Hypervisors inaccessible with VM on provider network
Matthew Ens
mfens98 at uvic.ca
Mon Aug 30 16:27:30 UTC 2021
Hello,
I am running openstack-victoria on centos8 without OVS and I have
followed the installation directions according to the docs with the
option to have self-service networks as our project does not need all
our VMs accessible from the outside. We do still however occasionally
use the provider network for users who need external access to the VM
and in cases where using a floating IP is not sufficient.
We noticed when there is a VM connected to the provider network we lose
access to the hypervisor (cannot ssh or anything, ping still gives a
response though) and the hypervisor itself loses internet access (cannot
ping or curl some test website). We narrowed it down to two issues. One,
we were using firewalld to keep track of our own firewall rules while
openstack uses iptables to enforce its security group rules. These two
did not work well together due to the second issue where openstack
assigns incoming connections to a conntrack zone, it seemed like
firewalld could not handle this correctly and would drop connections
that should have been allowed under its rules.
After transferring our firewall rules to iptables and masking firewalld,
the hypervisor was accessible over ssh but could not access the internet
due to our rule allowing ESTABLISHED and RELATED connections not being
applied properly when a packet was assigned to a conntrack zone.
The workaround we found for this was to add a rule where packets
destined for the hypervisor were not assigned to a conntrack zone (add a
rule to the raw iptables table in the PREROUTING chain to just be
accepted if the destination IP address was the address of the
hypervisor). This worked until a new VM was created, as openstack
rebuilds the iptables when a change is made and puts its own rules
above those created by someone other than openstack. To fix this we
changed the code in neutron (iptables_manager.py, the modify_rules
function) to put this rule only above those made by openstack in the raw
iptables table, PREROUTING chain. This fixed our issue; we are now able
to access the hypervisor when VMs are running on a provider network and
VMs and the hypervisor are accessible and able to access the internet.
Security groups are also properly enforced on the VMs as are our
firewall rules assigned elsewhere in iptables.
I'm not sure if this is exactly a bug since in most cases openstack
should be assigning its own firewall rules first in case there are DROP
rules put in by someone else or I could also have missed some
configuration step in which case I would love to know how I can improve.
We thought others may be having a similar issue.
If you'd like more details or have suggestions I'm happy to receive
feedback.
Cheers,
Matt
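The ordering problem described in the post, as an added example that is not part of the original message or of neutron: a check that the hypervisor's raw-table ACCEPT rule sits above neutron's jump into its own PREROUTING chain (so the CT zone target never sees traffic for the host), and a filter that emits a corrected iptables-save dump. It assumes neutron's wrapper chains are named `neutron-*` and that the zone assignment happens inside them; the sample dump is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Works on iptables-save text
# (e.g. "iptables-save -t raw"), so it can be run offline against a dump.
# Assumption: neutron's chains are "neutron-*" (e.g. neutron-linuxbri-PREROUTING)
# and the "-j CT --zone N" rules live inside them.

# hv_accept_ok <ip>: read a dump on stdin; exit 0 if "-d <ip>/32 -j ACCEPT"
# appears in raw PREROUTING before the jump to neutron's chain, else exit 1.
# The /32 form is what iptables-save prints for a single host address.
hv_accept_ok() {
  awk -v ip="$1" '
    /^\*raw$/  { inraw = 1 }
    /^COMMIT$/ { inraw = 0 }
    inraw && /^-A PREROUTING / {
      if (!jumped && index($0, "-d " ip "/32 ") && /-j ACCEPT$/) ok = 1
      if (/-j neutron-/) jumped = 1
    }
    END { exit ok ? 0 : 1 }
  '
}

# hv_accept_fix <ip>: read a dump on stdin; write it back with the ACCEPT rule
# placed immediately before the first neutron jump in raw PREROUTING. A copy
# that already sits below the jump (the state the post describes after neutron
# rebuilds the table) is dropped so the rule is not duplicated.
hv_accept_fix() {
  awk -v ip="$1" '
    /^\*raw$/  { inraw = 1 }
    /^COMMIT$/ { inraw = 0 }
    inraw && /^-A PREROUTING / {
      isacc = index($0, "-d " ip "/32 ") && /-j ACCEPT$/
      if (isacc && done) next            # stale copy below the jump: drop it
      if (isacc) done = 1                # already in the right place
      else if (!done && /-j neutron-/) {
        print "-A PREROUTING -d " ip "/32 -j ACCEPT"; done = 1
      }
    }
    { print }
  '
}

# Constructed sample: the broken state, neutron's jump above the host rule.
SAMPLE_RAW=$(cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-linuxbri-PREROUTING - [0:0]
-A PREROUTING -j neutron-linuxbri-PREROUTING
-A PREROUTING -d 192.0.2.10/32 -j ACCEPT
-A neutron-linuxbri-PREROUTING -m physdev --physdev-in tap0123abcd-ef -j CT --zone 4097
COMMIT
EOF
)
```

`iptables-save -t raw | hv_accept_ok 192.0.2.10` is the check worth running (or scheduling) after neutron rewrites the table, since, as the post notes, every VM change reorders the rules; the fix filter produces a dump for review rather than applying it.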