Bug 1484004 - Installing docker does not configure iptables rules and NAT properly on undercloud - no containers connectivity
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: instack-undercloud
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 12.0 (Pike)
Assignee: Michele Baldessari
QA Contact: Omri Hochman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-08-22 12:54 UTC by Roee Agiman
Modified: 2018-02-05 19:12 UTC
CC List: 8 users

Fixed In Version: instack-undercloud-7.4.2-0.20171010064304.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-13 21:53:35 UTC
Target Upstream Version:
Embargoed:




Links
Launchpad 1709325 (last updated 2017-08-24 11:29:13 UTC)
OpenStack gerrit 491824, MERGED: "Remove docker --iptables=false on the undercloud" (last updated 2020-08-28 20:04:12 UTC)
Red Hat Product Errata RHEA-2017:3462, priority normal, SHIPPED_LIVE: Red Hat OpenStack Platform 12.0 Enhancement Advisory (last updated 2018-02-16 01:43:25 UTC)

Comment 3 Omri Hochman 2017-11-30 20:09:05 UTC
Verified with instack-undercloud-7.4.3-5.el7ost.noarch.

[root@overcloud-controller-0 ~]# docker exec -ti ced8e36c0ff7 /bin/bash
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
()[root@overcloud-controller-0 /]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=53.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=54.7 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=51 time=54.6 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=51 time=58.4 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=51 time=66.0 ms


(undercloud) [stack@undercloud74 ~]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-openvswi-INPUT  all  --  anywhere             anywhere
ironic-inspector  udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* 000 accept related established rules ipv4 */
ACCEPT     icmp --  anywhere             anywhere             state NEW /* 001 accept all icmp ipv4 */
ACCEPT     all  --  anywhere             anywhere             state NEW /* 002 accept all to lo interface ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports ssh state NEW /* 003 accept ssh ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports fs-agent state NEW /* 100 aodh_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 13042 state NEW /* 100 aodh_haproxy_ssl ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8777 state NEW /* 100 ceilometer_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 13777 state NEW /* 100 ceilometer_haproxy_ssl ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports msgsrvr state NEW /* 100 docker-registry_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 13787 state NEW /* 100 docker-registry_haproxy_ssl ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports armtechdaemon state NEW /* 100 glance_api_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 13292 state NEW /* 100 glance_api_haproxy_ssl ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8041 state NEW /* 100 gnocchi_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 13041 state NEW /* 100 gnocchi_haproxy_ssl ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8004 state NEW /* 100 heat_api_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 13004 state NEW /* 100 heat_api_haproxy_ssl ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports mmcc state NEW /* 100 ironic-inspector_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 13050 state NEW /* 100 ironic-inspector_haproxy_ssl ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 6385 state NEW /* 100 ironic_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 13385 state NEW /* 100 ironic_haproxy_ssl ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports openstack-id state NEW /* 100 keystone_admin_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports commplex-main state NEW /* 100 keystone_public_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 13000 state NEW /* 100 keystone_public_haproxy_ssl ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports sunwebadmins state NEW /* 100 mistral_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 13989 state NEW /* 100 mistral_haproxy_ssl ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 9696 state NEW /* 100 neutron_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 13696 state NEW /* 100 neutron_haproxy_ssl ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8775 state NEW /* 100 nova_metadata_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8774 state NEW /* 100 nova_osapi_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 13774 state NEW /* 100 nova_osapi_haproxy_ssl ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8778 state NEW /* 100 nova_placement_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 13778 state NEW /* 100 nova_placement_haproxy_ssl ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8977 state NEW /* 100 panko_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 13977 state NEW /* 100 panko_haproxy_ssl ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports webcache state NEW /* 100 swift_proxy_server_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 13808 state NEW /* 100 swift_proxy_server_haproxy_ssl ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports hbci state NEW /* 100 ui_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports https state NEW /* 100 ui_haproxy_ssl ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports ddi-tcp-1 state NEW /* 100 zaqar_api_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 13888 state NEW /* 100 zaqar_api_haproxy_ssl ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports cslistener state NEW /* 100 zaqar_ws_haproxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports cslistener state NEW /* 100 zaqar_ws_haproxy_ssl ipv4 */
ACCEPT     udp  --  anywhere             anywhere             multiport dports ntp state NEW /* 105 ntp ipv4 */
ACCEPT     vrrp --  anywhere             anywhere             state NEW /* 106 vrrp ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports snmp-tcp-port state NEW /* 107 haproxy stats ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 6379,26379 state NEW /* 108 redis ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports smc-https,6800:6810 state NEW /* 110 ceph ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports commplex-main,13000,openstack-id,13357 state NEW /* 111 keystone ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports armtechdaemon,sun-as-jpda,13292 state NEW /* 112 glance ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 6080,13080,8773,13773,8774,13774,8778,13778,8775,13775 state NEW /* 113 nova ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 9696,13696 state NEW /* 114 neutron server ipv4 */
ACCEPT     udp  --  anywhere             anywhere             multiport dports bootps state NEW /* 115 neutron dhcp input ipv4 */
ACCEPT     udp  --  anywhere             anywhere             multiport dports 4789 state NEW /* 118 neutron vxlan networks ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8776,13776 state NEW /* 119 cinder ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports iscsi-target state NEW /* 120 iscsi initiator ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports memcache state NEW /* 121 memcached ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports webcache,13808 state NEW /* 122 swift proxy ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports rsync,x11,6001,6002 state NEW /* 123 swift storage ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8777,13777 state NEW /* 124 ceilometer ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports irdmi,13800,mcreport,13003,8004,13004 state NEW /* 125 heat ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports http,https state NEW /* 126 horizon ipv4 */
ACCEPT     udp  --  anywhere             anywhere             multiport dports snmp state NEW /* 127 snmp ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports fs-agent,13042 state NEW /* 128 aodh ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8041,13041 state NEW /* 129 gnocchi-api ipv4 */
ACCEPT     udp  --  anywhere             anywhere             multiport dports tftp state NEW /* 130 tftp ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports rfb:cvsup state NEW /* 131 novnc ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports sunwebadmins,13989 state NEW /* 132 mistral ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports ddi-tcp-1,13888 state NEW /* 133 zaqar ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports cslistener state NEW /* 134 zaqar websockets ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 6385,13385 state NEW /* 135 ironic ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8779,13779 state NEW /* 136 trove ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports mmcc state NEW /* 137 ironic-inspector ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports msgsrvr,13787 state NEW /* 138 docker registry ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports radan-http state NEW /* 139 apache vhost ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports hbci,https state NEW /* 142 tripleo-ui ipv4 */
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 8977,13977 state NEW /* 143 panko-api ipv4 */
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
LOG        all  --  anywhere             anywhere             state NEW /* 998 log all ipv4 */ LOG level warning
DROP       all  --  anywhere             anywhere             state NEW /* 999 drop all ipv4 */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
neutron-filter-top  all  --  anywhere             anywhere
neutron-openvswi-FORWARD  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             192.168.0.0/24       state NEW /* 140 network cidr nat ipv4 */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-openvswi-OUTPUT  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             multiport dports bootpc state NEW /* 116 neutron dhcp output ipv4 */

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ironic-inspector (1 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-openvswi-local  all  --  anywhere             anywhere

Chain neutron-openvswi-FORWARD (1 references)
target     prot opt source               destination

Chain neutron-openvswi-INPUT (1 references)
target     prot opt source               destination

Chain neutron-openvswi-OUTPUT (1 references)
target     prot opt source               destination

Chain neutron-openvswi-local (1 references)
target     prot opt source               destination

Chain neutron-openvswi-sg-chain (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain neutron-openvswi-sg-fallback (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */
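
The FORWARD chain in the listing above carries the DOCKER and DOCKER-ISOLATION jumps that dockerd installs only when it is allowed to manage iptables; with `--iptables=false` (the state this bug fixes) those chains never appear and containers get no forwarding or NAT. As an added check that is not part of this bug report or of the instack-undercloud fix, the Python below parses `iptables -L` output and reports which of those hooks are missing; both samples are constructed, the first modelled on the Comment 3 listing.

```python
# Checks whether dockerd has wired its chains into the filter table; parses
# `iptables -L` text. Missing DOCKER chains = dockerd ran with --iptables=false.
import re

# Constructed sample modelled on the FORWARD chain of the verified undercloud.
IPTABLES_OK = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-ISOLATION  all  --  anywhere             anywhere
DOCKER     all  --  anywhere             anywhere

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
"""

# Constructed sample of the broken state: dockerd started with --iptables=false.
IPTABLES_BROKEN = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")

def parse_chains(listing):
    """Return {chain_name: [target, ...]} from `iptables -L` output."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("target "):
            chains[current].append(line.split()[0])  # first column is the target
    return chains

def docker_chain_problems(listing):
    """List what is missing for Docker-managed forwarding; empty list means OK."""
    chains = parse_chains(listing)
    problems = []
    for chain in ("DOCKER", "DOCKER-ISOLATION"):
        if chain not in chains:
            problems.append("chain %s does not exist" % chain)
        if chain not in chains.get("FORWARD", []):
            problems.append("FORWARD does not jump to %s" % chain)
    return problems
```

Run it against `sudo iptables -L` captured on the undercloud; the nat-table MASQUERADE rule dockerd adds is a separate check not covered here.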

Comment 6 errata-xmlrpc 2017-12-13 21:53:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462

