Bug 986371 - TFTP blocked by firewall causing timeout during pxe provisioning process
Status: CLOSED CURRENTRELEASE
Product: Red Hat OpenStack
Classification: Red Hat
Component: doc-Installation_and_Configuration_Guide
3.0
x86_64 Linux
high Severity medium
: z2
: 4.0
Assigned To: Scott Radvan
ecs-bugs
: Documentation, Triaged, ZStream
Depends On:
Blocks: 1010310
Reported: 2013-07-19 11:16 EDT by Chris Lunsford
Modified: 2015-04-06 23:21 EDT

Doc Type: Bug Fix
Environment:
Build: CSProcessor Builder Version 1.11 Build Name: 19219, Deployment Guide (Foreman Technical Preview)-null-1 Build Date: 11-07-2013 11:55:35 Topic ID: 20080-472633 [Latest]
Last Closed: 2014-03-03 19:27:28 EST
Type: Bug


Description Chris Lunsford 2013-07-19 11:16:49 EDT
Title: Configuring the Firewall

Describe the issue:
Firewall rule to allow tftp (UDP 69) is missing, preventing hosts from pxe booting during the provisioning process.

Suggestions for improvement:
Add an additional line to allow udp 69 to the list of firewall rules

Additional information:

After following the guide, the host was timing out during the PXE process.

On the foreman host, I manually ran:
iptables -I INPUT -p udp --dport 69 -j ACCEPT
service iptables save
service iptables restart

which added this line to /etc/sysconfig/iptables
-A INPUT -p udp -m udp --dport 69 -j ACCEPT

After doing this, the host retrieved the appropriate pxelinux file.
Comment 2 Chris Lunsford 2013-07-26 11:12:17 EDT
I've hit a similar issue with DNS being blocked by firewall, which causes a failure during the kickstart configuration (host cannot resolve foreman's hostname to pull install.img).  I opened UDP 53 to resolve this using: 

iptables -I INPUT -p udp --dport 53 -j ACCEPT

I can open a separate bug for this, if preferred.
Comment 3 Stephen Gordon 2013-07-26 11:40:44 EDT
(In reply to Chris Lunsford from comment #2)
> I've hit a similar issue with DNS being blocked by firewall, which causes a
> failure during the kickstart configuration (host cannot resolve foreman's
> hostname to pull install.img).  I opened UDP 53 to resolve this using: 
> 
> iptables -I INPUT -p udp --dport 53 -j ACCEPT
> 
> I can open a separate bug for this, if preferred.

I am happy to kill both under this bug; effectively, what is required under this bug is a new/updated procedure for ensuring the Firewall configuration on the Foreman server is correct.
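
Added example, not part of the bug thread or of the Red Hat guide: a shell check over an iptables-save style file such as /etc/sysconfig/iptables that reports whether UDP 69 (TFTP) and UDP 53 (DNS) are accepted before the INPUT chain's catch-all rule. The function names and the sample ruleset are constructed for illustration; the check assumes single-port `--dport` matches and a catch-all REJECT/DROP with no match options.

```shell
#!/bin/sh
# Audit an iptables-save style file (e.g. /etc/sysconfig/iptables) for the
# two ports this bug found blocked. Added example; names are hypothetical.

# port_open FILE PROTO PORT: exit 0 if an INPUT rule ACCEPTs PROTO/PORT before
# the first unconditional REJECT/DROP in INPUT, else 1. Order matters: an
# ACCEPT placed after the catch-all is never reached.
port_open() {
    awk -v proto="$2" -v port="$3" '
        $1 != "-A" || $2 != "INPUT" { next }
        {
            p = ""; d = ""; j = ""; cond = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") p = $(i + 1)
                else if ($i == "--dport") d = $(i + 1)
                else if ($i == "-j") j = $(i + 1)
                else if ($i == "-s" || $i == "-i" || $i == "-m") cond++
            }
            if (j == "ACCEPT" && p == proto && d == port) { found = 1; exit }
            if ((j == "REJECT" || j == "DROP") && p == "" && cond == 0) exit
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# audit_provisioning FILE: print each blocked port, return how many.
audit_provisioning() {
    missing=0
    port_open "$1" udp 69 || { echo "BLOCKED: udp/69 (TFTP)"; missing=$((missing + 1)); }
    port_open "$1" udp 53 || { echo "BLOCKED: udp/53 (DNS)"; missing=$((missing + 1)); }
    return "$missing"
}

# Constructed sample: DNS accepted first, TFTP appended after the REJECT.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
COMMIT
EOF
}

# Usage: sh audit.sh /etc/sysconfig/iptables
if [ "$#" -gt 0 ]; then audit_provisioning "$1"; fi
```

`iptables -I INPUT` with no rule number inserts at position 1, so the commands used in this bug land ahead of any catch-all; the saved file still records them as `-A` lines, in chain order.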
Comment 4 Summer Long 2014-01-05 23:59:21 EST
Foreman info is now contained in the Installation guide; moving there. Steve moved this to modified, so assume that this made it into the ICG's foreman section. Needs a check.
Comment 5 Summer Long 2014-01-20 18:06:35 EST
This bug is being assigned to Scott Radvan, who is now the designated docs specialist for Foreman.
