Red Hat Bugzilla – Bug 1472119
Update documentation Configure firewall and network flows for Openstack 10
Last modified: 2017-11-09 01:26:02 EST
Description of problem:
Customers were looking for documentation on how to configure the firewall and network flows for OpenStack 10.
There is a document for OSP 10
and some for OSP 8
but nothing for OSP10. Could you write it down, publish it officially and include it in future versions?
Something like that?
(In reply to Cyril Lopez from comment #3)
> Something like that?
It is more like https://access.redhat.com/solutions/2718021 (TCP / UDP Ports used by OpenStack) or the Excel file I just uploaded.
Hi, could you get an update about this BZ please?
> - On Gnocchi and Aodh services, we found on our platform that they are listening on
> Internal API VIP and External VIP, but this information is not listed in your
> document. Could you confirm that these services are actively listening on VIPs?
Yes they are, I have updated the doc.
> - In the document, the format for ports used by services is this one:
> ovsdb-server Internal API Controllers/Computes TCP 6640 openvswitch database server
> With this format, we can determine that the ovsdb-server service listens on the Internal API
> network, for OpenStack controller nodes and Compute nodes, but we cannot determine
> from WHERE they listen (on which network? on which node do they listen?). Is it
> possible to have this information for the services listed, please?
I've also updated the doc for this. The ovsdb-server is a new service but it runs on the loopback interface and there are no ports opened for 6640 in iptables of controller/compute so it's not reachable outside the node.
I've also updated the netstat section to make it obvious which networks are being listened on by adding a key for the mapping of IPs to networks.
> - On page 5 & 6, we have this kind of information :
> tcp 0 0 overcloud.localdom:8042 0.0.0.0:* LISTEN 143897/haproxy
> Does the "localdom" indicate a VIP? Because we found similarities on our test
> platform between our netstat output and some lines in the "Netstat changes" section.
Yes, here is the output from /etc/hosts on the controller. I have added this to the doc.
172.17.4.13 overcloud.storagemgmt.localdomain # FQDN of the storage mgmt VIP
192.168.24.6 overcloud.ctlplane.localdomain # FQDN of the ctlplane VIP
172.17.1.11 overcloud.internalapi.localdomain # FQDN of the internal api VIP
172.17.3.14 overcloud.storage.localdomain # FQDN of the storage VIP
10.0.0.107 overcloud.localdomain # FQDN of the external VIP
I can help keep it up to date, just need to figure out how it will be presented.
> Thanks Bob -- are you doing this officially as part of a DFG assignment?
Derek - Dan and I are in the HardwareProvisioning DFG, which also has responsibility for networking.
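
An added example, not part of this bug thread or of the Red Hat document it discusses: a sketch that applies the IP-to-network key from the /etc/hosts output quoted above to numeric `netstat -lntp` lines, so each listener is labelled with the network it is exposed on and loopback-only services such as ovsdb-server on 6640 stand out. The sample lines are constructed; only the VIP addresses, ports 8042 and 6640 and the haproxy PID come from the thread, and the function names are hypothetical.

```python
import ipaddress

# VIP-to-network key, copied from the /etc/hosts output quoted in the thread.
VIP_NETWORKS = {
    "172.17.4.13": "storage mgmt VIP",
    "192.168.24.6": "ctlplane VIP",
    "172.17.1.11": "internal api VIP",
    "172.17.3.14": "storage VIP",
    "10.0.0.107": "external VIP",
}

# Constructed sample in `netstat -lntp` layout. Numeric output (-n) avoids the
# truncated host names ("overcloud.localdom") seen in the non-numeric listing.
SAMPLE = """\
tcp 0 0 10.0.0.107:8042 0.0.0.0:* LISTEN 143897/haproxy
tcp 0 0 172.17.1.11:8042 0.0.0.0:* LISTEN 143897/haproxy
tcp 0 0 127.0.0.1:6640 0.0.0.0:* LISTEN 2101/ovsdb-server
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1180/sshd
tcp 0 0 172.17.1.20:3306 0.0.0.0:* LISTEN 9001/mysqld
"""

def classify(addr):
    """Return the exposure of a local listen address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "all interfaces"        # 0.0.0.0 or :: binds every network
    if ip.is_loopback:
        return "loopback only"         # not reachable from outside the node
    return VIP_NETWORKS.get(addr, "node address (not a VIP)")

def label_listeners(text):
    """Parse LISTEN rows and return (program, port, exposure) tuples."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        addr, _, port = f[3].rpartition(":")   # also handles ":::22" and "::1:6640"
        prog = f[6].split("/", 1)[-1] if len(f) > 6 else "-"
        rows.append((prog, int(port), classify(addr)))
    return rows

if __name__ == "__main__":
    for prog, port, exposure in label_listeners(SAMPLE):
        print(f"{prog:14} tcp/{port:<6} {exposure}")
```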