Here are my filter tables...
I did a default installation of 1 controller and 1 compute following
openstack install docs.
I read through that the firewalld was not stopped during
installation. I'm not sure if that could have cause some invalid
insertions/deletions into iptables.
Probably, you may want to consider re-installing controller and
compute nodes with firewalld disabled in the beginning unless you
have enough time to troubleshoot the problem.
Controller Filter Table:
Chain INPUT (policy ACCEPT)
target prot opt source destination
neutron-linuxbri-INPUT all -- anywhere anywhere
nova-api-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-linuxbri-FORWARD all -- anywhere anywhere
nova-filter-top all -- anywhere anywhere
nova-api-FORWARD all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-linuxbri-OUTPUT all -- anywhere anywhere
nova-filter-top all -- anywhere anywhere
nova-api-OUTPUT all -- anywhere anywhere
Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-linuxbri-local all -- anywhere anywhere
Chain neutron-linuxbri-FORWARD (1 references)
target prot opt source destination
Chain neutron-linuxbri-INPUT (1 references)
target prot opt source destination
Chain neutron-linuxbri-OUTPUT (1 references)
target prot opt source destination
Chain neutron-linuxbri-local (1 references)
target prot opt source destination
Chain neutron-linuxbri-sg-chain (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain neutron-linuxbri-sg-fallback (0 references)
target prot opt source destination
DROP all -- anywhere anywhere /*
Default drop rule for unmatched traffic. */
Chain nova-api-FORWARD (1 references)
target prot opt source destination
Chain nova-api-INPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere controller tcp
dpt:8775
Chain nova-api-OUTPUT (1 references)
target prot opt source destination
Chain nova-api-local (1 references)
target prot opt source destination
Chain nova-filter-top (2 references)
target prot opt source destination
nova-api-local all -- anywhere anywhere
Compute Filter Table:
Chain INPUT (policy ACCEPT)
target prot opt source destination
neutron-linuxbri-INPUT all -- anywhere anywhere
nova-compute-INPUT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp
dpt:domain
ACCEPT tcp -- anywhere anywhere tcp
dpt:domain
ACCEPT udp -- anywhere anywhere udp
dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp
dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-linuxbri-FORWARD all -- anywhere anywhere
nova-filter-top all -- anywhere anywhere
nova-compute-FORWARD all -- anywhere anywhere
ACCEPT all -- anywhere 192.168.122.0/24
ctstate
RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere
reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere
reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-linuxbri-OUTPUT all -- anywhere anywhere
nova-filter-top all -- anywhere anywhere
nova-compute-OUTPUT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp
dpt:bootpc
Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-linuxbri-local all -- anywhere anywhere
Chain neutron-linuxbri-FORWARD (1 references)
target prot opt source destination
neutron-linuxbri-sg-chain all -- anywhere anywhere
PHYSDEV match --physdev-out tap220f832a-a0
--physdev-is-bridged /* Direct traffic from the VM interface to the
security group chain. */
neutron-linuxbri-sg-chain all -- anywhere anywhere
PHYSDEV match --physdev-in tap220f832a-a0
--physdev-is-bridged
/* Direct traffic from the VM interface to the security group chain.
*/
neutron-linuxbri-sg-chain all -- anywhere anywhere
PHYSDEV match --physdev-out tapc2ae9c01-6b
--physdev-is-bridged /* Direct traffic from the VM interface to the
security group chain. */
neutron-linuxbri-sg-chain all -- anywhere anywhere
PHYSDEV match --physdev-in tapc2ae9c01-6b
--physdev-is-bridged
/* Direct traffic from the VM interface to the security group chain.
*/
neutron-linuxbri-sg-chain all -- anywhere anywhere
PHYSDEV match --physdev-out tapd0191424-88
--physdev-is-bridged /* Direct traffic from the VM interface to the
security group chain. */
neutron-linuxbri-sg-chain all -- anywhere anywhere
PHYSDEV match --physdev-in tapd0191424-88
--physdev-is-bridged
/* Direct traffic from the VM interface to the security group chain.
