Summary of the problem

This problem is in a compute node, not in a VM. Once a VM is running in a compute node, all outbound connections in the compute node (not the VM) are blocked. For example:

# telnet www.google.com 80
Trying 172.217.5.4...

Technical details

We only use a provider network. These 4 services are running in each compute node:

- neutron-linuxbridge-agent.service
- neutron-dhcp-agent.service
- neutron-metadata-agent.service
- openstack-nova-compute.service

Detailed description of the problem

In a compute node, the following is the result of iptables -L when no VM is running:

<begin>
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  anywhere             anywhere
And our usual rules

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere

Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-linuxbri-local  all  --  anywhere             anywhere

Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             PHYSDEV match --physdev-out tapb --physdev-is-bridged
ACCEPT     all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapb --physdev-is-bridged
ACCEPT     all  --  anywhere             anywhere             PHYSDEV match --physdev-out tap9 --physdev-is-bridged
ACCEPT     all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap9 --physdev-is-bridged

Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-sg-chain (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain neutron-linuxbri-sg-fallback (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
</end>

In the same compute node, when a VM is running, the following is the result of iptables -L:

<begin>
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
neutron-linuxbri-INPUT  all  --  anywhere             anywhere
And our usual rules

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
neutron-filter-top  all  --  anywhere             anywhere
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere

Chain neutron-filter-top (2 references)
target     prot opt source               destination
neutron-linuxbri-local  all  --  anywhere             anywhere

Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tap8 --physdev-is-bridged
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap8 --physdev-is-bridged
ACCEPT     all  --  anywhere             anywhere             PHYSDEV match --physdev-out tapb --physdev-is-bridged
ACCEPT     all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapb --physdev-is-bridged
ACCEPT     all  --  anywhere             anywhere             PHYSDEV match --physdev-out tap9 --physdev-is-bridged
ACCEPT     all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap9 --physdev-is-bridged

Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination
neutron-linuxbri-o8  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap8 --physdev-is-bridged

Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-i8 (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
RETURN     udp  --  anywhere             fermicloud248.fnal.gov  udp spt:bootps dpt:bootpc
RETURN     udp  --  anywhere             255.255.255.255      udp spt:bootps dpt:bootpc
RETURN     icmp --  anywhere             anywhere
RETURN     tcp  --  fermilab-net.fnal.gov/16  anywhere         tcp dpt:ssh
RETURN     all  --  anywhere             anywhere             match-set NIPv41d69ba3c-68e3-414f-8f1b- src
DROP       all  --  anywhere             anywhere             state INVALID
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere

Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination

Chain neutron-linuxbri-o8 (2 references)
target     prot opt source               destination
RETURN     udp  --  default              255.255.255.255      udp spt:bootpc dpt:bootps
neutron-linuxbri-s8  all  --  anywhere             anywhere
RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
DROP       udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
RETURN     tcp  --  anywhere             anywhere             tcp dpt:https
RETURN     all  --  anywhere             anywhere
RETURN     tcp  --  anywhere             anywhere             tcp dpt:http
DROP       all  --  anywhere             anywhere             state INVALID
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere

Chain neutron-linuxbri-s8 (1 references)
target     prot opt source               destination
RETURN     all  --  fermicloud248.fnal.gov  anywhere          MAC FA:16:
DROP       all  --  anywhere             anywhere

Chain neutron-linuxbri-sg-chain (2 references)
target     prot opt source               destination
neutron-linuxbri-i8  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tap8 --physdev-is-bridged
neutron-linuxbri-o8  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap8 --physdev-is-bridged
ACCEPT     all  --  anywhere             anywhere

Chain neutron-linuxbri-sg-fallback (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
</end>

Let me summarize the differences from when no VM is running:

- Chain INPUT: no change
- Chain FORWARD: no change
- Chain OUTPUT: no change
- Chain neutron-filter-top: no change
- Chain neutron-linuxbri-FORWARD: two new rules are added
  neutron-linuxbri-sg-chain
  neutron-linuxbri-sg-chain
- Chain neutron-linuxbri-INPUT: one new rule is added
  neutron-linuxbri-o8ae816b0-f
- Chain neutron-linuxbri-sg-chain: two new rules are added
  neutron-linuxbri-i8
  neutron-linuxbri-o8
- Chain neutron-linuxbri-OUTPUT: no change
- Chain neutron-linuxbri-local: no change
- Chain neutron-linuxbri-sg-fallback: no change
- Chain neutron-linuxbri-i8: a new chain with multiple rules
- Chain neutron-linuxbri-o8: a new chain with multiple rules
- Chain neutron-linuxbri-s8: a new chain with multiple rules

But now a problem arises here: all outbound connections are blocked (remember this is in a compute node, not a VM). For example:

# telnet www.google.com 80
Trying 172.217.5.4...

When there isn't any VM running, we don't see this problem.

I was wondering if I needed to create a new security group rule for port 80 (for example), but that didn't solve the issue.

Any technical advice will be appreciated.

Thanks,
Hyunwoo
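The comparison the post does by hand (which chains and rules appear once the VM is up, and which of them can actually drop traffic from a given built-in chain) can be automated. The following script is an added example, not code from the post or from Neutron: it parses two `iptables -L` snapshots, diffs them, and walks the jump graph from INPUT and OUTPUT to list every reachable DROP rule. The embedded snapshots are constructed for this example (a subset of the post's chains, with placeholder port `tap0` and per-port chain `neutron-linuxbri-o0`), not captured from a real node.

```python
"""Diff two `iptables -L` snapshots and list the DROP rules reachable from a
built-in chain. The snapshots below are constructed for this example (placeholder
port tap0 and chain neutron-linuxbri-o0), modelled on the layout in the post."""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")


def parse_iptables_list(text):
    """Return {chain: {"policy": str or None, "rules": [rule dicts]}}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("target "):
            continue  # blank line or the column-header line
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
        elif current is not None:
            f = line.split()  # target prot opt source destination [match text]
            chains[current]["rules"].append(
                {"target": f[0], "proto": f[1], "src": f[3], "dst": f[4],
                 "match": " ".join(f[5:]), "raw": " ".join(f)})
    return chains


def diff_snapshots(before, after):
    """Chains and rules that appear in `after` but not `before`, and vice versa."""
    report = {"new_chains": sorted(set(after) - set(before)),
              "removed_chains": sorted(set(before) - set(after)),
              "added_rules": {}, "removed_rules": {}}
    for name in sorted(set(before) & set(after)):
        b = [r["raw"] for r in before[name]["rules"]]
        a = [r["raw"] for r in after[name]["rules"]]
        added = [r for r in a if r not in b]
        removed = [r for r in b if r not in a]
        if added:
            report["added_rules"][name] = added
        if removed:
            report["removed_rules"][name] = removed
    return report


def reachable_chains(chains, start):
    """Every chain a packet entering `start` can be jumped to (follows user-chain targets)."""
    seen, stack = set(), [start]
    while stack:
        name = stack.pop()
        if name in seen or name not in chains:
            continue
        seen.add(name)
        stack.extend(r["target"] for r in chains[name]["rules"] if r["target"] in chains)
    return seen


def reachable_drops(chains, start):
    """(chain, rule) pairs with target DROP that traffic entering `start` can hit."""
    return [(name, r["raw"]) for name in sorted(reachable_chains(chains, start))
            for r in chains[name]["rules"] if r["target"] == "DROP"]


# Constructed sample: a subset of the post's filter-table chains. {vm_rules} is where
# the linuxbridge agent hooks the per-port chain into neutron-linuxbri-INPUT.
BASE = """Chain INPUT (policy ACCEPT)
target prot opt source destination
neutron-linuxbri-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- anywhere anywhere
neutron-linuxbri-OUTPUT all -- anywhere anywhere
Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-linuxbri-local all -- anywhere anywhere
Chain neutron-linuxbri-INPUT (1 references)
target prot opt source destination
{vm_rules}Chain neutron-linuxbri-OUTPUT (1 references)
target prot opt source destination
Chain neutron-linuxbri-local (1 references)
target prot opt source destination
Chain neutron-linuxbri-sg-fallback (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
"""
NO_VM = BASE.format(vm_rules="")
WITH_VM = BASE.format(
    vm_rules="neutron-linuxbri-o0 all -- anywhere anywhere "
             "PHYSDEV match --physdev-in tap0 --physdev-is-bridged\n"
) + """Chain neutron-linuxbri-o0 (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere state INVALID
neutron-linuxbri-sg-fallback all -- anywhere anywhere
"""


def analyse(before_text=NO_VM, after_text=WITH_VM):
    """Diff the snapshots and check DROP reachability from INPUT and OUTPUT."""
    before, after = parse_iptables_list(before_text), parse_iptables_list(after_text)
    return {"diff": diff_snapshots(before, after),
            "OUTPUT_before": reachable_drops(before, "OUTPUT"),
            "OUTPUT_after": reachable_drops(after, "OUTPUT"),
            "INPUT_before": reachable_drops(before, "INPUT"),
            "INPUT_after": reachable_drops(after, "INPUT")}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(), indent=2))
```

On a real node, save `iptables -L -n` before and after the VM boots (`-n` avoids the hostname lookups that produce names such as fermicloud248.fnal.gov in the post's output) and pass the two files' contents to `analyse()`. On the constructed sample, as on the post's own listing, the OUTPUT chain only reaches neutron-filter-top, neutron-linuxbri-local and neutron-linuxbri-OUTPUT, none of which contains a DROP; the new DROPs become reachable from INPUT via the per-port chain. That tells a defender where the filter-table output shown cannot explain a blocked outbound connection, so the next step is to look at the other tables (`iptables -t raw -L`, `iptables -t nat -L`) and at per-rule counters (`iptables -L -v -n`) rather than at more security-group rules. The parser assumes plain `iptables -L` columns (target, prot, opt, source, destination, match text) and therefore does not handle the extra columns `-v` adds.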