Bug 1571182

| Field | Value |
|---|---|
| Summary | iptables blocks pxe boot on undercloud after ffu from 10 to 13 |
| Product | Red Hat OpenStack |
| Component | openstack-tripleo |
| Status | CLOSED DUPLICATE |
| Severity | unspecified |
| Priority | high |
| Version | 13.0 (Queens) |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Yolanda Robla <yroblamo> |
| Assignee | James Slagle <jslagle> |
| QA Contact | Arik Chernetsky <achernet> |
| CC | bfournie, mburns, sathlang |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2018-04-24 12:33:44 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |

Description
Yolanda Robla
2018-04-24 09:06:17 UTC
Created attachment 1425876 [details]
sosreport on 13
In my initial Newton deployment I get:

```
rpm -qa | grep iptables
iptables-services-1.4.21-18.3.el7_4.x86_64
iptables-1.4.21-18.3.el7_4.x86_64
```

```
Chain INPUT (policy ACCEPT)
target prot opt source destination
neutron-openvswi-INPUT all -- anywhere anywhere
ironic-inspector udp -- anywhere anywhere udp dpt:bootps
ACCEPT all -- anywhere anywhere /* 000 accept related established rules */ state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere /* 001 accept all icmp */ state NEW
ACCEPT all -- anywhere anywhere /* 002 accept all to lo interface */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports ssh /* 003 accept ssh */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports 27019 /* 101 mongodb_config */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports 27018 /* 102 mongodb_sharding */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports 27017 /* 103 mongod */ state NEW
ACCEPT udp -- anywhere anywhere multiport dports ntp /* 105 ntp */ state NEW
ACCEPT vrrp -- anywhere anywhere /* 106 vrrp */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports snmp-tcp-port /* 107 haproxy stats */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports 6379,26379 /* 108 redis */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports smc-https,6800:6810 /* 110 ceph */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports commplex-main,13000,openstack-id,13357 /* 111 keystone */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports armtechdaemon,sun-as-jpda,13292 /* 112 glance */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports 6080,13080,8773,13773,8774,13774,8775,13775 /* 113 nova */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports 9696,13696 /* 114 neutron server */ state NEW
ACCEPT udp -- anywhere anywhere multiport dports bootps /* 115 neutron dhcp input */ state NEW
ACCEPT udp -- anywhere anywhere multiport dports 4789 /* 118 neutron vxlan networks */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports 8776,13776 /* 119 cinder */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports iscsi-target /* 120 iscsi initiator */ state NEW
ACCEPT tcp -- localhost anywhere multiport dports memcache /* 121 memcached */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports webcache,13808 /* 122 swift proxy */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports rsync,x11,6001,6002 /* 123 swift storage */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports 8777,13777 /* 124 ceilometer */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports irdmi,13800,mcreport,13003,8004,13004 /* 125 heat */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports http,https /* 126 horizon */ state NEW
ACCEPT udp -- anywhere anywhere multiport dports snmp /* 127 snmp */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports fs-agent,13042 /* 128 aodh */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports 8041,13041 /* 129 gnocchi-api */ state NEW
ACCEPT udp -- anywhere anywhere multiport dports tftp /* 130 tftp */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports rfb:cvsup /* 131 novnc */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports sunwebadmins,13989 /* 132 mistral */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports ddi-tcp-1,13888 /* 133 zaqar */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports cslistener /* 134 zaqar websockets */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports 6385,13385 /* 135 ironic */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports 8779,13779 /* 136 trove */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports mmcc /* 137 ironic-inspector */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports msgsrvr /* 138 docker registry */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports radan-http /* 139 apache vhost */ state NEW
ACCEPT tcp -- anywhere anywhere multiport dports hbci /* 142 tripleo-ui */ state NEW
LOG all -- anywhere anywhere /* 998 log all */ state NEW LOG level warning
DROP all -- anywhere anywhere /* 999 drop all */ state NEW

Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-openvswi-FORWARD all -- anywhere anywhere
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere 192.0.2.0/24 /* 140 destination network cidr nat */ state NEW
ACCEPT all -- 192.0.2.0/24 anywhere /* 140 source network cidr nat */ state NEW
ACCEPT tcp -- anywhere 192.168.122.0/24 /* 141 libvirt network nat */ state NEW

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-openvswi-OUTPUT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere multiport dports bootpc /* 116 neutron dhcp output */ state NEW

Chain DOCKER (1 references)
target prot opt source destination

Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain ironic-inspector (1 references)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-openvswi-local all -- anywhere anywhere

Chain neutron-openvswi-FORWARD (1 references)
target prot opt source destination

Chain neutron-openvswi-INPUT (1 references)
target prot opt source destination

Chain neutron-openvswi-OUTPUT (1 references)
target prot opt source destination

Chain neutron-openvswi-local (1 references)
target prot opt source destination

Chain neutron-openvswi-sg-chain (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain neutron-openvswi-sg-fallback (0 references)
target prot opt source destination
DROP all -- anywhere anywhere /* Default drop rule for unmatched traffic. */
```

Created attachment 1425979 [details]
sosreport on 10
This is due to the fact that the DHCP filtering used for the inspector dnsmasq changed from iptables-based to dnsmasq-based in OSP-13. This rule still remains on upgrade, however, and is what is causing the problem:

```
Chain ironic-inspector (1 references)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
```

This is being tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1570386, I will close as duplicate.

*** This bug has been marked as a duplicate of bug 1570386 ***

I applied the suggested changes and I can introspect now
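
The leftover rule discussed in this report can be detected mechanically. The following is an added example, not part of the original bug report or of TripleO: it parses `iptables -L` output and flags any jump from `INPUT` into a user-defined chain whose first rule is an unconditional REJECT or DROP, which is the shape of the stale `ironic-inspector` chain. The function names and the `SAMPLE` excerpt (constructed from the listing quoted in the report) are assumptions of the example.

```python
import re

# Constructed sample: an excerpt of the `iptables -L` listing quoted in this report.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-openvswi-INPUT  all  --  anywhere             anywhere
ironic-inspector  udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             /* 000 accept related established rules */ state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             multiport dports bootps /* 115 neutron dhcp input */ state NEW
DROP       all  --  anywhere             anywhere             /* 999 drop all */ state NEW

Chain ironic-inspector (1 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain neutron-openvswi-INPUT (1 references)
target     prot opt source               destination
"""

def parse_listing(text):
    """Return {chain: [(target, prot, source, destination, extra), ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = chains.setdefault(m.group(1), [])
        elif line.strip() and not line.startswith("target") and current is not None:
            f = line.split(None, 5)  # target prot opt source destination [extra]
            current.append((f[0], f[1], f[3], f[4], f[5] if len(f) > 5 else ""))
    return chains

def stale_blockers(chains, builtin="INPUT"):
    """Find jumps from `builtin` into a user chain whose first rule is an
    unconditional REJECT/DROP: everything the jump matches is refused there,
    so a later ACCEPT for the same traffic in `builtin` is never reached."""
    hits = []
    for pos, (target, prot, _src, _dst, extra) in enumerate(chains.get(builtin, []), 1):
        body = chains.get(target)
        if not body:
            continue  # built-in target (ACCEPT, DROP, ...) or an empty chain
        t, p, src, dst, ex = body[0]
        rest = re.sub(r"reject-with \S+", "", ex).strip()  # ignore the reject type
        if t in ("REJECT", "DROP") and p == "all" and src == dst == "anywhere" and not rest:
            hits.append((pos, target, prot, extra.strip(), t))
    return hits
```

`iptables -L` without `-v` does not show interface matches, so a hit is a prompt to inspect the chain with more detail, not proof that the traffic is refused on every interface.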