*/
Chain neutron-linuxbri-INPUT (1 references)
target prot opt source destination
neutron-linuxbri-o220f832a-a all -- anywhere anywhere
PHYSDEV match --physdev-in tap220f832a-a0
--physdev-is-bridged /* Direct incoming traffic from VM to the
security group chain. */
neutron-linuxbri-oc2ae9c01-6 all -- anywhere anywhere
PHYSDEV match --physdev-in tapc2ae9c01-6b
--physdev-is-bridged /* Direct incoming traffic from VM to the
security group chain. */
neutron-linuxbri-od0191424-8 all -- anywhere anywhere
PHYSDEV match --physdev-in tapd0191424-88
--physdev-is-bridged /* Direct incoming traffic from VM to the
security group chain. */
Chain neutron-linuxbri-OUTPUT (1 references)
target prot opt source destination
Chain neutron-linuxbri-i220f832a-a (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere state
RELATED,ESTABLISHED /* Direct packets associated with a known
session
to the RETURN chain. */
RETURN udp -- XXX <internal interface> anywhere
udp
spt:bootps udp dpt:bootpc
RETURN all -- anywhere anywhere
match-set NIPv4e4277e54-2e75-421d-a87d- src
RETURN icmp -- anywhere anywhere
RETURN tcp -- anywhere anywhere tcp
dpt:ssh
DROP all -- anywhere anywhere state
INVALID /* Drop packets that appear related to an existing
connection
(e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback all -- anywhere anywhere
/* Send unmatched traffic to the fallback chain. */
Chain neutron-linuxbri-ic2ae9c01-6 (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere state
RELATED,ESTABLISHED /* Direct packets associated with a known
session
to the RETURN chain. */
RETURN udp -- XXX <internal interface> anywhere
udp
spt:bootps udp dpt:bootpc
RETURN all -- anywhere anywhere
match-set NIPv4e4277e54-2e75-421d-a87d- src
RETURN icmp -- anywhere anywhere
RETURN tcp -- anywhere anywhere tcp
dpt:ssh
DROP all -- anywhere anywhere state
INVALID /* Drop packets that appear related to an existing
connection
(e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback all -- anywhere anywhere
/* Send unmatched traffic to the fallback chain. */
Chain neutron-linuxbri-id0191424-8 (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere state
RELATED,ESTABLISHED /* Direct packets associated with a known
session
to the RETURN chain. */
RETURN udp -- XXX <ip_address> anywhere udp
spt:bootps udp dpt:bootpc
RETURN all -- anywhere anywhere
match-set NIPv4e4277e54-2e75-421d-a87d- src
RETURN icmp -- anywhere anywhere
RETURN tcp -- anywhere anywhere tcp
dpt:ssh
DROP all -- anywhere anywhere state
INVALID /* Drop packets that appear related to an existing
connection
(e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback all -- anywhere anywhere
/* Send unmatched traffic to the fallback chain. */
Chain neutron-linuxbri-local (1 references)
target prot opt source destination
Chain neutron-linuxbri-o220f832a-a (2 references)
target prot opt source destination
RETURN udp -- 0.0.0.0 255.255.255.255 udp
spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-s220f832a-a all -- anywhere anywhere
RETURN udp -- anywhere anywhere udp
spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
DROP udp -- anywhere anywhere udp
spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN all -- anywhere anywhere state
RELATED,ESTABLISHED /* Direct packets associated with a known
session
to the RETURN chain. */
RETURN all -- anywhere anywhere
DROP all -- anywhere anywhere state
INVALID /* Drop packets that appear related to an existing
connection
(e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback all -- anywhere anywhere
/* Send unmatched traffic to the fallback chain. */
Chain neutron-linuxbri-oc2ae9c01-6 (2 references)
target prot opt source destination
RETURN udp -- 0.0.0.0 255.255.255.255 udp
spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-sc2ae9c01-6 all -- anywhere anywhere
RETURN udp -- anywhere anywhere udp
spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
