FailedQA:
Environment:
instack-undercloud-7.4.9-2.el7ost.noarch

[stack@undercloud-0 ~]$ sudo iptables -L FORWARD
Chain FORWARD (policy DROP)
target                    prot opt source               destination
neutron-filter-top        all  --  anywhere             anywhere
neutron-openvswi-FORWARD  all  --  anywhere             anywhere
ACCEPT                    all  --  anywhere             192.168.24.0/24      state NEW /* 140 destination network cidr nat ipv4 */
DOCKER-ISOLATION          all  --  anywhere             anywhere
DOCKER                    all  --  anywhere             anywhere
ACCEPT                    all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT                    all  --  anywhere             anywhere
ACCEPT                    all  --  anywhere             anywhere
ACCEPT                    tcp  --  anywhere             192.168.24.0/24      /* 140 network cidr nat ipv4 */ state NEW
ACCEPT                    all  --  192.168.24.0/24      anywhere             state NEW /* 140 source network cidr nat ipv4 */
ACCEPT                    tcp  --  anywhere             192.168.122.0/24     /* 141 libvirt network nat ipv4 */ state NEW
(In reply to Alexander Chuzhoy from comment #5)
> FailedQA:
> Environment:
> instack-undercloud-7.4.9-2.el7ost.noarch
>
> [stack@undercloud-0 ~]$ sudo iptables -L FORWARD
> Chain FORWARD (policy DROP)
...
> ACCEPT all -- anywhere 192.168.24.0/24 state NEW /*
> 140 destination network cidr nat ipv4 */
...
> ACCEPT all -- 192.168.24.0/24 anywhere state NEW /*
> 140 source network cidr nat ipv4 */

Those rules + the RELATED,ESTABLISHED rule should allow traffic from and to the ctlplane, and so we should be good, no?
Apparently not enough. I'd suggest adding at least:

iptables -I FORWARD -p icmp -s 192.168.24.0/24 -j ACCEPT
iptables -I FORWARD -p icmp -d 192.168.24.0/24 -j ACCEPT
iptables -I FORWARD -p udp -s 192.168.24.0/24 -j ACCEPT
iptables -I FORWARD -p udp -d 192.168.24.0/24 -j ACCEPT
(In reply to Alexander Chuzhoy from comment #5)
> FailedQA:
> Environment:
> instack-undercloud-7.4.9-2.el7ost.noarch
>
> [stack@undercloud-0 ~]$ sudo iptables -L FORWARD
> Chain FORWARD (policy DROP)
> target prot opt source destination
> neutron-filter-top all -- anywhere anywhere
> neutron-openvswi-FORWARD all -- anywhere anywhere
> ACCEPT all -- anywhere 192.168.24.0/24 state NEW /*
> 140 destination network cidr nat ipv4 */
> DOCKER-ISOLATION all -- anywhere anywhere
> DOCKER all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere ctstate
> RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT tcp -- anywhere 192.168.24.0/24 /* 140 network
> cidr nat ipv4 */ state NEW

This indicates it wasn't a clean install. This won't exist if you only use the new package.

> ACCEPT all -- 192.168.24.0/24 anywhere state NEW /*
> 140 source network cidr nat ipv4 */
> ACCEPT tcp -- anywhere 192.168.122.0/24 /* 141 libvirt
> network nat ipv4 */ state NEW

Please recheck with a fresh install. Updates should not be affected, because ip_forward should already be set to 1, which will prevent docker from switching the FORWARD policy to DROP.
Fresh deployment of puddle 2018-03-10.1 has the correct setting.

(undercloud) [stack@undercloud-0 ~]$ sudo iptables -S | grep FORW
-P FORWARD ACCEPT
-N neutron-openvswi-FORWARD
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -d 192.168.24.0/24 -m state --state NEW -m comment --comment "140 destination network cidr nat ipv4" -j ACCEPT
-A FORWARD -s 192.168.24.0/24 -m state --state NEW -m comment --comment "140 source network cidr nat ipv4" -j ACCEPT
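A script that classifies the two FORWARD-chain states seen in this thread (policy DROP with the ctlplane "140 ... cidr nat ipv4" rules on the upgraded undercloud, policy ACCEPT on the fresh deployment), added here as an example and not code from the bug report or from instack-undercloud; the `-S` form of the comment #5 listing is constructed, the fresh listing is taken from the output above.

```shell
#!/usr/bin/env bash
# Added example, not code from the bug report or from instack-undercloud.
# Policy ACCEPT is the fresh-install state; policy DROP is what Docker installs when it
# had to enable ip_forward itself, after which ctlplane traffic only passes via explicit rules.
# forward_policy: print the FORWARD chain policy (ACCEPT/DROP) from `iptables -S` text on stdin.
forward_policy() {
  awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# cidr_accept_rules CIDR: count FORWARD ACCEPT rules whose -s or -d is exactly CIDR.
cidr_accept_rules() {
  awk -v c="$1" '
    $1 == "-A" && $2 == "FORWARD" && / -j ACCEPT/ {
      for (i = 3; i < NF; i++) if (($i == "-s" || $i == "-d") && $(i+1) == c) { n++; break }
    }
    END { print n + 0 }'
}

# audit_forward RULES CIDR: one-word verdict.
#   accept           policy ACCEPT (fresh install)
#   drop-with-rules  policy DROP, but -s/-d ACCEPT rules for CIDR exist (the upgraded box)
#   drop-no-rules    policy DROP and no FORWARD rule admits CIDR traffic at all
audit_forward() {
  local rules="$1" cidr="$2" policy n
  policy=$(printf '%s\n' "$rules" | forward_policy)
  n=$(printf '%s\n' "$rules" | cidr_accept_rules "$cidr")
  case "$policy" in
    ACCEPT) echo accept ;;
    DROP)   [ "$n" -ge 2 ] && echo drop-with-rules || echo drop-no-rules ;;
    *)      echo unknown ;;
  esac
}

# Constructed sample: the upgraded undercloud of comment #5, re-expressed in `-S` form.
UPGRADED='-P FORWARD DROP
-A FORWARD -j neutron-filter-top
-A FORWARD -d 192.168.24.0/24 -m state --state NEW -m comment --comment "140 destination network cidr nat ipv4" -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.24.0/24 -m state --state NEW -m comment --comment "140 source network cidr nat ipv4" -j ACCEPT'

# Sample taken from the fresh deployment listing (only the policy line decides the verdict).
FRESH='-P FORWARD ACCEPT
-A FORWARD -d 192.168.24.0/24 -m state --state NEW -m comment --comment "140 destination network cidr nat ipv4" -j ACCEPT'

# Live use on the undercloud itself (needs root): ./audit.sh --live [CIDR]
if [ "${1:-}" = "--live" ]; then
  audit_forward "$(iptables -S FORWARD)" "${2:-192.168.24.0/24}"
  echo "ip_forward=$(cat /proc/sys/net/ipv4/ip_forward)"
fi
```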
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0607