Created attachment 789000: iptables rules and openstack status

Description of problem:
I have installed the latest 20.8 puddle with linuxbridge (we didn't test it in grizzly since OVS had higher priority). I'm using distributed quantum; currently DHCP discover requests are being dropped by iptables (when iptables is off it works).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install distributed setup with packstack (no namespace)
2. Configure basic network and run a VM; it will not get an IP address
3. Stop iptables on the host with DHCP and service network restart in the VM

Actual results:

Expected results:

Additional info:
Build info:
openstack-packstack-2013.1.1-0.30.dev672.el6ost.noarch
openstack-quantum-2013.1.3-1.el6ost.noarch
1. This happens when namespace is not USED.
2. In order to operate the L3 router, the user needs to configure router-id and restart the l3 agent (bz# 918057).

So the updated iptables will be:

[root@puma05 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
quantum-l3-agent-INPUT  all  --  anywhere             anywhere
quantum-linuxbri-INPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
quantum-filter-top  all  --  anywhere             anywhere
quantum-l3-agent-FORWARD  all  --  anywhere             anywhere
quantum-linuxbri-FORWARD  all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
quantum-filter-top  all  --  anywhere             anywhere
quantum-l3-agent-OUTPUT  all  --  anywhere             anywhere
quantum-linuxbri-OUTPUT  all  --  anywhere             anywhere

Chain quantum-filter-top (2 references)
target     prot opt source               destination
quantum-l3-agent-local  all  --  anywhere             anywhere
quantum-linuxbri-local  all  --  anywhere             anywhere

Chain quantum-l3-agent-FORWARD (1 references)
target     prot opt source               destination

Chain quantum-l3-agent-INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             localhost           tcp dpt:9697

Chain quantum-l3-agent-OUTPUT (1 references)
target     prot opt source               destination

Chain quantum-l3-agent-local (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-FORWARD (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-INPUT (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-OUTPUT (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-local (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-sg-chain (0 references)
target     prot opt source               destination

Chain quantum-linuxbri-sg-fallback (0 references)
target     prot opt source               destination
Issue does happen when using same configuration on linuxbridge with namespace enabled, attached iptables of host and namespace table

[root@puma05 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
quantum-linuxbri-INPUT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
quantum-filter-top  all  --  anywhere             anywhere
quantum-linuxbri-FORWARD  all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
quantum-filter-top  all  --  anywhere             anywhere
quantum-linuxbri-OUTPUT  all  --  anywhere             anywhere

Chain quantum-filter-top (2 references)
target     prot opt source               destination
quantum-linuxbri-local  all  --  anywhere             anywhere

Chain quantum-linuxbri-FORWARD (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-INPUT (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-OUTPUT (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-local (1 references)
target     prot opt source               destination

Chain quantum-linuxbri-sg-chain (0 references)
target     prot opt source               destination

Chain quantum-linuxbri-sg-fallback (0 references)
target     prot opt source               destination

[root@puma05 ~]#
[root@puma05 ~]# ip netns list
qrouter-aa2e4abd-7452-4744-97d1-9b673d4e37b2
qdhcp-d76448e1-0a5e-4556-b1c5-a2609278e35a
qdhcp-73231975-9759-4fd7-a84c-09ad2fdbbfeb

[root@puma05 ~]# ip netns exec qdhcp-d76448e1-0a5e-4556-b1c5-a2609278e35a iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
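Added example (not part of the bug report or of the packstack patch): the host INPUT chain in the listings above ends in a catch-all REJECT and has no earlier rule for UDP port 67, the port a DHCP server listens on. The check below evaluates rules in iptables -S format; both sample rulesets, the reading of the bare "ACCEPT all" line as the loopback rule, and the UDP/67 rule are constructed assumptions.

```shell
# Added example, not from the bug report. Reads `iptables -S INPUT` rules on
# stdin and prints how a new DHCP discover (UDP, destination port 67) fares:
#   accepted = a UDP ACCEPT covering port 67 comes first
#   rejected = a catch-all REJECT/DROP comes first
#   policy   = neither is present, so the chain policy decides
# Assumptions: jumps to other chains are not followed; interface and address
# matches on the UDP rule are not evaluated.
dhcp_input_verdict() {
    awk '
    # Does a --dport/--dports value such as 67, 67:68 or 53,67 cover port 67?
    function covers67(spec,    n, parts, k, r) {
        n = split(spec, parts, ",")
        for (k = 1; k <= n; k++) {
            if (split(parts[k], r, ":") == 2) {
                if (r[1] + 0 <= 67 && 67 <= r[2] + 0) return 1
            } else if (parts[k] == "67") return 1
        }
        return 0
    }
    $1 != "-A" { next }
    {
        proto = ""; dport = ""; target = ""; narrowed = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") dport = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i ~ /^-[isdm]$/) narrowed = 1
        }
        if (target == "ACCEPT" && proto == "udp" && covers67(dport)) verdict = "accepted"
        else if (target ~ /^(REJECT|DROP)$/ && proto == "" && !narrowed) verdict = "rejected"
        if (verdict != "") exit
    }
    END { print (verdict == "" ? "policy" : verdict) }
    '
}
# Constructed sample mirroring the host INPUT chain in the report. The bare
# "ACCEPT all" line is assumed to be the loopback rule; `iptables -L` without
# -v does not show the interface.
RULES_BEFORE='-P INPUT ACCEPT
-A INPUT -j quantum-linuxbri-INPUT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
# Hypothetical fix: a UDP/67 ACCEPT inserted ahead of the catch-all REJECT.
RULES_AFTER=$(printf '%s\n' "$RULES_BEFORE" | awk '/-j REJECT/ { print "-A INPUT -p udp -m udp --dport 67 -j ACCEPT" } { print }')
printf 'before: %s\n' "$(printf '%s\n' "$RULES_BEFORE" | dhcp_input_verdict)"
printf 'after:  %s\n' "$(printf '%s\n' "$RULES_AFTER" | dhcp_input_verdict)"
```

On a live host the function would be fed with iptables -S INPUT, which prints the interface match that plain iptables -L hides.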
Martin to reach out to Terry on this today.
Ian, could you please add the missing firewall entries?
Ofer -- it's been some time since this bug was filed, so can you please confirm the issue remains? I attempted to replicate but I'm not seeing VMs that don't get addresses. I certainly may have chosen incorrect options, etc., so can you please detail more specifically the commands you ran to set up. Thanks
This was addressed in [1].

[1] https://review.openstack.org/#/c/65858/
patch merged, waiting for package to be created
Reverting status change. It hasn't actually made it to a build yet.
Backport to havana on review
patch merged and packaged in: openstack-packstack-2013.2.1-0.35.dev1009.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-0577.html