assignment?

Derek: Dan and I are in the HardwareProvisioning DFG, which also has responsibility for networking.
