Bug 999695 - packstack doesn't open DHCP ports on host
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-packstack
3.0
Unspecified Unspecified
high Severity high
: z4
: 4.0
Assigned To: Ivan Chavero
Nir Magnezi
: TestOnly, Unconfirmed, ZStream
Blocks: 1070460
Reported: 2013-08-21 17:29 EDT by Ofer Blaut
Modified: 2016-04-26 10:40 EDT
Fixed In Version: openstack-packstack-2013.2.1-0.29.dev1009.el6ost
Doc Type: Bug Fix
Last Closed: 2014-05-29 15:56:51 EDT
Type: Bug

Attachments
iptables rules and openstack status (8.35 KB, text/plain)
2013-08-21 17:29 EDT, Ofer Blaut

External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 65858 None None None Never
OpenStack gerrit 77684 None None None Never
OpenStack gerrit 81992 None None None Never
Red Hat Product Errata RHBA-2014:0577 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform 4 Bug Fix and Enhancement Advisory 2014-05-29 19:55:40 EDT

Description Ofer Blaut 2013-08-21 17:29:46 EDT
Created attachment 789000
iptables rules and openstack status

Description of problem:

I have installed the latest 20.8 puddle with linuxbridge (we didn't test it in grizzly since OVS had higher priority).

I'm using distributed quantum; currently DHCP discover requests are being dropped by iptables (when iptables is off, it works).


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install a distributed setup with packstack (no namespace).
2. Configure a basic network and run a VM; it will not get an IP address.
3. Stop iptables on the host with DHCP and run service network restart in the VM.


Actual results:


Expected results:


Additional info:
Comment 1 Ofer Blaut 2013-08-21 17:32:14 EDT
Build info 
openstack-packstack-2013.1.1-0.30.dev672.el6ost.noarch
openstack-quantum-2013.1.3-1.el6ost.noarch
Comment 2 Ofer Blaut 2013-08-22 03:14:02 EDT
1. This happens when namespace is not used.
2. In order to operate the L3 router, the user needs to configure router-id and restart the l3 agent (bz# 918057).
So the updated iptables will be:

[root@puma05 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
quantum-l3-agent-INPUT  all  --  anywhere             anywhere            
quantum-linuxbri-INPUT  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
quantum-filter-top  all  --  anywhere             anywhere            
quantum-l3-agent-FORWARD  all  --  anywhere             anywhere            
quantum-linuxbri-FORWARD  all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
quantum-filter-top  all  --  anywhere             anywhere            
quantum-l3-agent-OUTPUT  all  --  anywhere             anywhere            
quantum-linuxbri-OUTPUT  all  --  anywhere             anywhere            

Chain quantum-filter-top (2 references)
target     prot opt source               destination         
quantum-l3-agent-local  all  --  anywhere             anywhere            
quantum-linuxbri-local  all  --  anywhere             anywhere            

Chain quantum-l3-agent-FORWARD (1 references)
target     prot opt source               destination         

Chain quantum-l3-agent-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             localhost           tcp dpt:9697 

Chain quantum-l3-agent-OUTPUT (1 references)
target     prot opt source               destination         

Chain quantum-l3-agent-local (1 references)
target     prot opt source               destination         

Chain quantum-linuxbri-FORWARD (1 references)
target     prot opt source               destination         

Chain quantum-linuxbri-INPUT (1 references)
target     prot opt source               destination         

Chain quantum-linuxbri-OUTPUT (1 references)
target     prot opt source               destination         

Chain quantum-linuxbri-local (1 references)
target     prot opt source               destination         

Chain quantum-linuxbri-sg-chain (0 references)
target     prot opt source               destination         

Chain quantum-linuxbri-sg-fallback (0 references)
target     prot opt source               destination
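
Added example (not part of the bug report or of packstack): a check for the condition reported above, run over `iptables -S INPUT` output, which, unlike plain `iptables -L`, prints interface matches. The rules are a constructed sample modelled on comment 2, assuming its bare "ACCEPT all" line is loopback-only; the interface name eth1 and the DHCP accept rule in RULES_AFTER are hypothetical.

```sh
# Reads `iptables -S INPUT` style rules on stdin and prints the first rule that
# decides a NEW packet to UDP port 67 arriving on interface $1.
# Simplifications: user chains are not followed; "!" and "+" are ignored.
dhcp_input_verdict() {
    awk -v want="$1" '
    function covers(spec, port,    r) {              # "67" or a range "67:68"
        if (split(spec, r, ":") == 2) return (port >= r[1] + 0 && port <= r[2] + 0)
        return (spec + 0 == port)
    }
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        proto = dport = iface = state = target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-i") iface = $(i + 1)
            else if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        if (target !~ /^(ACCEPT|REJECT|DROP)$/) next    # jump to a user chain
        if (iface != "" && iface != want) next           # bound to another interface
        if (proto != "" && proto != "udp" && proto != "all") next
        if (dport != "" && !covers(dport, 67)) next
        if (state != "" && state !~ /(^|,)NEW(,|$)/) next
        verdict = (target == "ACCEPT") ? "accept" : "blocked"
        print verdict ": " $0; decided = 1; exit
    }
    END { if (!decided) print "policy: " policy }
    '
}
# Constructed sample modelled on the INPUT chain in comment 2. Assumption: the
# bare "ACCEPT all" line there is loopback-only (plain -L hides interfaces).
RULES_BEFORE='-P INPUT ACCEPT
-A INPUT -j quantum-l3-agent-INPUT
-A INPUT -j quantum-linuxbri-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
# Hypothetical corrected ruleset: a DHCP server-port rule ahead of the REJECT
# (an assumption, not necessarily the rule the packstack fix installs).
RULES_AFTER=$(printf '%s\n' "$RULES_BEFORE" |
    awk '/-j REJECT/ { print "-A INPUT -p udp -m udp --dport 67 -j ACCEPT" } { print }')
printf '%s\n' "$RULES_BEFORE" | dhcp_input_verdict eth1
printf '%s\n' "$RULES_AFTER" | dhcp_input_verdict eth1
```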
Comment 3 Ofer Blaut 2013-08-22 07:57:15 EDT
The issue does happen when using the same configuration on linuxbridge with namespace enabled; attached are the iptables of the host and the namespace table.

[root@puma05 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
quantum-linuxbri-INPUT  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
quantum-filter-top  all  --  anywhere             anywhere            
quantum-linuxbri-FORWARD  all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
quantum-filter-top  all  --  anywhere             anywhere            
quantum-linuxbri-OUTPUT  all  --  anywhere             anywhere            

Chain quantum-filter-top (2 references)
target     prot opt source               destination         
quantum-linuxbri-local  all  --  anywhere             anywhere            

Chain quantum-linuxbri-FORWARD (1 references)
target     prot opt source               destination         

Chain quantum-linuxbri-INPUT (1 references)
target     prot opt source               destination         

Chain quantum-linuxbri-OUTPUT (1 references)
target     prot opt source               destination         

Chain quantum-linuxbri-local (1 references)
target     prot opt source               destination         

Chain quantum-linuxbri-sg-chain (0 references)
target     prot opt source               destination         

Chain quantum-linuxbri-sg-fallback (0 references)
target     prot opt source               destination         

[root@puma05 ~]# 
[root@puma05 ~]# ip netns list
qrouter-aa2e4abd-7452-4744-97d1-9b673d4e37b2
qdhcp-d76448e1-0a5e-4556-b1c5-a2609278e35a
qdhcp-73231975-9759-4fd7-a84c-09ad2fdbbfeb
[root@puma05 ~]# ip netns exec qdhcp-d76448e1-0a5e-4556-b1c5-a2609278e35a iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Comment 4 Alvaro Lopez Ortega 2013-11-15 06:57:26 EST
Martin to reach out to Terry on this today.
Comment 5 Alvaro Lopez Ortega 2013-12-03 12:33:28 EST
Ian, could you please add the missing firewall entries?
Comment 7 Ian Wienand 2013-12-05 17:51:32 EST
Ofer -- it's been some time since this bug was filed, so can you please confirm the issue remains?  I attempted to replicate but I'm not seeing VMs that don't get addresses.  I certainly may have chosen incorrect options, etc., so can you please detail more specifically the commands you ran to set up.

Thanks
Comment 9 Ian Wienand 2014-01-13 20:25:07 EST
This was addressed in [1].

[1] https://review.openstack.org/#/c/65858/
Comment 21 Ivan Chavero 2014-03-17 17:09:56 EDT
patch merged, waiting for package to be created
Comment 22 Alvaro Lopez Ortega 2014-03-24 05:47:43 EDT
Reverting status change. It hasn't actually made it to a build yet.
Comment 23 Ivan Chavero 2014-03-25 15:28:37 EDT
Backport to havana on review
Comment 24 Ivan Chavero 2014-04-04 14:27:16 EDT
patch merged and packaged in: openstack-packstack-2013.2.1-0.35.dev1009.el6
Comment 28 errata-xmlrpc 2014-05-29 15:56:51 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0577.html
