Hide Forgot
verified with instack-undercloud-7.4.3-5.el7ost.noarch. [root@overcloud-controller-0 ~]# docker exec -ti ced8e36c0ff7 /bin/bash tput: No value for $TERM and no -T specified tput: No value for $TERM and no -T specified tput: No value for $TERM and no -T specified tput: No value for $TERM and no -T specified ()[root@overcloud-controller-0 /]# ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=51 time=53.8 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=51 time=54.7 ms 64 bytes from 8.8.8.8: icmp_seq=3 ttl=51 time=54.6 ms 64 bytes from 8.8.8.8: icmp_seq=4 ttl=51 time=58.4 ms 64 bytes from 8.8.8.8: icmp_seq=5 ttl=51 time=66.0 ms (undercloud) [stack@undercloud74 ~]$ sudo iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination neutron-openvswi-INPUT all -- anywhere anywhere ironic-inspector udp -- anywhere anywhere udp dpt:bootps ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED /* 000 accept related established rules ipv4 */ ACCEPT icmp -- anywhere anywhere state NEW /* 001 accept all icmp ipv4 */ ACCEPT all -- anywhere anywhere state NEW /* 002 accept all to lo interface ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports ssh state NEW /* 003 accept ssh ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports fs-agent state NEW /* 100 aodh_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 13042 state NEW /* 100 aodh_haproxy_ssl ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 8777 state NEW /* 100 ceilometer_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 13777 state NEW /* 100 ceilometer_haproxy_ssl ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports msgsrvr state NEW /* 100 docker-registry_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 13787 state NEW /* 100 docker-registry_haproxy_ssl ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports armtechdaemon state NEW /* 100 glance_api_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 13292 state NEW /* 100 glance_api_haproxy_ssl ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 8041 state NEW /* 100 gnocchi_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 13041 state NEW /* 100 gnocchi_haproxy_ssl ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 8004 state NEW /* 100 heat_api_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 13004 state NEW /* 100 heat_api_haproxy_ssl ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports mmcc state NEW /* 100 ironic-inspector_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 13050 state NEW /* 100 ironic-inspector_haproxy_ssl ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 6385 state NEW /* 100 ironic_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 13385 state NEW /* 100 ironic_haproxy_ssl ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports openstack-id state NEW /* 100 keystone_admin_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports commplex-main state NEW /* 100 keystone_public_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 13000 state NEW /* 100 keystone_public_haproxy_ssl ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports sunwebadmins state NEW /* 100 mistral_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 13989 state NEW /* 100 mistral_haproxy_ssl ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 9696 state NEW /* 100 neutron_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 13696 state NEW /* 100 neutron_haproxy_ssl ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 8775 state NEW /* 100 nova_metadata_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 8774 state NEW /* 100 nova_osapi_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 13774 state NEW /* 100 nova_osapi_haproxy_ssl ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 8778 state NEW /* 100 nova_placement_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 13778 state NEW /* 100 nova_placement_haproxy_ssl ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 8977 state NEW /* 100 panko_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 13977 state NEW /* 100 panko_haproxy_ssl ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports webcache state NEW /* 100 swift_proxy_server_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 13808 state NEW /* 100 swift_proxy_server_haproxy_ssl ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports hbci state NEW /* 100 ui_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports https state NEW /* 100 ui_haproxy_ssl ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports ddi-tcp-1 state NEW /* 100 zaqar_api_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 13888 state NEW /* 100 zaqar_api_haproxy_ssl ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports cslistener state NEW /* 100 zaqar_ws_haproxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports cslistener state NEW /* 100 zaqar_ws_haproxy_ssl ipv4 */ ACCEPT udp -- anywhere anywhere multiport dports ntp state NEW /* 105 ntp ipv4 */ ACCEPT vrrp -- anywhere anywhere state NEW /* 106 vrrp ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports