Bug 1550976 - newer versions of docker switch FORWARD chain to DROP by default [openstack-12]
Summary: newer versions of docker switch FORWARD chain to DROP by default [openstack-12]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: instack-undercloud
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: z2
: 12.0 (Pike)
Assignee: James Slagle
QA Contact: Gurenko Alex
URL:
Whiteboard:
Depends On: 1543580 1553848 1553849
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-03-02 13:04 UTC by Mike Burns
Modified: 2018-08-03 18:30 UTC (History)
25 users (show)

Fixed In Version: instack-undercloud-7.4.9-2.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1543580
Environment:
Last Closed: 2018-03-28 17:32:48 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1750194 0 None None None 2018-03-02 13:04:06 UTC
OpenStack gerrit 548616 0 None None None 2018-03-02 13:07:59 UTC
Red Hat Product Errata RHBA-2018:0607 0 None None None 2018-03-28 17:33:08 UTC

Comment 5 Alexander Chuzhoy 2018-03-08 15:18:52 UTC 
FailedQA:
Environment:
instack-undercloud-7.4.9-2.el7ost.noarch

[stack@undercloud-0 ~]$ sudo iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-openvswi-FORWARD  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             192.168.24.0/24      state NEW /* 140 destination network cidr nat ipv4 */
DOCKER-ISOLATION  all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             192.168.24.0/24      /* 140 network cidr nat ipv4 */ state NEW
ACCEPT     all  --  192.168.24.0/24      anywhere             state NEW /* 140 source network cidr nat ipv4 */
ACCEPT     tcp  --  anywhere             192.168.122.0/24     /* 141 libvirt network nat ipv4 */ state NEW
Comment 6 Michele Baldessari 2018-03-08 15:48:35 UTC 
(In reply to Alexander Chuzhoy from comment #5)
> FailedQA:
> Environment:
> instack-undercloud-7.4.9-2.el7ost.noarch
> 
> [stack@undercloud-0 ~]$ sudo iptables -L FORWARD
> Chain FORWARD (policy DROP)
...
> ACCEPT     all  --  anywhere             192.168.24.0/24      state NEW /*
> 140 destination network cidr nat ipv4 */
...
> ACCEPT     all  --  192.168.24.0/24      anywhere             state NEW /*
> 140 source network cidr nat ipv4 */

Those rules + the RELATED,ESTABLISHED rule should allow traffic from and to the ctlplane and so we should be good no?
Comment 7 Alexander Chuzhoy 2018-03-08 18:24:07 UTC 
Apparently not enough:

I'd suggest adding at least:

iptables -I FORWARD -p icmp -s 192.168.24.0/24 -j ACCEPT
iptables -I FORWARD -p icmp -d 192.168.24.0/24 -j ACCEPT
iptables -I FORWARD -p udp -s 192.168.24.0/24 -j ACCEPT
iptables -I FORWARD -p udp -d 192.168.24.0/24 -j ACCEPT
Comment 10 Alex Schultz 2018-03-09 17:04:51 UTC 
(In reply to Alexander Chuzhoy from comment #5)
> FailedQA:
> Environment:
> instack-undercloud-7.4.9-2.el7ost.noarch
> 
> [stack@undercloud-0 ~]$ sudo iptables -L FORWARD
> Chain FORWARD (policy DROP)
> target     prot opt source               destination         
> neutron-filter-top  all  --  anywhere             anywhere            
> neutron-openvswi-FORWARD  all  --  anywhere             anywhere            
> ACCEPT     all  --  anywhere             192.168.24.0/24      state NEW /*
> 140 destination network cidr nat ipv4 */
> DOCKER-ISOLATION  all  --  anywhere             anywhere            
> DOCKER     all  --  anywhere             anywhere            
> ACCEPT     all  --  anywhere             anywhere             ctstate
> RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere            
> ACCEPT     all  --  anywhere             anywhere            
> ACCEPT     tcp  --  anywhere             192.168.24.0/24      /* 140 network
> cidr nat ipv4 */ state NEW

This indicates it wasn't a clean install. This won't exist if you only use the new package. 

> ACCEPT     all  --  192.168.24.0/24      anywhere             state NEW /*
> 140 source network cidr nat ipv4 */
> ACCEPT     tcp  --  anywhere             192.168.122.0/24     /* 141 libvirt
> network nat ipv4 */ state NEW


Please recheck with a fresh install.  Updates should not be affected because ip_forward should already be set to 1 which will prevent docker from switch the forward rule to DROP.
Comment 12 Gurenko Alex 2018-03-14 10:38:32 UTC 
Fresh deployment of puddle 2018-03-10.1 have a correct setting.

(undercloud) [stack@undercloud-0 ~]$ sudo iptables -S | grep FORW
-P FORWARD ACCEPT
-N neutron-openvswi-FORWARD
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-openvswi-FORWARD
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -d 192.168.24.0/24 -m state --state NEW -m comment --comment "140 destination network cidr nat ipv4" -j ACCEPT
-A FORWARD -s 192.168.24.0/24 -m state --state NEW -m comment --comment "140 source network cidr nat ipv4" -j ACCEPT
Comment 17 errata-xmlrpc 2018-03-28 17:32:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0607
Note You need to log in before you can comment on or make changes to this bug.