Re: [Openstack] DHCP Request Failed on Ocata

2017-04-01 Thread Georgios Dimitrakakis


For anyone out there facing similar issues my problem was due to the 
following line in /etc/sysconfig/iptables


-A FORWARD -j REJECT --reject-with icmp-host-prohibited


As soon as all forward rules were permitted, my problem was solved.


Best regards,

G.
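
The cause reported above, as an added example that is not part of the original post: a shell/awk check that walks the FORWARD chain of an iptables-save style ruleset and reports the first terminal rule a VM's DHCP request would hit. The sample ruleset is constructed from the fragments quoted in this thread (192.0.2.10 stands in for $COMPUTE_NODE_IP, and the INPUT rule for ports 67-68 is a guess at the attempt described), `forward_dhcp_verdict` is a hypothetical name, and the check assumes bridged frames are passed to iptables (`net.bridge.bridge-nf-call-iptables=1`).

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Packet model (assumption): a VM's
# DHCPDISCOVER, i.e. UDP 0.0.0.0:68 -> 255.255.255.255:67, conntrack state NEW.
# Simplifications: jumps to user-defined chains (neutron-*, nova-*) are not
# followed, and a rule using a match not modelled here (-i, -o, -m physdev,
# "!" negation, ...) is skipped rather than guessed at.

# forward_dhcp_verdict (hypothetical name): reads iptables-save text on stdin,
# prints "<TARGET> <rule>" for the first terminal FORWARD rule the packet
# matches, or "POLICY <policy>" if it falls off the end of the chain.
forward_dhcp_verdict() {
  awk '
    function in_range(spec, port,    a) {
      if (split(spec, a, ":") == 2) return (port >= a[1] + 0 && port <= a[2] + 0)
      return (spec + 0 == port)
    }
    /^\*/ { table = substr($1, 2) }                      # "*filter", "*nat", ...
    table == "filter" && $1 == ":FORWARD" { policy = $2 }
    table == "filter" && $1 == "-A" && $2 == "FORWARD" {
      hit = 1; target = ""
      for (i = 3; i <= NF; i++) {
        opt = $i
        if (opt == "-j") { i++; target = $i }
        else if (opt == "--reject-with") i++             # target option, not a match
        else if (opt == "-p") { i++; if ($i != "udp" && $i != "all") hit = 0 }
        else if (opt == "--dport") { i++; if (!in_range($i, 67)) hit = 0 }
        else if (opt == "--sport") { i++; if (!in_range($i, 68)) hit = 0 }
        else if (opt == "--state" || opt == "--ctstate") {
          i++; if ($i !~ /(^|,)NEW(,|$)/) hit = 0
        }
        else if (opt == "-s") { i++; if ($i != "0.0.0.0/0") hit = 0 }
        else if (opt == "-d") {
          i++; if ($i != "0.0.0.0/0" && $i != "255.255.255.255/32") hit = 0
        }
        else if (opt == "-m") { i++; if ($i !~ /^(udp|state|conntrack)$/) hit = 0 }
        else hit = 0                                     # unmodelled match: skip rule
      }
      if (hit && target ~ /^(ACCEPT|DROP|REJECT)$/) { verdict = target " " $0; exit }
    }
    END { print (verdict != "" ? verdict : "POLICY " policy) }
  '
}

# Constructed sample in the layout quoted in the thread. The INPUT rules,
# including the one opening UDP 67-68, never see bridged VM traffic; only
# the FORWARD chain does.
RULES_WITH_REJECT='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p udp -j ACCEPT
-A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# The same ruleset with the catch-all FORWARD reject removed.
RULES_WITHOUT_REJECT=$(printf '%s\n' "$RULES_WITH_REJECT" |
  grep -v -- '^-A FORWARD -j REJECT')

printf 'with reject:    %s\n' "$(printf '%s\n' "$RULES_WITH_REJECT" | forward_dhcp_verdict)"
printf 'without reject: %s\n' "$(printf '%s\n' "$RULES_WITHOUT_REJECT" | forward_dhcp_verdict)"
```

On a host, pipe `iptables-save -t filter` into the function to check the loaded rules rather than the file.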


I have installed on Ubuntu, so I don't have files such as
/etc/sysconfig/iptables.


Apart from the listed below DROP/REJECT rules there are no more of
such rules.

Regards,
Manjunath

-Original Message-
From: Georgios Dimitrakakis [mailto:gior...@acmac.uoc.gr]
Sent: Monday, 20 March, 2017 6:32 PM
To: openstack@lists.openstack.org
Subject: Re: [Openstack] DHCP Request Failed on Ocata

 Hello and thanks for providing the detailed iptables output.

 I don't believe that having initially "firewalld" enabled had any
impact because (to my understanding)  all rules are added when the
services are restarted.

 So by rebooting the nodes everything should be OK which isn't.

 Can you tell me if in your "/etc/sysconfig/iptables" you have any
other  rules that DROP or REJECT packages?


 Best,

 G.


 On Mon, 20 Mar 2017 03:08:09 +, Warad, Manjunath (Nokia - SG)
 wrote:

Here are my filter tables...
I did a default installation of 1 controller and 1 compute following
openstack install docs.

I read through that the firewalld was not stopped during
installation. I'm not sure if that could have caused some invalid
insertions/deletions into iptables.
Probably, you may want to consider re-installing controller and
compute nodes with firewalld disabled in the beginning unless you
have enough time to troubleshoot the problem.

Controller Filter Table:

Chain INPUT (policy ACCEPT)
target prot opt source   destination
neutron-linuxbri-INPUT  all  --  anywhere anywhere
nova-api-INPUT  all  --  anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source   destination
neutron-filter-top  all  --  anywhere anywhere
neutron-linuxbri-FORWARD  all  --  anywhere anywhere
nova-filter-top  all  --  anywhere anywhere
nova-api-FORWARD  all  --  anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination
neutron-filter-top  all  --  anywhere anywhere
neutron-linuxbri-OUTPUT  all  --  anywhere anywhere
nova-filter-top  all  --  anywhere anywhere
nova-api-OUTPUT  all  --  anywhere anywhere

Chain neutron-filter-top (2 references)
target prot opt source   destination
neutron-linuxbri-local  all  --  anywhere anywhere

Chain neutron-linuxbri-FORWARD (1 references)
target prot opt source   destination

Chain neutron-linuxbri-INPUT (1 references)
target prot opt source   destination

Chain neutron-linuxbri-OUTPUT (1 references)
target prot opt source   destination

Chain neutron-linuxbri-local (1 references)
target prot opt source   destination

Chain neutron-linuxbri-sg-chain (0 references)
target prot opt source   destination
ACCEPT all  --  anywhere anywhere

Chain neutron-linuxbri-sg-fallback (0 references)
target prot opt source   destination
DROP   all  --  anywhere anywhere /* Default drop rule for unmatched traffic. */

Chain nova-api-FORWARD (1 references)
target prot opt source   destination

Chain nova-api-INPUT (1 references)
target prot opt source   destination
ACCEPT tcp  --  anywhere controller   tcp dpt:8775

Chain nova-api-OUTPUT (1 references)
target prot opt source   destination

Chain nova-api-local (1 references)
target prot opt source   destination

Chain nova-filter-top (2 references)
target prot opt source   destination
nova-api-local  all  --  anywhere anywhere

Compute Filter Table:

Chain INPUT (policy ACCEPT)
target prot opt source   destination
neutron-linuxbri-INPUT  all  --  anywhere anywhere
nova-compute-INPUT  all  --  anywhere anywhere
ACCEPT udp  --  anywhere anywhere udp dpt:domain
ACCEPT tcp  --  anywhere anywhere tcp dpt:domain
ACCEPT udp  --  anywhere anywhere udp dpt:bootps
ACCEPT tcp  --  anywhere anywhere tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target prot opt source   destination
neutron-filter-top  all  --  anywhere anywhere
neutron-linuxbri-FORWARD  all  --  anywhere anywhere
nova-filter-top  all  --  anywhere anywhere
nova-compute-FORWARD  all  --  anywhere anywhere
ACCEPT all  --  anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all  --  192.168.122.0/24 anywhere
ACCEPT  

Re: [Openstack] DHCP Request Failed on Ocata

2017-03-20 Thread Warad, Manjunath (Nokia - SG)
I have installed on Ubuntu, so I don't have files such as /etc/sysconfig/iptables.

Apart from the listed below DROP/REJECT rules there are no more of such rules.

Regards,
Manjunath

-Original Message-
From: Georgios Dimitrakakis [mailto:gior...@acmac.uoc.gr] 
Sent: Monday, 20 March, 2017 6:32 PM
To: openstack@lists.openstack.org
Subject: Re: [Openstack] DHCP Request Failed on Ocata

 Hello and thanks for providing the detailed iptables output.

 I don't believe that having initially "firewalld" enabled had any  impact 
because (to my understanding)  all rules are added when the services are 
restarted.

 So by rebooting the nodes everything should be OK which isn't.

 Can you tell me if in your "/etc/sysconfig/iptables" you have any other  rules 
that DROP or REJECT packages?


 Best,

 G.


 On Mon, 20 Mar 2017 03:08:09 +, Warad, Manjunath (Nokia - SG) 
 wrote:
> Here are my filter tables...
> I did a default installation of 1 controller and 1 compute following
> openstack install docs.
>
> I read through that the firewalld was not stopped during
> installation. I'm not sure if that could have caused some invalid
> insertions/deletions into iptables.
> Probably, you may want to consider re-installing controller and
> compute nodes with firewalld disabled in the beginning unless you
> have enough time to troubleshoot the problem.
>
> Controller Filter Table:
>
> Chain INPUT (policy ACCEPT)
> target prot opt source   destination
> neutron-linuxbri-INPUT  all  --  anywhere anywhere
> nova-api-INPUT  all  --  anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source   destination
> neutron-filter-top  all  --  anywhere anywhere
> neutron-linuxbri-FORWARD  all  --  anywhere anywhere
> nova-filter-top  all  --  anywhere anywhere
> nova-api-FORWARD  all  --  anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source   destination
> neutron-filter-top  all  --  anywhere anywhere
> neutron-linuxbri-OUTPUT  all  --  anywhere anywhere
> nova-filter-top  all  --  anywhere anywhere
> nova-api-OUTPUT  all  --  anywhere anywhere
>
> Chain neutron-filter-top (2 references)
> target prot opt source   destination
> neutron-linuxbri-local  all  --  anywhere anywhere
>
> Chain neutron-linuxbri-FORWARD (1 references)
> target prot opt source   destination
>
> Chain neutron-linuxbri-INPUT (1 references)
> target prot opt source   destination
>
> Chain neutron-linuxbri-OUTPUT (1 references)
> target prot opt source   destination
>
> Chain neutron-linuxbri-local (1 references)
> target prot opt source   destination
>
> Chain neutron-linuxbri-sg-chain (0 references)
> target prot opt source   destination
> ACCEPT all  --  anywhere anywhere
>
> Chain neutron-linuxbri-sg-fallback (0 references)
> target prot opt source   destination
> DROP   all  --  anywhere anywhere /* Default drop rule for unmatched traffic. */
>
> Chain nova-api-FORWARD (1 references)
> target prot opt source   destination
>
> Chain nova-api-INPUT (1 references)
> target prot opt source   destination
> ACCEPT tcp  --  anywhere controller   tcp dpt:8775
>
> Chain nova-api-OUTPUT (1 references)
> target prot opt source   destination
>
> Chain nova-api-local (1 references)
> target prot opt source   destination
>
> Chain nova-filter-top (2 references)
> target prot opt source   destination
> nova-api-local  all  --  anywhere anywhere
>
> Compute Filter Table:
>
> Chain INPUT (policy ACCEPT)
> target prot opt source   destination
> neutron-linuxbri-INPUT  all  --  anywhere anywhere
> nova-compute-INPUT  all  --  anywhere anywhere
> ACCEPT udp  --  anywhere anywhere udp dpt:domain
> ACCEPT tcp  --  anywhere anywhere tcp dpt:domain
> ACCEPT udp  --  anywhere anywhere udp dpt:bootps
> ACCEPT tcp  --  anywhere anywhere tcp dpt:bootps
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source   destination
> neutron-filter-top  all  --  anywhere anywhere
> neutron-linuxbri-FORWARD  all  --  anywhere anywhere
> nova-filter-top  all  --  anywhere anywhere
> nova-comput

Re: [Openstack] DHCP Request Failed on Ocata

2017-03-20 Thread Georgios Dimitrakakis
anywhere PHYSDEV match --physdev-in tapc2ae9c01-6b --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-id0191424-8  all  --  anywhere anywhere PHYSDEV match --physdev-out tapd0191424-88 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-od0191424-8  all  --  anywhere anywhere PHYSDEV match --physdev-in tapd0191424-88 --physdev-is-bridged /* Jump to the VM specific chain. */
ACCEPT all  --  anywhere anywhere

Chain neutron-linuxbri-sg-fallback (6 references)
target prot opt source   destination
DROP   all  --  anywhere anywhere /* Default drop rule for unmatched traffic. */

Chain nova-compute-FORWARD (1 references)
target prot opt source   destination
ACCEPT all  --  anywhere anywhere
ACCEPT all  --  anywhere anywhere
DROP   all  --  anywhere anywhere
ACCEPT all  --  anywhere anywhere
ACCEPT all  --  anywhere anywhere
DROP   all  --  anywhere anywhere

Chain nova-compute-INPUT (1 references)
target prot opt source   destination

Chain nova-compute-OUTPUT (1 references)
target prot opt source   destination

Chain nova-compute-local (1 references)
target prot opt source   destination

Chain nova-filter-top (2 references)
target prot opt source   destination
nova-compute-local  all  --  anywhere anywhere

Regards,
Manjunath


-Original Message-
From: Georgios Dimitrakakis [mailto:gior...@acmac.uoc.gr]
Sent: Sunday, 19 March, 2017 11:35 PM
To: openstack@lists.openstack.org
Subject: Re: [Openstack] DHCP Request Failed on Ocata

 Any ideas on this?

 Here are my firewall rules on Controller Node:

 #ALLOW ALL Compute Node
 -A INPUT -s $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
 -A OUTPUT -d $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
 -A INPUT -s $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT
 -A OUTPUT -d $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT

 #ALLOW ALL from-to Public Subnet
 -A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
 -A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
 -A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
 -A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT

 After these, more rules follow for SSH (port 22), HTTP (port 80), etc.



 Respectively on Compute Node I have


 #ALLOW ALL Controller Node
 -A INPUT -s $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
 -A OUTPUT -d $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
 -A INPUT -s $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT
 -A OUTPUT -d $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT

 #ALLOW ALL from-to Public Subnet
 -A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
 -A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
 -A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
 -A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT


 After these, more rules follow for SSH (port 22), HTTP (port 80), etc.

 where on all the above:
 The $COMPUTE_NODE_IP is the static IP address of the compute node
 The $CONTROLLER_NODE_IP is the static IP address of the controller node
 The $PUBLIC_SUBNET is the subnet for the public IP addresses as defined
 by my provider


 The above rules are on the top of my IPTABLES files immediately after:


 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT

 while at the very end (after all the rules) I have:

 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT


 Using the above rules I believe that I have an open communication
 between the Controller, the Compute Node and the VMs.

 Obviously I am missing something...but what???

 Can someone help me or share with me its firewall rules between a
 controller and a compute node??

 Keeping the firewall disabled solves the problem and all VMs are
 getting IP addresses without a problem, but this is not desired.

 I really appreciate any help provided since I am puzzled for quite a
 few days now with this


 Regards,


 G.




I have also disabled completely the "firewalld" service and reverted
back to "iptables" service but without success.

No matter what I do my instances cannot get a DHCP address unless the
firewall is "stopped".

I've tried to add the UDP ports 67-68 on the firewall but without
success as well.
What else should I do in order to be able to have "iptables" enabled
for basic firewall functionality and at the same time my OpenStack
environment to work without a problem?

Any ideas???

Regards,

G.

On Mon, 13 Mar 2017 19:37:41 -0400, Mohammed Naser wrote:

It causes problems for us so we uninstall and disable it on all
compute nodes.

yum -y remove firewalld

Sent from my iPhone


On Mar 13, 2017, at 5:58 PM, Geo

Re: [Openstack] DHCP Request Failed on Ocata

2017-03-19 Thread Warad, Manjunath (Nokia - SG)
-linuxbri-o220f832a-a  all  --  anywhere anywhere PHYSDEV match --physdev-in tap220f832a-a0 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-ic2ae9c01-6  all  --  anywhere anywhere PHYSDEV match --physdev-out tapc2ae9c01-6b --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-oc2ae9c01-6  all  --  anywhere anywhere PHYSDEV match --physdev-in tapc2ae9c01-6b --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-id0191424-8  all  --  anywhere anywhere PHYSDEV match --physdev-out tapd0191424-88 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-od0191424-8  all  --  anywhere anywhere PHYSDEV match --physdev-in tapd0191424-88 --physdev-is-bridged /* Jump to the VM specific chain. */
ACCEPT all  --  anywhere anywhere

Chain neutron-linuxbri-sg-fallback (6 references)
target prot opt source   destination 
DROP   all  --  anywhere anywhere /* Default drop rule for unmatched traffic. */

Chain nova-compute-FORWARD (1 references)
target prot opt source   destination 
ACCEPT all  --  anywhere anywhere
ACCEPT all  --  anywhere anywhere
DROP   all  --  anywhere anywhere
ACCEPT all  --  anywhere anywhere
ACCEPT all  --  anywhere anywhere
DROP   all  --  anywhere anywhere

Chain nova-compute-INPUT (1 references)
target prot opt source   destination 

Chain nova-compute-OUTPUT (1 references)
target prot opt source   destination 

Chain nova-compute-local (1 references)
target prot opt source   destination 

Chain nova-filter-top (2 references)
target prot opt source   destination 
nova-compute-local  all  --  anywhere anywhere

Regards,
Manjunath


-Original Message-
From: Georgios Dimitrakakis [mailto:gior...@acmac.uoc.gr] 
Sent: Sunday, 19 March, 2017 11:35 PM
To: openstack@lists.openstack.org
Subject: Re: [Openstack] DHCP Request Failed on Ocata

 Any ideas on this?

 Here are my firewall rules on Controller Node:

 #ALLOW ALL Compute Node
 -A INPUT -s $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
 -A OUTPUT -d $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
 -A INPUT -s $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT
 -A OUTPUT -d $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT

 #ALLOW ALL from-to Public Subnet
 -A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
 -A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
 -A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
 -A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT

 After these, more rules follow for SSH (port 22), HTTP (port 80), etc.


 Respectively on Compute Node I have


 #ALLOW ALL Controller Node
 -A INPUT -s $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
 -A OUTPUT -d $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
 -A INPUT -s $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT
 -A OUTPUT -d $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT

 #ALLOW ALL from-to Public Subnet
 -A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
 -A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
 -A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
 -A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT


 After these, more rules follow for SSH (port 22), HTTP (port 80), etc.

 where on all the above:
 The $COMPUTE_NODE_IP is the static IP address of the compute node
 The $CONTROLLER_NODE_IP is the static IP address of the controller node
 The $PUBLIC_SUBNET is the subnet for the public IP addresses as defined 
 by my provider


 The above rules are on the top of my IPTABLES files immediately after:

 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT

 while at the very end (after all the rules) I have:

 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT


 Using the above rules I believe that I have an open communication 
 between the Controller, the Compute Node and the VMs.

 Obviously I am missing something...but what???

 Can someone help me or share with me its firewall rules between a 
 controller and a compute node??

 Keeping the firewall disabled solves the problem and all VMs are 
 getting IP addresses without a problem, but this is not desired.

 I really appreciate any help provided since I am puzzled for quite a
 few days now with this


 Regards,


 G.



> I have also disabled completely the "firewalld" service and reverted
> back to "iptables" service but without success.
>
> No matter what I do my instances 

Re: [Openstack] DHCP Request Failed on Ocata

2017-03-19 Thread Georgios Dimitrakakis

Any ideas on this?

Here are my firewall rules on Controller Node:

#ALLOW ALL Compute Node
-A INPUT -s $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
-A OUTPUT -d $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
-A INPUT -s $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT
-A OUTPUT -d $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT

#ALLOW ALL from-to Public Subnet
-A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT

After these, more rules follow for SSH (port 22), HTTP (port 80), etc.



Respectively on Compute Node I have


#ALLOW ALL Controller Node
-A INPUT -s $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
-A OUTPUT -d $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
-A INPUT -s $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT
-A OUTPUT -d $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT

#ALLOW ALL from-to Public Subnet
-A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT


After these, more rules follow for SSH (port 22), HTTP (port 80), etc.


where on all the above:
The $COMPUTE_NODE_IP is the static IP address of the compute node
The $CONTROLLER_NODE_IP is the static IP address of the controller node
The $PUBLIC_SUBNET is the subnet for the public IP addresses as defined 
by my provider



The above rules are on the top of my IPTABLES files immediately after:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

while at the very end (after all the rules) I have:

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


Using the above rules I believe that I have an open communication 
between the Controller, the Compute Node and the VMs.


Obviously I am missing something...but what???

Can someone help me or share with me its firewall rules between a 
controller and a compute node??


Keeping the firewall disabled solves the problem and all VMs are 
getting IP addresses without a problem, but this is not desired.


I really appreciate any help provided since I am puzzled for quite a
few days now with this



Regards,


G.




I have also disabled completely the "firewalld" service and reverted
back to "iptables" service but without success.

No matter what I do my instances cannot get a DHCP address unless the
firewall is "stopped".

I've tried to add the UDP ports 67-68 on the firewall but without
success as well.
What else should I do in order to be able to have "iptables" enabled
for basic firewall functionality and at the same time my OpenStack
environment to work without a problem?

Any ideas???

Regards,

G.

On Mon, 13 Mar 2017 19:37:41 -0400, Mohammed Naser wrote:

It causes problems for us so we uninstall and disable it on all
compute nodes.

yum -y remove firewalld

Sent from my iPhone

On Mar 13, 2017, at 5:58 PM, Georgios Dimitrakakis 
 wrote:


My problem may be due to the "firewalld" service running

Has anyone configured OpenStack on CentOS with Firewalld or do you 
suggest to disable it?


Best,

G.


On Sat, 11 Mar 2017 21:28:51 +0200, Georgios Dimitrakakis wrote:
Hello!

I am trying to setup a new Ocata installation following the official
guide but my instances fail to get a DHCP address.

I am using two physical nodes (1x controller and 1x compute) each one
with two network interfaces.
Compute node can reach the Controller node via the first interface
and vice versa.
As recommended by the manual the second interface is unnumbered.

When I launch an instance I can see using "tcpdump" that the DHCP
request reaches the second (the unnumbered) interface
of the compute node but never reaches any other interface either on
compute or controller node.

Therefore I am wondering how should the instance get an IP address?
What is the correct path that is followed?

I have tried that using both provider and self-service networks and
the result is always the same.


Looking forward for any directions, recommendations etc.


All the best,

G.

___
Mailing list: 
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

Post to : openstack@lists.openstack.org
Unsubscribe : 
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack



Re: [Openstack] DHCP Request Failed on Ocata

2017-03-17 Thread Georgios Dimitrakakis
I have also disabled completely the "firewalld" service and reverted 
back to "iptables" service but without success.


No matter what I do my instances cannot get a DHCP address unless the 
firewall is "stopped".


I've tried to add the UDP ports 67-68 on the firewall but without
success as well.
What else should I do in order to be able to have "iptables" enabled 
for basic firewall functionality and at the same time my OpenStack 
environment to work without a problem?


Any ideas???

Regards,

G.

On Mon, 13 Mar 2017 19:37:41 -0400, Mohammed Naser wrote:

It causes problems for us so we uninstall and disable it on all
compute nodes.

yum -y remove firewalld

Sent from my iPhone

On Mar 13, 2017, at 5:58 PM, Georgios Dimitrakakis 
 wrote:


My problem may be due to the "firewalld" service running

Has anyone configured OpenStack on CentOS with Firewalld or do you 
suggest to disable it?


Best,

G.


On Sat, 11 Mar 2017 21:28:51 +0200, Georgios Dimitrakakis wrote:
Hello!

I am trying to setup a new Ocata installation following the official
guide but my instances fail to get a DHCP address.

I am using two physical nodes (1x controller and 1x compute) each one
with two network interfaces.
Compute node can reach the Controller node via the first interface
and vice versa.
As recommended by the manual the second interface is unnumbered.

When I launch an instance I can see using "tcpdump" that the DHCP
request reaches the second (the unnumbered) interface
of the compute node but never reaches any other interface either on
compute or controller node.

Therefore I am wondering how should the instance get an IP address?
What is the correct path that is followed?

I have tried that using both provider and self-service networks and
the result is always the same.


Looking forward for any directions, recommendations etc.


All the best,

G.



Re: [Openstack] DHCP Request Failed on Ocata

2017-03-13 Thread Mohammed Naser
It causes problems for us so we uninstall and disable it on all compute nodes. 

yum -y remove firewalld

Sent from my iPhone

> On Mar 13, 2017, at 5:58 PM, Georgios Dimitrakakis  
> wrote:
> 
> My problem may be due to the "firewalld" service running
> 
> Has anyone configured OpenStack on CentOS with Firewalld or do you suggest to 
> disable it?
> 
> Best,
> 
> G.
> 
>> On Sat, 11 Mar 2017 21:28:51 +0200, Georgios Dimitrakakis wrote:
>> Hello!
>> 
>> I am trying to setup a new Ocata installation following the official
>> guide but my instances fail to get a DHCP address.
>> 
>> I am using two physical nodes (1x controller and 1x compute) each one
>> with two network interfaces.
>> Compute node can reach the Controller node via the first interface
>> and vice versa.
>> As recommended by the manual the second interface is unnumbered.
>> 
>> When I launch an instance I can see using "tcpdump" that the DHCP
>> request reaches the second (the unnumbered) interface
>> of the compute node but never reaches any other interface either on
>> compute or controller node.
>> 
>> Therefore I am wondering how should the instance get an IP address?
>> What is the correct path that is followed?
>> 
>> I have tried that using both provider and self-service networks and
>> the result is always the same.
>> 
>> 
>> Looking forward for any directions, recommendations etc.
>> 
>> 
>> All the best,
>> 
>> G.
>> 


Re: [Openstack] DHCP Request Failed on Ocata

2017-03-13 Thread Georgios Dimitrakakis

My problem may be due to the "firewalld" service running

Has anyone configured OpenStack on CentOS with Firewalld or do you 
suggest to disable it?


Best,

G.

On Sat, 11 Mar 2017 21:28:51 +0200, Georgios Dimitrakakis wrote:

Hello!

I am trying to setup a new Ocata installation following the official
guide but my instances fail to get a DHCP address.

I am using two physical nodes (1x controller and 1x compute) each one
with two network interfaces.
Compute node can reach the Controller node via the first interface
and vice versa.
As recommended by the manual the second interface is unnumbered.

When I launch an instance I can see using "tcpdump" that the DHCP
request reaches the second (the unnumbered) interface
of the compute node but never reaches any other interface either on
compute or controller node.

Therefore I am wondering how should the instance get an IP address?
What is the correct path that is followed?

I have tried that using both provider and self-service networks and
the result is always the same.


Looking forward for any directions, recommendations etc.


All the best,

G.



[Openstack] DHCP Request Failed on Ocata

2017-03-11 Thread Georgios Dimitrakakis

Hello!

I am trying to setup a new Ocata installation following the official 
guide but my instances fail to get a DHCP address.


I am using two physical nodes (1x controller and 1x compute) each one 
with two network interfaces.
Compute node can reach the Controller node via the first interface and 
vice versa.

As recommended by the manual the second interface is unnumbered.

When I launch an instance I can see using "tcpdump" that the DHCP 
request reaches the second (the unnumbered) interface
of the compute node but never reaches any other interface either on 
compute or controller node.


Therefore I am wondering how should the instance get an IP address? 
What is the correct path that is followed?


I have tried that using both provider and self-service networks and the 
result is always the same.



Looking forward for any directions, recommendations etc.


All the best,

G.