snmp-tcp-port state NEW /* 107 haproxy stats ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 6379,26379 state NEW /* 108 redis ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports smc-https,6800:6810 state NEW /* 110 ceph ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports commplex-main,13000,openstack-id,13357 state NEW /* 111 keystone ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports armtechdaemon,sun-as-jpda,13292 state NEW /* 112 glance ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 6080,13080,8773,13773,8774,13774,8778,13778,8775,13775 state NEW /* 113 nova ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 9696,13696 state NEW /* 114 neutron server ipv4 */ ACCEPT udp -- anywhere anywhere multiport dports bootps state NEW /* 115 neutron dhcp input ipv4 */ ACCEPT udp -- anywhere anywhere multiport dports 4789 state NEW /* 118 neutron vxlan networks ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 8776,13776 state NEW /* 119 cinder ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports iscsi-target state NEW /* 120 iscsi initiator ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports memcache state NEW /* 121 memcached ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports webcache,13808 state NEW /* 122 swift proxy ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports rsync,x11,6001,6002 state NEW /* 123 swift storage ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 8777,13777 state NEW /* 124 ceilometer ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports irdmi,13800,mcreport,13003,8004,13004 state NEW /* 125 heat ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports http,https state NEW /* 126 horizon ipv4 */ ACCEPT udp -- anywhere anywhere multiport dports snmp state NEW /* 127 snmp ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports fs-agent,13042 state NEW /* 128 aodh ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 8041,13041 state NEW /* 129 gnocchi-api ipv4 */ ACCEPT udp -- anywhere anywhere multiport dports tftp state NEW /* 130 tftp ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports rfb:cvsup state NEW /* 131 novnc ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports sunwebadmins,13989 state NEW /* 132 mistral ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports ddi-tcp-1,13888 state NEW /* 133 zaqar ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports cslistener state NEW /* 134 zaqar websockets ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 6385,13385 state NEW /* 135 ironic ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 8779,13779 state NEW /* 136 trove ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports mmcc state NEW /* 137 ironic-inspector ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports msgsrvr,13787 state NEW /* 138 docker registry ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports radan-http state NEW /* 139 apache vhost ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports hbci,https state NEW /* 142 tripleo-ui ipv4 */ ACCEPT tcp -- anywhere anywhere multiport dports 8977,13977 state NEW /* 143 panko-api ipv4 */ ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-host-prohibited LOG all -- anywhere anywhere state NEW /* 998 log all ipv4 */ LOG level warning DROP all -- anywhere anywhere state NEW /* 999 drop all ipv4 */ Chain FORWARD (policy ACCEPT) target prot opt source destination DOCKER-ISOLATION all -- anywhere anywhere DOCKER all -- anywhere anywhere ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere neutron-filter-top all -- anywhere anywhere neutron-openvswi-FORWARD all -- anywhere anywhere ACCEPT tcp -- anywhere 192.168.0.0/24 state NEW /* 140 network cidr nat ipv4 */ Chain OUTPUT (policy ACCEPT) target prot opt source destination neutron-filter-top all -- anywhere anywhere neutron-openvswi-OUTPUT all -- anywhere anywhere ACCEPT udp -- anywhere anywhere multiport dports bootpc state NEW /* 116 neutron dhcp output ipv4 */ Chain DOCKER (1 references) target prot opt source destination Chain DOCKER-ISOLATION (1 references) target prot opt source destination RETURN all -- anywhere anywhere Chain ironic-inspector (1 references) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-port-unreachable Chain neutron-filter-top (2 references) target prot opt source destination neutron-openvswi-local all -- anywhere anywhere Chain neutron-openvswi-FORWARD (1 references) target prot opt source destination Chain neutron-openvswi-INPUT (1 references) target prot opt source destination Chain neutron-openvswi-OUTPUT (1 references) target prot opt source destination Chain neutron-openvswi-local (1 references) target prot opt source destination Chain neutron-openvswi-sg-chain (0 references) target prot opt source destination ACCEPT all -- anywhere anywhere Chain neutron-openvswi-sg-fallback (0 references) target prot opt source destination DROP all -- anywhere anywhere /* Default drop rule for unmatched traffic. */
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:3462