DROP udp -- anywhere anywhere udp
spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN all -- anywhere anywhere state
RELATED,ESTABLISHED /* Direct packets associated with a known
session
to the RETURN chain. */
RETURN all -- anywhere anywhere
DROP all -- anywhere anywhere state
INVALID /* Drop packets that appear related to an existing
connection
(e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback all -- anywhere anywhere
/* Send unmatched traffic to the fallback chain. */
Chain neutron-linuxbri-od0191424-8 (2 references)
target prot opt source destination
RETURN udp -- 0.0.0.0 255.255.255.255 udp
spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-sd0191424-8 all -- anywhere anywhere
RETURN udp -- anywhere anywhere udp
spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
DROP udp -- anywhere anywhere udp
spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN all -- anywhere anywhere state
RELATED,ESTABLISHED /* Direct packets associated with a known
session
to the RETURN chain. */
RETURN all -- anywhere anywhere
DROP all -- anywhere anywhere state
INVALID /* Drop packets that appear related to an existing
connection
(e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback all -- anywhere anywhere
/* Send unmatched traffic to the fallback chain. */
Chain neutron-linuxbri-s220f832a-a (1 references)
target prot opt source destination
RETURN all -- XXX <ip address> anywhere
MAC XX:XX:XX:FF:36:AA /* Allow traffic from defined IP/MAC pairs. */
DROP all -- anywhere anywhere /*
Drop
traffic without an IP/MAC allow rule. */
Chain neutron-linuxbri-sc2ae9c01-6 (1 references)
target prot opt source destination
RETURN all -- XXX <ip address> anywhere
MAC XX:XX:XX:88:CA:0C /* Allow traffic from defined IP/MAC pairs. */
DROP all -- anywhere anywhere /*
Drop
traffic without an IP/MAC allow rule. */
Chain neutron-linuxbri-sd0191424-8 (1 references)
target prot opt source destination
RETURN all -- XXX <ip address> anywhere MAC
XX:XX:XX:2A:55:AA /* Allow traffic from defined IP/MAC pairs. */
DROP all -- anywhere anywhere /*
Drop
traffic without an IP/MAC allow rule. */
Chain neutron-linuxbri-sg-chain (6 references)
target prot opt source destination
neutron-linuxbri-i220f832a-a all -- anywhere anywhere
PHYSDEV match --physdev-out tap220f832a-a0
--physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-o220f832a-a all -- anywhere anywhere
PHYSDEV match --physdev-in tap220f832a-a0
--physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-ic2ae9c01-6 all -- anywhere anywhere
PHYSDEV match --physdev-out tapc2ae9c01-6b
--physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-oc2ae9c01-6 all -- anywhere anywhere
PHYSDEV match --physdev-in tapc2ae9c01-6b
--physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-id0191424-8 all -- anywhere anywhere
PHYSDEV match --physdev-out tapd0191424-88
--physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-od0191424-8 all -- anywhere anywhere
PHYSDEV match --physdev-in tapd0191424-88
--physdev-is-bridged /* Jump to the VM specific chain. */
ACCEPT all -- anywhere anywhere
Chain neutron-linuxbri-sg-fallback (6 references)
target prot opt source destination
DROP all -- anywhere anywhere /*
Default drop rule for unmatched traffic. */
Chain nova-compute-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain nova-compute-INPUT (1 references)
target prot opt source destination
Chain nova-compute-OUTPUT (1 references)
target prot opt source destination
Chain nova-compute-local (1 references)
target prot opt source destination
Chain nova-filter-top (2 references)
target prot opt source destination
nova-compute-local all -- anywhere anywhere
Regards,
Manjunath
-----Original Message-----
From: Georgios Dimitrakakis [mailto:gior...@acmac.uoc.gr]
Sent: Sunday, 19 March, 2017 11:35 PM
To: openstack@lists.openstack.org
Subject: Re: [Openstack] DHCP Request Failed on Ocata
Any ideas on this?
