[Openstack] DHCP Request Failed on Ocata
Georgios Dimitrakakis
giorgis at acmac.uoc.gr
Sun Mar 19 15:34:59 UTC 2017
Any ideas on this?
Here are my firewall rules on Controller Node:
#ALLOW ALL Compute Node
-A INPUT -s $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
-A OUTPUT -d $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
-A INPUT -s $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT
-A OUTPUT -d $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT
#ALLOW ALL from-to Public Subnet
-A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
After these, more rules follow for SSH (port 22), HTTP (port 80),
etc.
Respectively, on the Compute Node I have
#ALLOW ALL Controller Node
-A INPUT -s $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
-A OUTPUT -d $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
-A INPUT -s $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT
-A OUTPUT -d $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT
#ALLOW ALL from-to Public Subnet
-A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
After these, more rules follow for SSH (port 22), HTTP (port 80),
etc.
where on all the above:
The $COMPUTE_NODE_IP is the static IP address of the compute node
The $CONTROLLER_NODE_IP is the static IP address of the controller node
The $PUBLIC_SUBNET is the subnet for the public IP addresses as defined
by my provider
The above rules are on the top of my IPTABLES files immediately after:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
while at the very end (after all the rules) I have:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Using the above rules I believe that I have an open communication
between the Controller, the Compute Node and the VMs.
Obviously I am missing something...but what???
Can someone help me or share with me their firewall rules between a
controller and a compute node??
Keeping the firewall disabled solves the problem and all VMs are
getting IP addresses without a problem, but this is not desired.
I really appreciate any help provided since I have been puzzled for quite a
few days now with this....
Regards,
G.
> I have also disabled completely the "firewalld" service and reverted
> back to "iptables" service but without success.
>
> No matter what I do my instances cannot get a DHCP address unless the
> firewall is "stopped".
>
> I've tried to add the UDP ports 67-68 on the firewall but without
> success as well.
> What else should I do in order to be able to have "iptables" enabled
> for basic firewall functionality and at the same time my OpenStack
> environment to work without a problem?
>
> Any ideas???
>
> Regards,
>
> G.
>
> On Mon, 13 Mar 2017 19:37:41 -0400, Mohammed Naser wrote:
>> It causes problems for us so we uninstall and disable it on all
>> compute nodes.
>>
>> yum -y remove firewalld
>>
>> Sent from my iPhone
>>
>>> On Mar 13, 2017, at 5:58 PM, Georgios Dimitrakakis
>>> <giorgis at acmac.uoc.gr> wrote:
>>>
>>> My problem may be due to the "firewalld" service running....
>>>
>>> Has anyone configured OpenStack on CentOS with Firewalld or do you
>>> suggest to disable it?
>>>
>>> Best,
>>>
>>> G.
>>>
>>>> On Sat, 11 Mar 2017 21:28:51 +0200, Georgios Dimitrakakis wrote:
>>>> Hello!
>>>>
>>>> I am trying to setup a new Ocata installation following the
>>>> official
>>>> guide but my instances fail to get a DHCP address.
>>>>
>>>> I am using two physical nodes (1x controller and 1x compute) each
>>>> one
>>>> with two network interfaces.
>>>> Compute node can reach the Controller node via the first interface
>>>> and vice versa.
>>>> As recommended by the manual the second interface is unnumbered.
>>>>
>>>> When I launch an instance I can see using "tcpdump" that the DHCP
>>>> request reaches the second (the unnumbered) interface
>>>> of the compute node but never reaches any other interface either
>>>> on
>>>> compute or controller node.
>>>>
>>>> Therefore I am wondering how should the instance get an IP
>>>> address?
>>>> What is the correct path that is followed?
>>>>
>>>> I have tried that using both provider and self-service networks
>>>> and
>>>> the result is always the same.
>>>>
>>>>
>>>> Looking forward for any directions, recommendations etc.
>>>>
>>>>
>>>> All the best,
>>>>
>>>> G.
>>>>
>>>> _______________________________________________
>>>> Mailing list:
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>> Post to : openstack at lists.openstack.org
>>>> Unsubscribe :
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>
>>>
>
>
>
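An added example, not part of the original post: a small first-match evaluator run over the controller rules listed in the message, showing which rule decides a client's initial DHCPDISCOVER (source 0.0.0.0, broadcast destination) compared with ordinary UDP from the compute node. The addresses are constructed stand-ins for $COMPUTE_NODE_IP and $PUBLIC_SUBNET, the interface name eth1 is hypothetical, the elided SSH/HTTP rules are omitted, and it makes no claim about which chain the packets traverse in the poster's deployment.

```python
import ipaddress

# Constructed stand-ins for the post's $COMPUTE_NODE_IP and $PUBLIC_SUBNET.
COMPUTE_NODE_IP = "192.0.2.10/32"
PUBLIC_SUBNET = "203.0.113.8/29"
# Controller filter table from the post, in file order (elided SSH/HTTP rules
# omitted). Each rule is (match-dict, target); {} matches every packet.
CHAINS = {
    "INPUT": [
        ({"state": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
        ({"proto": "icmp"}, "ACCEPT"),
        ({"in_if": "lo"}, "ACCEPT"),
        ({"src": COMPUTE_NODE_IP, "proto": "udp"}, "ACCEPT"),
        ({"src": COMPUTE_NODE_IP, "proto": "tcp"}, "ACCEPT"),
        ({"src": PUBLIC_SUBNET, "proto": "udp"}, "ACCEPT"),
        ({"src": PUBLIC_SUBNET, "proto": "tcp"}, "ACCEPT"),
        ({}, "REJECT"),
    ],
    "FORWARD": [({}, "REJECT")],
}

def matches(rule, pkt):
    """True when every condition of the rule holds for the packet."""
    for key, want in rule.items():
        if key == "src":
            ok = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(want)
        elif key == "state":
            ok = pkt["state"] in want
        else:
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True

def verdict(chain, pkt):
    """First matching rule wins; otherwise the chain policy (ACCEPT) applies."""
    for index, (rule, target) in enumerate(CHAINS[chain], start=1):
        if matches(rule, pkt):
            return target, index
    return "ACCEPT", None

# Constructed packets: a client without a lease sends DHCPDISCOVER from
# 0.0.0.0 to broadcast; the second packet is ordinary compute-node UDP.
DHCP_DISCOVER = {"src": "0.0.0.0", "dst": "255.255.255.255", "proto": "udp",
                 "sport": 68, "dport": 67, "state": "NEW", "in_if": "eth1"}
NODE_UDP = dict(DHCP_DISCOVER, src="192.0.2.10", dst="192.0.2.1", dport=4789)

if __name__ == "__main__":
    for chain in CHAINS:
        print(chain, verdict(chain, DHCP_DISCOVER), verdict(chain, NODE_UDP))
```

Bridged frames are only subject to the FORWARD chain when bridge netfilter (net.bridge.bridge-nf-call-iptables) is enabled on the host.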