[Openstack] DHCP Request Failed on Ocata

Warad, Manjunath (Nokia - SG) manjunath.warad at nokia.com
Mon Mar 20 03:08:09 UTC 2017


Here are my filter tables... 
I did a default installation of 1 controller and 1 compute following openstack install docs.

I read that firewalld was not stopped during installation. I'm not sure if that could have caused some invalid insertions/deletions into iptables.
Probably you may want to consider re-installing the controller and compute nodes with firewalld disabled from the beginning, unless you
have enough time to troubleshoot the problem.

Controller Filter Table:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-linuxbri-INPUT  all  --  anywhere             anywhere            
nova-api-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere            
nova-filter-top  all  --  anywhere             anywhere            
nova-api-FORWARD  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere            
nova-filter-top  all  --  anywhere             anywhere            
nova-api-OUTPUT  all  --  anywhere             anywhere            

Chain neutron-filter-top (2 references)
target     prot opt source               destination         
neutron-linuxbri-local  all  --  anywhere             anywhere            

Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination         

Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination         

Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination         

Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination         

Chain neutron-linuxbri-sg-chain (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain neutron-linuxbri-sg-fallback (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */

Chain nova-api-FORWARD (1 references)
target     prot opt source               destination         

Chain nova-api-INPUT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             controller           tcp dpt:8775

Chain nova-api-OUTPUT (1 references)
target     prot opt source               destination         

Chain nova-api-local (1 references)
target     prot opt source               destination         

Chain nova-filter-top (2 references)
target     prot opt source               destination         
nova-api-local  all  --  anywhere             anywhere  

Compute Filter Table:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-linuxbri-INPUT  all  --  anywhere             anywhere            
nova-compute-INPUT  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-linuxbri-FORWARD  all  --  anywhere             anywhere            
nova-filter-top  all  --  anywhere             anywhere            
nova-compute-FORWARD  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
neutron-filter-top  all  --  anywhere             anywhere            
neutron-linuxbri-OUTPUT  all  --  anywhere             anywhere            
nova-filter-top  all  --  anywhere             anywhere            
nova-compute-OUTPUT  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

Chain neutron-filter-top (2 references)
target     prot opt source               destination         
neutron-linuxbri-local  all  --  anywhere             anywhere            

Chain neutron-linuxbri-FORWARD (1 references)
target     prot opt source               destination         
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tap220f832a-a0 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap220f832a-a0 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tapc2ae9c01-6b --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapc2ae9c01-6b --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tapd0191424-88 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */
neutron-linuxbri-sg-chain  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapd0191424-88 --physdev-is-bridged /* Direct traffic from the VM interface to the security group chain. */

Chain neutron-linuxbri-INPUT (1 references)
target     prot opt source               destination         
neutron-linuxbri-o220f832a-a  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap220f832a-a0 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
neutron-linuxbri-oc2ae9c01-6  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapc2ae9c01-6b --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */
neutron-linuxbri-od0191424-8  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapd0191424-88 --physdev-is-bridged /* Direct incoming traffic from VM to the security group chain. */

Chain neutron-linuxbri-OUTPUT (1 references)
target     prot opt source               destination         

Chain neutron-linuxbri-i220f832a-a (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     udp  --  XXX <internal interface> anywhere             udp spt:bootps udp dpt:bootpc
RETURN     all  --  anywhere             anywhere             match-set NIPv4e4277e54-2e75-421d-a87d- src
RETURN     icmp --  anywhere             anywhere            
RETURN     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-ic2ae9c01-6 (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     udp  --  XXX <internal interface> anywhere             udp spt:bootps udp dpt:bootpc
RETURN     all  --  anywhere             anywhere             match-set NIPv4e4277e54-2e75-421d-a87d- src
RETURN     icmp --  anywhere             anywhere            
RETURN     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-id0191424-8 (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     udp  --  XXX <ip_address>      anywhere             udp spt:bootps udp dpt:bootpc
RETURN     all  --  anywhere             anywhere             match-set NIPv4e4277e54-2e75-421d-a87d- src
RETURN     icmp --  anywhere             anywhere            
RETURN     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-local (1 references)
target     prot opt source               destination         

Chain neutron-linuxbri-o220f832a-a (2 references)
target     prot opt source               destination         
RETURN     udp  --  0.0.0.0              255.255.255.255      udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-s220f832a-a  all  --  anywhere             anywhere            
RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
DROP       udp  --  anywhere             anywhere             udp spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-oc2ae9c01-6 (2 references)
target     prot opt source               destination         
RETURN     udp  --  0.0.0.0              255.255.255.255      udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-sc2ae9c01-6  all  --  anywhere             anywhere            
RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
DROP       udp  --  anywhere             anywhere             udp spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-od0191424-8 (2 references)
target     prot opt source               destination         
RETURN     udp  --  0.0.0.0              255.255.255.255      udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
neutron-linuxbri-sd0191424-8  all  --  anywhere             anywhere            
RETURN     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
DROP       udp  --  anywhere             anywhere             udp spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
RETURN     all  --  anywhere             anywhere             state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-linuxbri-sg-fallback  all  --  anywhere             anywhere             /* Send unmatched traffic to the fallback chain. */

Chain neutron-linuxbri-s220f832a-a (1 references)
target     prot opt source               destination         
RETURN     all  --  XXX <ip address>          anywhere             MAC XX:XX:XX:FF:36:AA /* Allow traffic from defined IP/MAC pairs. */
DROP       all  --  anywhere             anywhere             /* Drop traffic without an IP/MAC allow rule. */

Chain neutron-linuxbri-sc2ae9c01-6 (1 references)
target     prot opt source               destination         
RETURN     all  --  XXX <ip address>           anywhere             MAC XX:XX:XX:88:CA:0C /* Allow traffic from defined IP/MAC pairs. */
DROP       all  --  anywhere             anywhere             /* Drop traffic without an IP/MAC allow rule. */

Chain neutron-linuxbri-sd0191424-8 (1 references)
target     prot opt source               destination         
RETURN     all  --  XXX <ip address>      anywhere             MAC XX:XX:XX:2A:55:AA /* Allow traffic from defined IP/MAC pairs. */
DROP       all  --  anywhere             anywhere             /* Drop traffic without an IP/MAC allow rule. */

Chain neutron-linuxbri-sg-chain (6 references)
target     prot opt source               destination         
neutron-linuxbri-i220f832a-a  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tap220f832a-a0 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-o220f832a-a  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tap220f832a-a0 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-ic2ae9c01-6  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tapc2ae9c01-6b --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-oc2ae9c01-6  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapc2ae9c01-6b --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-id0191424-8  all  --  anywhere             anywhere             PHYSDEV match --physdev-out tapd0191424-88 --physdev-is-bridged /* Jump to the VM specific chain. */
neutron-linuxbri-od0191424-8  all  --  anywhere             anywhere             PHYSDEV match --physdev-in tapd0191424-88 --physdev-is-bridged /* Jump to the VM specific chain. */
ACCEPT     all  --  anywhere             anywhere            

Chain neutron-linuxbri-sg-fallback (6 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             /* Default drop rule for unmatched traffic. */

Chain nova-compute-FORWARD (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain nova-compute-INPUT (1 references)
target     prot opt source               destination         

Chain nova-compute-OUTPUT (1 references)
target     prot opt source               destination         

Chain nova-compute-local (1 references)
target     prot opt source               destination         

Chain nova-filter-top (2 references)
target     prot opt source               destination         
nova-compute-local  all  --  anywhere             anywhere

Regards,
Manjunath


-----Original Message-----
From: Georgios Dimitrakakis [mailto:giorgis at acmac.uoc.gr] 
Sent: Sunday, 19 March, 2017 11:35 PM
To: openstack at lists.openstack.org
Subject: Re: [Openstack] DHCP Request Failed on Ocata

 Any ideas on this?

 Here are my firewall rules on Controller Node:

 #ALLOW ALL Compute Node
 -A INPUT -s $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
 -A OUTPUT -d $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
 -A INPUT -s $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT
 -A OUTPUT -d $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT

 #ALLOW ALL from-to Public Subnet
 -A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
 -A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
 -A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
 -A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT

 After these, more rules follow for SSH (port 22), HTTP (port 80) etc.


 Respectively, on the Compute Node I have


 #ALLOW ALL Controller Node
 -A INPUT -s $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
 -A OUTPUT -d $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
 -A INPUT -s $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT
 -A OUTPUT -d $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT

 #ALLOW ALL from-to Public Subnet
 -A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
 -A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
 -A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
 -A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT


 After these, more rules follow for SSH (port 22), HTTP (port 80) 
 etc.

 where on all the above:
 The $COMPUTE_NODE_IP is the static IP address of the compute node
 The $CONTROLLER_NODE_IP is the static IP address of the controller node
 The $PUBLIC_SUBNET is the subnet for the public IP addresses as defined 
 by my provider


 The above rules are on the top of my IPTABLES files immediately after:

 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT

 while at the very end (after all the rules) I have:

 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT


 Using the above rules I believe that I have an open communication 
 between the Controller, the Compute Node and the VMs.

 Obviously I am missing something...but what???

 Can someone help me or share with me their firewall rules between a 
 controller and a compute node??

 Keeping the firewall disabled solves the problem and all VMs are 
 getting IP addresses without a problem, but this is not desired.

 I really appreciate any help provided since I have been puzzled for quite a 
 few days now with this....


 Regards,


 G.



> I have also disabled completely the "firewalld" service and reverted
> back to "iptables" service but without success.
>
> No matter what I do my instances cannot get a DHCP address unless the
> firewall is "stopped".
>
> I 've tried to add the UDP ports 67-68 on the firewall but without
> success as well.
> What else should I do in order to be able to have "iptables" enabled
> for basic firewall functionality and at the same time my OpenStack
> environment to work without a problem?
>
> Any ideas???
>
> Regards,
>
> G.
>
> On Mon, 13 Mar 2017 19:37:41 -0400, Mohammed Naser wrote:
>> It causes problems for us so we uninstall and disable it on all
>> compute nodes.
>>
>> yum -y remove firewalld
>>
>> Sent from my iPhone
>>
>>> On Mar 13, 2017, at 5:58 PM, Georgios Dimitrakakis 
>>> <giorgis at acmac.uoc.gr> wrote:
>>>
>>> My problem may be due to the "firewalld" service running....
>>>
>>> Has anyone configured OpenStack on CentOS with Firewalld or do you 
>>> suggest to disable it?
>>>
>>> Best,
>>>
>>> G.
>>>
>>>> On Sat, 11 Mar 2017 21:28:51 +0200, Georgios Dimitrakakis wrote:
>>>> Hello!
>>>>
>>>> I am trying to setup a new Ocata installation following the 
>>>> official
>>>> guide but my instances fail to get a DHCP address.
>>>>
>>>> I am using two physical nodes (1x controller and 1x compute) each 
>>>> one
>>>> with two network interfaces.
>>>> Compute node can reach the Controller node via the first interface
>>>> and vice versa.
>>>> As recommended by the manual the second interface is unnumbered.
>>>>
>>>> When I launch an instance I can see using "tcpdump" that the DHCP
>>>> request reaches the second (the unnumbered) interface
>>>> of the compute node but never reaches any other interface either 
>>>> on
>>>> compute or controller node.
>>>>
>>>> Therefore I am wondering how should the instance get an IP 
>>>> address?
>>>> What is the correct path that is followed?
>>>>
>>>> I have tried that using both provider and self-service networks 
>>>> and
>>>> the result is always the same.
>>>>
>>>>
>>>> Looking forward to any directions, recommendations etc.
>>>>
>>>>
>>>> All the best,
>>>>
>>>> G.
>>>>
>>>
>>>
>
>
>
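An added example, written for this archive page and not code from either poster or from OpenStack: a small iptables filter-table simulator that parses iptables-save text of the shape Georgios posted and reports which rule a given packet hits and what verdict it gets. The sample ruleset is constructed: the $COMPUTE_NODE_IP placeholder is replaced by the made-up address 10.0.0.31, the OUTPUT and public-subnet rules are left out for brevity, and an empty neutron-linuxbri-FORWARD chain stands in for the one in the controller dump above. It relies on two things: a DHCPDISCOVER from a freshly booted VM carries source 0.0.0.0 and destination 255.255.255.255 (exactly what the "Allow DHCP client traffic" rule in the compute dump above matches), and with the bridge netfilter sysctls set to 1, as the Neutron linuxbridge install guide requires, frames forwarded across a Linux bridge traverse the iptables FORWARD chain. The Packet and verdict_for names are this example's own.

```python
"""Tiny iptables filter-table simulator (added example, not from this thread). It
models only the matchers the posted rules use: -s -d -p -i --sport --dport --state."""
import ipaddress
import shlex
from collections import namedtuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
ANY_NET, ANY_PORT = ipaddress.ip_network("0.0.0.0/0"), range(0, 65536)

# A packet as the filter table sees it; state is what conntrack would assign.
Packet = namedtuple("Packet", "src dst proto sport dport in_iface state",
                    defaults=(0, 0, "eth1", "NEW"))

_net = lambda v: ipaddress.ip_network(v, strict=False)
_set = lambda v: set(v.split(","))
_ports = lambda v: range(int(v.split(":")[0]), int(v.split(":")[-1]) + 1)  # "67" or "67:68"
PARSERS = {"-s": _net, "-d": _net, "-p": str, "-i": str, "--sport": _ports,
           "--dport": _ports, "--state": _set, "--ctstate": _set}

def parse_rule(line):
    """One '-A CHAIN ...' line -> dict of matchers plus raw text, chain and target."""
    toks = shlex.split(line)
    rule, i = {"raw": line, "chain": toks[1]}, 2
    while i < len(toks):
        opt, val = toks[i], (toks[i + 1] if i + 1 < len(toks) else "")
        if opt == "-j":
            rule["target"] = val
        elif opt in PARSERS:
            rule[opt] = PARSERS[opt](val)
        elif opt not in ("-m", "--reject-with"):  # module loads add no match of their own
            raise ValueError(f"unsupported option {opt!r}: refusing to guess a verdict")
        i += 2
    return rule

def matches(rule, pkt):
    return all((
        rule.get("-p", pkt.proto) == pkt.proto,
        rule.get("-i", pkt.in_iface) == pkt.in_iface,
        ipaddress.ip_address(pkt.src) in rule.get("-s", ANY_NET),
        ipaddress.ip_address(pkt.dst) in rule.get("-d", ANY_NET),
        pkt.sport in rule.get("--sport", ANY_PORT),
        pkt.dport in rule.get("--dport", ANY_PORT),
        pkt.state in (rule.get("--state") or rule.get("--ctstate") or {pkt.state}),
    ))

def parse_rules(text):
    """iptables-save text -> (policy per chain, rules per chain)."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                  # ":INPUT ACCEPT [0:0]" / ":user - [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            rule = parse_rule(line)
            chains.setdefault(rule["chain"], []).append(rule)
    return policies, chains

def evaluate(chain, pkt, policies, chains):
    """Kernel order: first match wins, jumps recurse, a user chain ends in an
    implicit RETURN, a built-in chain in its policy. Returns (verdict, why)."""
    for rule in chains.get(chain, []):
        target = rule.get("target")
        if target is None or not matches(rule, pkt):
            continue
        if target in TERMINAL:
            return target, rule["raw"]
        if target == "RETURN":
            return None, None
        verdict, why = evaluate(target, pkt, policies, chains)
        if verdict is not None:
            return verdict, why
    policy = policies.get(chain)
    return policy, (f"policy of {chain}" if policy else None)

# Constructed sample modelled on the controller ruleset posted in this thread, with
# $COMPUTE_NODE_IP replaced by the made-up 10.0.0.31 and an empty
# neutron-linuxbri-FORWARD chain standing in for the one in the controller dump.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:neutron-linuxbri-FORWARD - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.31/32 -p udp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j neutron-linuxbri-FORWARD
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# A DHCPDISCOVER from a freshly booted VM: no address yet, broadcast destination.
DHCP_DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", sport=68, dport=67)

def verdict_for(rules_text, chain, pkt):
    return evaluate(chain, pkt, *parse_rules(rules_text))

if __name__ == "__main__":
    for chain in ("INPUT", "FORWARD"):
        verdict, why = verdict_for(SAMPLE_RULES, chain, DHCP_DISCOVER)
        print(f"DHCPDISCOVER via {chain}: {verdict}  <- {why}")
```

Run against the sample, the DHCPDISCOVER matches none of the address-keyed allow rules (its source is 0.0.0.0, not a node or public-subnet address) and lands on the trailing catch-all REJECT in both INPUT and FORWARD, while a node-to-node UDP packet from 10.0.0.31 is accepted by the first -s rule. That is the check worth running on a real `iptables-save` before trusting a ruleset: feed it the host's own output and a packet shaped like the traffic that is failing. Two caveats. First, the simulator raises on any option it does not model (negation with `!`, physdev, match-set and the like) rather than silently guessing, so extend PARSERS and matches before reading a verdict off a production dump. Second, note where the Neutron chains sit: in the compute dump above the security-group chain ends in ACCEPT, so VM traffic it admits never reaches rules appended after it, whereas the controller dump shows an empty neutron-linuxbri-FORWARD chain, so bridged traffic on that node is judged entirely by whatever the operator's own FORWARD rules say.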



_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack at lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack