For anyone out there facing similar issues, my problem was due to the following line in /etc/sysconfig/iptables:

-A FORWARD -j REJECT --reject-with icmp-host-prohibited


As soon as all forward rules were permitted, my problem was solved.


Best regards,

G.
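
A defender-side check for the kind of rule that turned out to be the culprit, added here as an example and not code from the thread: it parses the iptables-save format in which the /etc/sysconfig/iptables fragments in this thread are written and flags DROP/REJECT rules in FORWARD that carry no match option at all, so that a restore of the file cannot silently reject every bridged frame that neutron's chains did not accept. The sample rulesets, the 192.0.2.31 address and the virbr0 rule are constructed for the example.

```python
import shlex

TERMINAL_TARGETS = {"DROP", "REJECT"}
# Options that narrow what a rule matches; a rule with none of them matches every packet.
MATCH_OPTIONS = {"-s", "--source", "-d", "--destination", "-p", "--protocol",
                 "-i", "--in-interface", "-o", "--out-interface", "-m", "--match"}


def parse_iptables_save(text):
    """Yield (table, chain, argv) for every '-A' rule in an iptables-save dump."""
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # e.g. '# Generated by iptables-save'
        if line.startswith("*"):
            table = line[1:]               # '*filter', '*nat', ...
            continue
        if line.startswith(":") or line == "COMMIT":
            continue                       # ':CHAIN POLICY [pkts:bytes]' and table end
        argv = shlex.split(line)
        if len(argv) >= 2 and argv[0] == "-A":
            yield table, argv[1], argv[2:]


def rule_target(argv):
    """Return the '-j' target of a rule, or None when the rule has no jump."""
    return argv[argv.index("-j") + 1] if "-j" in argv else None


def is_catch_all(argv):
    """True when the rule carries no match option, so it applies to every packet."""
    return not any(opt in MATCH_OPTIONS for opt in argv)


def find_catch_all_terminals(text, chain="FORWARD"):
    """Report catch-all DROP/REJECT rules in filter/<chain>.
    Each finding records whether an explicit ACCEPT precedes the rule in that
    chain. With none, everything not accepted inside an earlier jump target (such
    as neutron's security-group chains) is rejected; with bridge-nf-call-iptables
    enabled, as the linuxbridge agent requires, that includes bridged frames."""
    findings, seen_accept = [], False
    for table, rule_chain, argv in parse_iptables_save(text):
        if table != "filter" or rule_chain != chain:
            continue
        target = rule_target(argv)
        if target == "ACCEPT":
            seen_accept = True
        elif target in TERMINAL_TARGETS and is_catch_all(argv):
            findings.append({"rule": f"-A {chain} " + " ".join(argv),
                             "preceded_by_accept": seen_accept})
    return findings


# Constructed sample in the shape of the ruleset quoted in the thread, ending with
# the catch-all FORWARD REJECT (192.0.2.31 is a placeholder, not the poster's IP).
BROKEN_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.31/32 -p udp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The same ruleset with the catch-all replaced by a libvirt-style, interface-scoped
# REJECT: that one carries a match option (-o) and is not flagged.
FIXED_RULESET = BROKEN_RULESET.replace(
    "-A FORWARD -j REJECT --reject-with icmp-host-prohibited\n",
    "-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable\n")
```

Run it against `iptables-save` output on a node before restarting the iptables service; a finding with `preceded_by_accept` false in FORWARD is the configuration this thread ends on.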


I have installed on Ubuntu, so I don't have files such as /etc/sysconfig/iptables.

Apart from the DROP/REJECT rules listed below, there are no more such
rules.

Regards,
Manjunath

-----Original Message-----
From: Georgios Dimitrakakis [mailto:gior...@acmac.uoc.gr]
Sent: Monday, 20 March, 2017 6:32 PM
To: openstack@lists.openstack.org
Subject: Re: [Openstack] DHCP Request Failed on Ocata

 Hello and thanks for providing the detailed iptables output.

 I don't believe that initially having "firewalld" enabled had any
impact because (to my understanding) all rules are added when the
services are restarted.

 So by rebooting the nodes everything should be OK, which it isn't.

 Can you tell me if in your "/etc/sysconfig/iptables" you have any
other rules that DROP or REJECT packets?


 Best,

 G.


 On Mon, 20 Mar 2017 03:08:09 +0000, Warad, Manjunath (Nokia - SG) wrote:
Here are my filter tables...
I did a default installation of 1 controller and 1 compute following
openstack install docs.

I read through that the firewalld was not stopped during
installation. I'm not sure if that could have caused some invalid
insertions/deletions into iptables.
Probably, you may want to consider re-installing controller and
compute nodes with firewalld disabled in the beginning unless you
have enough time to troubleshoot the problem.

Controller Filter Table:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  anywhere             anywhere
nova-api-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere
nova-filter-top  all  --  anywhere             anywhere
nova-api-FORWARD  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere
nova-filter-top  all  --  anywhere             anywhere
nova-api-OUTPUT  all  --  anywhere             anywhere

Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-linuxbri-local  all  --  anywhere             anywhere

Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-sg-chain (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain neutron-linuxbri-sg-fallback (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /*
Default drop rule for unmatched traffic. */

Chain nova-api-FORWARD (1 references)
target     prot opt source               destination

Chain nova-api-INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             controller           tcp
dpt:8775

Chain nova-api-OUTPUT (1 references)
target     prot opt source               destination

Chain nova-api-local (1 references)
target     prot opt source               destination

Chain nova-filter-top (2 references)
target     prot opt source               destination
nova-api-local  all  --  anywhere             anywhere

Compute Filter Table:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  anywhere             anywhere
nova-compute-INPUT  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp
dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp
dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp
dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp
dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere
nova-filter-top  all  --  anywhere             anywhere
nova-compute-FORWARD  all  --  anywhere             anywhere
ACCEPT all -- anywhere 192.168.122.0/24 ctstate
RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere
reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere
reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere
nova-filter-top  all  --  anywhere             anywhere
nova-compute-OUTPUT  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp
dpt:bootpc

Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-linuxbri-local  all  --  anywhere             anywhere

Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere
       PHYSDEV match --physdev-out tap220f832a-a0
--physdev-is-bridged /* Direct traffic from the VM interface to the
security group chain. */
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere
PHYSDEV match --physdev-in tap220f832a-a0 --physdev-is-bridged
/* Direct traffic from the VM interface to the security group chain.
*/
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere
       PHYSDEV match --physdev-out tapc2ae9c01-6b
--physdev-is-bridged /* Direct traffic from the VM interface to the
security group chain. */
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere
PHYSDEV match --physdev-in tapc2ae9c01-6b --physdev-is-bridged
/* Direct traffic from the VM interface to the security group chain.
*/
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere
       PHYSDEV match --physdev-out tapd0191424-88
--physdev-is-bridged /* Direct traffic from the VM interface to the
security group chain. */
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere
PHYSDEV match --physdev-in tapd0191424-88 --physdev-is-bridged
/* Direct traffic from the VM interface to the security group chain.
*/

Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination
neutron-linuxbri-o220f832a-a  all  --  anywhere             anywhere
          PHYSDEV match --physdev-in tap220f832a-a0
--physdev-is-bridged /* Direct incoming traffic from VM to the
security group chain. */
neutron-linuxbri-oc2ae9c01-6  all  --  anywhere             anywhere
          PHYSDEV match --physdev-in tapc2ae9c01-6b
--physdev-is-bridged /* Direct incoming traffic from VM to the
security group chain. */
neutron-linuxbri-od0191424-8  all  --  anywhere             anywhere
          PHYSDEV match --physdev-in tapd0191424-88
--physdev-is-bridged /* Direct incoming traffic from VM to the
security group chain. */

Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-i220f832a-a (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             state
RELATED,ESTABLISHED /* Direct packets associated with a known session
to the RETURN chain. */
RETURN udp -- XXX <internal interface> anywhere udp
spt:bootps udp dpt:bootpc
RETURN     all  --  anywhere             anywhere
match-set NIPv4e4277e54-2e75-421d-a87d- src
RETURN     icmp --  anywhere             anywhere
RETURN     tcp  --  anywhere             anywhere             tcp
dpt:ssh
DROP       all  --  anywhere             anywhere             state
INVALID /* Drop packets that appear related to an existing connection
(e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere
          /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-ic2ae9c01-6 (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             state
RELATED,ESTABLISHED /* Direct packets associated with a known session
to the RETURN chain. */
RETURN udp -- XXX <internal interface> anywhere udp
spt:bootps udp dpt:bootpc
RETURN     all  --  anywhere             anywhere
match-set NIPv4e4277e54-2e75-421d-a87d- src
RETURN     icmp --  anywhere             anywhere
RETURN     tcp  --  anywhere             anywhere             tcp
dpt:ssh
DROP       all  --  anywhere             anywhere             state
INVALID /* Drop packets that appear related to an existing connection
(e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere
          /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-id0191424-8 (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             state
RELATED,ESTABLISHED /* Direct packets associated with a known session
to the RETURN chain. */
RETURN     udp  --  XXX <ip_address>      anywhere             udp
spt:bootps udp dpt:bootpc
RETURN     all  --  anywhere             anywhere
match-set NIPv4e4277e54-2e75-421d-a87d- src
RETURN     icmp --  anywhere             anywhere
RETURN     tcp  --  anywhere             anywhere             tcp
dpt:ssh
DROP       all  --  anywhere             anywhere             state
INVALID /* Drop packets that appear related to an existing connection
(e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere
          /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-o220f832a-a (2 references)
target     prot opt source               destination
RETURN     udp  --  0.0.0.0              255.255.255.255      udp
spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-s220f832a-a  all  --  anywhere             anywhere

RETURN     udp  --  anywhere             anywhere             udp
spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
DROP       udp  --  anywhere             anywhere             udp
spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN     all  --  anywhere             anywhere             state
RELATED,ESTABLISHED /* Direct packets associated with a known session
to the RETURN chain. */
RETURN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state
INVALID /* Drop packets that appear related to an existing connection
(e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere
          /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-oc2ae9c01-6 (2 references)
target     prot opt source               destination
RETURN     udp  --  0.0.0.0              255.255.255.255      udp
spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-sc2ae9c01-6  all  --  anywhere             anywhere

RETURN     udp  --  anywhere             anywhere             udp
spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
DROP       udp  --  anywhere             anywhere             udp
spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN     all  --  anywhere             anywhere             state
RELATED,ESTABLISHED /* Direct packets associated with a known session
to the RETURN chain. */
RETURN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state
INVALID /* Drop packets that appear related to an existing connection
(e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere
          /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-od0191424-8 (2 references)
target     prot opt source               destination
RETURN     udp  --  0.0.0.0              255.255.255.255      udp
spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-sd0191424-8  all  --  anywhere             anywhere

RETURN     udp  --  anywhere             anywhere             udp
spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
DROP       udp  --  anywhere             anywhere             udp
spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN     all  --  anywhere             anywhere             state
RELATED,ESTABLISHED /* Direct packets associated with a known session
to the RETURN chain. */
RETURN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state
INVALID /* Drop packets that appear related to an existing connection
(e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere
          /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-s220f832a-a (1 references)
target     prot opt source               destination
RETURN     all  --  XXX <ip address>          anywhere
MAC XX:XX:XX:FF:36:AA /* Allow traffic from defined IP/MAC pairs. */
DROP all -- anywhere anywhere /* Drop
traffic without an IP/MAC allow rule. */

Chain neutron-linuxbri-sc2ae9c01-6 (1 references)
target     prot opt source               destination
RETURN     all  --  XXX <ip address>           anywhere
MAC XX:XX:XX:88:CA:0C /* Allow traffic from defined IP/MAC pairs. */
DROP all -- anywhere anywhere /* Drop
traffic without an IP/MAC allow rule. */

Chain neutron-linuxbri-sd0191424-8 (1 references)
target     prot opt source               destination
RETURN     all  --  XXX <ip address>      anywhere             MAC
XX:XX:XX:2A:55:AA /* Allow traffic from defined IP/MAC pairs. */
DROP all -- anywhere anywhere /* Drop
traffic without an IP/MAC allow rule. */

Chain neutron-linuxbri-sg-chain (6 references)
target     prot opt source               destination
neutron-linuxbri-i220f832a-a  all  --  anywhere             anywhere
          PHYSDEV match --physdev-out tap220f832a-a0
--physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-o220f832a-a  all  --  anywhere             anywhere
          PHYSDEV match --physdev-in tap220f832a-a0
--physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-ic2ae9c01-6  all  --  anywhere             anywhere
          PHYSDEV match --physdev-out tapc2ae9c01-6b
--physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-oc2ae9c01-6  all  --  anywhere             anywhere
          PHYSDEV match --physdev-in tapc2ae9c01-6b
--physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-id0191424-8  all  --  anywhere             anywhere
          PHYSDEV match --physdev-out tapd0191424-88
--physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-od0191424-8  all  --  anywhere             anywhere
          PHYSDEV match --physdev-in tapd0191424-88
--physdev-is-bridged /* Jump to the VM specific chain. */
ACCEPT     all  --  anywhere             anywhere

Chain neutron-linuxbri-sg-fallback (6 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             /*
Default drop rule for unmatched traffic. */

Chain nova-compute-FORWARD (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain nova-compute-INPUT (1 references)
target     prot opt source               destination

Chain nova-compute-OUTPUT (1 references)
target     prot opt source               destination

Chain nova-compute-local (1 references)
target     prot opt source               destination

Chain nova-filter-top (2 references)
target     prot opt source               destination
nova-compute-local  all  --  anywhere             anywhere

Regards,
Manjunath


-----Original Message-----
From: Georgios Dimitrakakis [mailto:gior...@acmac.uoc.gr]
Sent: Sunday, 19 March, 2017 11:35 PM
To: openstack@lists.openstack.org
Subject: Re: [Openstack] DHCP Request Failed on Ocata

 Any ideas on this?

 Here are my firewall rules on Controller Node:

 #ALLOW ALL Compute Node
 -A INPUT -s $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
 -A OUTPUT -d $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
 -A INPUT -s $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT
 -A OUTPUT -d $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT

 #ALLOW ALL from-to Public Subnet
 -A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
 -A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
 -A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
 -A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT

 After these, more rules follow for SSH (port 22), HTTP (port 80), etc.


 Respectively, on the Compute Node I have


 #ALLOW ALL Controller Node
 -A INPUT -s $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
 -A OUTPUT -d $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
 -A INPUT -s $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT
 -A OUTPUT -d $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT

 #ALLOW ALL from-to Public Subnet
 -A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
 -A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
 -A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
 -A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT


 After these, more rules follow for SSH (port 22), HTTP (port 80), etc.

 where on all the above:
 The $COMPUTE_NODE_IP is the static IP address of the compute node
 The $CONTROLLER_NODE_IP is the static IP address of the controller node
 The $PUBLIC_SUBNET is the subnet for the public IP addresses as defined by my provider


 The above rules are at the top of my iptables file, immediately after:

 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT

 while at the very end (after all the rules) I have:

 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT


 Using the above rules I believe that I have an open communication
 between the Controller, the Compute Node and the VMs.

 Obviously I am missing something...but what???

 Can someone help me or share with me their firewall rules between a
 controller and a compute node??

 Keeping the firewall disabled solves the problem and all VMs are
 getting IP addresses without a problem, but this is not desired.

 I really appreciate any help provided since I have been puzzled for quite a
 few days now with this....


 Regards,


 G.



I have also completely disabled the "firewalld" service and reverted
back to the "iptables" service, but without success.

No matter what I do my instances cannot get a DHCP address unless the
firewall is "stopped".

I've tried to add the UDP ports 67-68 on the firewall but without
success as well.
What else should I do in order to have "iptables" enabled for basic
firewall functionality and at the same time have my OpenStack
environment work without a problem?

Any ideas???

Regards,

G.

On Mon, 13 Mar 2017 19:37:41 -0400, Mohammed Naser wrote:
It causes problems for us so we uninstall and disable it on all
compute nodes.

yum -y remove firewalld

Sent from my iPhone

On Mar 13, 2017, at 5:58 PM, Georgios Dimitrakakis <gior...@acmac.uoc.gr> wrote:

My problem may be due to the "firewalld" service running....

Has anyone configured OpenStack on CentOS with Firewalld, or do you
suggest disabling it?

Best,

G.

On Sat, 11 Mar 2017 21:28:51 +0200, Georgios Dimitrakakis wrote:
Hello!

I am trying to set up a new Ocata installation following the official
guide but my instances fail to get a DHCP address.

I am using two physical nodes (1x controller and 1x compute), each one
with two network interfaces.
Compute node can reach the Controller node via the first interface
and vice versa.
As recommended by the manual the second interface is unnumbered.

When I launch an instance I can see using "tcpdump" that the DHCP
request reaches the second (the unnumbered) interface of the compute
node but never reaches any other interface either on compute or
controller node.

Therefore I am wondering how the instance should get an IP address?
What is the correct path that is followed?

I have tried that using both provider and self-service networks and
the result is always the same.


Looking forward to any directions, recommendations etc.


All the best,

G.

_______________________________________________
Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack









--
 Dr. Dimitrakakis Georgios

 Networks and Systems Administrator

 Archimedes Center for Modeling, Analysis & Computation (ACMAC)
 School of Sciences and Engineering
 University of Crete
 P.O. Box 2208
 710 - 03 Heraklion
 Crete, Greece

 Tel: +30 2810 393717
 Fax: +30 2810 393660

 E-mail: gior...@acmac.uoc.gr