Here are my firewall rules on Controller Node:
#ALLOW ALL Compute Node
-A INPUT -s $COMPUTE_NODE_IP/32 -p udp -j ACCEPT -A OUTPUT -d
$COMPUTE_NODE_IP/32 -p udp -j ACCEPT -A INPUT -s
$COMPUTE_NODE_IP/32
-p tcp -j ACCEPT -A OUTPUT -d $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT
#ALLOW ALL from-to Public Subnet
-A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT -A OUTPUT -d
$PUBLIC_SUBNET/29 -p udp -j ACCEPT -A INPUT -s $PUBLIC_SUBNET/29 -p
tcp -j ACCEPT -A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
After these more rule are following for SSH (port 22) , HTTP (port
80) etc.
Repsectively on Compute Node I have
#ALLOW ALL Controller Node
-A INPUT -s $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
-A OUTPUT -d $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
-A INPUT -s $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT
-A OUTPUT -d $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT
#ALLOW ALL from-to Public Subnet
-A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
After these more rule are following for SSH (port 22) , HTTP (port
80)
etc.
where on all the above:
The $COMPUTE_NODE_IP is the static IP address of the compute node
The $CONTROLLER_NODE_IP is the static IP address of the controller
node
The $PUBLIC_SUBNET is the subnet for the public IP addresses as
defined
by my provider
The above rules are on the top of my IPTABLES files immediately
after:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
while at the very end (after all the rules) I have:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Using the above rules I believe that I have an open communication
between the Controller, the Compute Node and the VMs.
Obviously I am missing something...but what???
Can someone help me or share with me its firewall rules between a
controller and a compute node??
Keeping the firewall disabled solves the problem and all VMs are
getting IP addresses without a problem, but this is not desired.
I really appreciate any help provided since I am puzzled for quiet
a
few days now with this....
Regards,
G.
I have also disabled completely the "firewalld" service and
reverted
back to "iptables" service but without success.
No matter what I do my instances cannot get a DHCP address unless
the
firewall is "stopped".
I 've tried to add the UDP ports 67-68 on the firewall but without
success as well.
What else should I do in order to be able to have "iptables"
enabled
for basic firewall functionality and at the same time my OpenStack
environment to work without a problem?
Any ideas???
Regards,
G.
On Mon, 13 Mar 2017 19:37:41 -0400, Mohammed Naser wrote:
It causes problems for us so we uninstall and disable it on all
compute nodes.
yum -y remove firewalld
Sent from my iPhone
On Mar 13, 2017, at 5:58 PM, Georgios Dimitrakakis
<gior...@acmac.uoc.gr> wrote:
My problem may be due to the "firewalld" service running....
Has anyone configured OpenStack on CentOS with Firewalld or do
you
suggest to disable it?
Best,
G.
On Sat, 11 Mar 2017 21:28:51 +0200, Georgios Dimitrakakis wrote:
Hello!
I am trying to setup a new Ocata installation following the
official
guide but my instances fail to get a DHCP address.
I am using two physical nodes (1x controller and 1x compute)
each
one
with two network interfaces.
Compute node can reach the Controller node via the first
interface
and vice versa.
As recommended by the manual the second interface is unnumbered.
When I launch an instance I can see using "tcpdump" that the
DHCP
request reaches the second (the unnumbered) interface
of the compute node but never reaches any other interface either
on
compute or controller node.
Therefore I am wondering how should the instance get an IP
address?
What is the correct path that is followed?
I have tried that using both provider and self-service networks
and
the result is always the same.
Looking forward for any directions, recommendations etc.
All the best,
G.
_______________________________________________
Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
_______________________________________________
Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
_______________________________________________
Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
_______________________________________________
Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack