[Openstack] DHCP Request Failed on Ocata
Georgios Dimitrakakis
giorgis at acmac.uoc.gr
Mon Mar 20 10:32:04 UTC 2017
Hello and thanks for providing the detailed iptables output.
I don't believe that having initially "firewalld" enabled had any
impact because (to my understanding)
all rules are added when the services are restarted.
So by rebooting the nodes everything should be OK, which it isn't.
Can you tell me if in your "/etc/sysconfig/iptables" you have any other
rules that DROP or REJECT packets?
Best,
G.
On Mon, 20 Mar 2017 03:08:09 +0000, Warad, Manjunath (Nokia - SG)
wrote:
> Here are my filter tables...
> I did a default installation of 1 controller and 1 compute following
> openstack install docs.
>
> I read through that the firewalld was not stopped during
> installation. I'm not sure if that could have caused some invalid
> insertions/deletions into iptables.
> Probably, you may want to consider re-installing controller and
> compute nodes with firewalld disabled in the beginning unless you
> have enough time to troubleshoot the problem.
>
> Controller Filter Table:
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> neutron-linuxbri-INPUT all -- anywhere anywhere
> nova-api-INPUT all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> neutron-filter-top all -- anywhere anywhere
> neutron-linuxbri-FORWARD all -- anywhere anywhere
> nova-filter-top all -- anywhere anywhere
> nova-api-FORWARD all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> neutron-filter-top all -- anywhere anywhere
> neutron-linuxbri-OUTPUT all -- anywhere anywhere
> nova-filter-top all -- anywhere anywhere
> nova-api-OUTPUT all -- anywhere anywhere
>
> Chain neutron-filter-top (2 references)
> target prot opt source destination
> neutron-linuxbri-local all -- anywhere anywhere
>
> Chain neutron-linuxbri-FORWARD (1 references)
> target prot opt source destination
>
> Chain neutron-linuxbri-INPUT (1 references)
> target prot opt source destination
>
> Chain neutron-linuxbri-OUTPUT (1 references)
> target prot opt source destination
>
> Chain neutron-linuxbri-local (1 references)
> target prot opt source destination
>
> Chain neutron-linuxbri-sg-chain (0 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain neutron-linuxbri-sg-fallback (0 references)
> target prot opt source destination
> DROP all -- anywhere anywhere /*
> Default drop rule for unmatched traffic. */
>
> Chain nova-api-FORWARD (1 references)
> target prot opt source destination
>
> Chain nova-api-INPUT (1 references)
> target prot opt source destination
> ACCEPT tcp -- anywhere controller tcp
> dpt:8775
>
> Chain nova-api-OUTPUT (1 references)
> target prot opt source destination
>
> Chain nova-api-local (1 references)
> target prot opt source destination
>
> Chain nova-filter-top (2 references)
> target prot opt source destination
> nova-api-local all -- anywhere anywhere
>
> Compute Filter Table:
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> neutron-linuxbri-INPUT all -- anywhere anywhere
> nova-compute-INPUT all -- anywhere anywhere
> ACCEPT udp -- anywhere anywhere udp
> dpt:domain
> ACCEPT tcp -- anywhere anywhere tcp
> dpt:domain
> ACCEPT udp -- anywhere anywhere udp
> dpt:bootps
> ACCEPT tcp -- anywhere anywhere tcp
> dpt:bootps
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> neutron-filter-top all -- anywhere anywhere
> neutron-linuxbri-FORWARD all -- anywhere anywhere
> nova-filter-top all -- anywhere anywhere
> nova-compute-FORWARD all -- anywhere anywhere
> ACCEPT all -- anywhere 192.168.122.0/24 ctstate
> RELATED,ESTABLISHED
> ACCEPT all -- 192.168.122.0/24 anywhere
> ACCEPT all -- anywhere anywhere
> REJECT all -- anywhere anywhere
> reject-with icmp-port-unreachable
> REJECT all -- anywhere anywhere
> reject-with icmp-port-unreachable
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> neutron-filter-top all -- anywhere anywhere
> neutron-linuxbri-OUTPUT all -- anywhere anywhere
> nova-filter-top all -- anywhere anywhere
> nova-compute-OUTPUT all -- anywhere anywhere
> ACCEPT udp -- anywhere anywhere udp
> dpt:bootpc
>
> Chain neutron-filter-top (2 references)
> target prot opt source destination
> neutron-linuxbri-local all -- anywhere anywhere
>
> Chain neutron-linuxbri-FORWARD (1 references)
> target prot opt source destination
> neutron-linuxbri-sg-chain all -- anywhere anywhere
> PHYSDEV match --physdev-out tap220f832a-a0
> --physdev-is-bridged /* Direct traffic from the VM interface to the
> security group chain. */
> neutron-linuxbri-sg-chain all -- anywhere anywhere
> PHYSDEV match --physdev-in tap220f832a-a0 --physdev-is-bridged
> /* Direct traffic from the VM interface to the security group chain.
> */
> neutron-linuxbri-sg-chain all -- anywhere anywhere
> PHYSDEV match --physdev-out tapc2ae9c01-6b
> --physdev-is-bridged /* Direct traffic from the VM interface to the
> security group chain. */
> neutron-linuxbri-sg-chain all -- anywhere anywhere
> PHYSDEV match --physdev-in tapc2ae9c01-6b --physdev-is-bridged
> /* Direct traffic from the VM interface to the security group chain.
> */
> neutron-linuxbri-sg-chain all -- anywhere anywhere
> PHYSDEV match --physdev-out tapd0191424-88
> --physdev-is-bridged /* Direct traffic from the VM interface to the
> security group chain. */
> neutron-linuxbri-sg-chain all -- anywhere anywhere
> PHYSDEV match --physdev-in tapd0191424-88 --physdev-is-bridged
> /* Direct traffic from the VM interface to the security group chain.
> */
>
> Chain neutron-linuxbri-INPUT (1 references)
> target prot opt source destination
> neutron-linuxbri-o220f832a-a all -- anywhere anywhere
> PHYSDEV match --physdev-in tap220f832a-a0
> --physdev-is-bridged /* Direct incoming traffic from VM to the
> security group chain. */
> neutron-linuxbri-oc2ae9c01-6 all -- anywhere anywhere
> PHYSDEV match --physdev-in tapc2ae9c01-6b
> --physdev-is-bridged /* Direct incoming traffic from VM to the
> security group chain. */
> neutron-linuxbri-od0191424-8 all -- anywhere anywhere
> PHYSDEV match --physdev-in tapd0191424-88
> --physdev-is-bridged /* Direct incoming traffic from VM to the
> security group chain. */
>
> Chain neutron-linuxbri-OUTPUT (1 references)
> target prot opt source destination
>
> Chain neutron-linuxbri-i220f832a-a (1 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere state
> RELATED,ESTABLISHED /* Direct packets associated with a known session
> to the RETURN chain. */
> RETURN udp -- XXX <internal interface> anywhere udp
> spt:bootps udp dpt:bootpc
> RETURN all -- anywhere anywhere
> match-set NIPv4e4277e54-2e75-421d-a87d- src
> RETURN icmp -- anywhere anywhere
> RETURN tcp -- anywhere anywhere tcp
> dpt:ssh
> DROP all -- anywhere anywhere state
> INVALID /* Drop packets that appear related to an existing connection
> (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
> neutron-linuxbri-sg-fallback all -- anywhere anywhere
> /* Send unmatched traffic to the fallback chain. */
>
> Chain neutron-linuxbri-ic2ae9c01-6 (1 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere state
> RELATED,ESTABLISHED /* Direct packets associated with a known session
> to the RETURN chain. */
> RETURN udp -- XXX <internal interface> anywhere udp
> spt:bootps udp dpt:bootpc
> RETURN all -- anywhere anywhere
> match-set NIPv4e4277e54-2e75-421d-a87d- src
> RETURN icmp -- anywhere anywhere
> RETURN tcp -- anywhere anywhere tcp
> dpt:ssh
> DROP all -- anywhere anywhere state
> INVALID /* Drop packets that appear related to an existing connection
> (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
> neutron-linuxbri-sg-fallback all -- anywhere anywhere
> /* Send unmatched traffic to the fallback chain. */
>
> Chain neutron-linuxbri-id0191424-8 (1 references)
> target prot opt source destination
> RETURN all -- anywhere anywhere state
> RELATED,ESTABLISHED /* Direct packets associated with a known session
> to the RETURN chain. */
> RETURN udp -- XXX <ip_address> anywhere udp
> spt:bootps udp dpt:bootpc
> RETURN all -- anywhere anywhere
> match-set NIPv4e4277e54-2e75-421d-a87d- src
> RETURN icmp -- anywhere anywhere
> RETURN tcp -- anywhere anywhere tcp
> dpt:ssh
> DROP all -- anywhere anywhere state
> INVALID /* Drop packets that appear related to an existing connection
> (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
> neutron-linuxbri-sg-fallback all -- anywhere anywhere
> /* Send unmatched traffic to the fallback chain. */
>
> Chain neutron-linuxbri-local (1 references)
> target prot opt source destination
>
> Chain neutron-linuxbri-o220f832a-a (2 references)
> target prot opt source destination
> RETURN udp -- 0.0.0.0 255.255.255.255 udp
> spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
> neutron-linuxbri-s220f832a-a all -- anywhere anywhere
>
> RETURN udp -- anywhere anywhere udp
> spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
> DROP udp -- anywhere anywhere udp
> spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
> RETURN all -- anywhere anywhere state
> RELATED,ESTABLISHED /* Direct packets associated with a known session
> to the RETURN chain. */
> RETURN all -- anywhere anywhere
> DROP all -- anywhere anywhere state
> INVALID /* Drop packets that appear related to an existing connection
> (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
> neutron-linuxbri-sg-fallback all -- anywhere anywhere
> /* Send unmatched traffic to the fallback chain. */
>
> Chain neutron-linuxbri-oc2ae9c01-6 (2 references)
> target prot opt source destination
> RETURN udp -- 0.0.0.0 255.255.255.255 udp
> spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
> neutron-linuxbri-sc2ae9c01-6 all -- anywhere anywhere
>
> RETURN udp -- anywhere anywhere udp
> spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
> DROP udp -- anywhere anywhere udp
> spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
> RETURN all -- anywhere anywhere state
> RELATED,ESTABLISHED /* Direct packets associated with a known session
> to the RETURN chain. */
> RETURN all -- anywhere anywhere
> DROP all -- anywhere anywhere state
> INVALID /* Drop packets that appear related to an existing connection
> (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
> neutron-linuxbri-sg-fallback all -- anywhere anywhere
> /* Send unmatched traffic to the fallback chain. */
>
> Chain neutron-linuxbri-od0191424-8 (2 references)
> target prot opt source destination
> RETURN udp -- 0.0.0.0 255.255.255.255 udp
> spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
> neutron-linuxbri-sd0191424-8 all -- anywhere anywhere
>
> RETURN udp -- anywhere anywhere udp
> spt:bootpc dpt:bootps /* Allow DHCP client traffic. */
> DROP udp -- anywhere anywhere udp
> spt:bootps udp dpt:bootpc /* Prevent DHCP Spoofing by VM. */
> RETURN all -- anywhere anywhere state
> RELATED,ESTABLISHED /* Direct packets associated with a known session
> to the RETURN chain. */
> RETURN all -- anywhere anywhere
> DROP all -- anywhere anywhere state
> INVALID /* Drop packets that appear related to an existing connection
> (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
> neutron-linuxbri-sg-fallback all -- anywhere anywhere
> /* Send unmatched traffic to the fallback chain. */
>
> Chain neutron-linuxbri-s220f832a-a (1 references)
> target prot opt source destination
> RETURN all -- XXX <ip address> anywhere
> MAC XX:XX:XX:FF:36:AA /* Allow traffic from defined IP/MAC pairs. */
> DROP all -- anywhere anywhere /* Drop
> traffic without an IP/MAC allow rule. */
>
> Chain neutron-linuxbri-sc2ae9c01-6 (1 references)
> target prot opt source destination
> RETURN all -- XXX <ip address> anywhere
> MAC XX:XX:XX:88:CA:0C /* Allow traffic from defined IP/MAC pairs. */
> DROP all -- anywhere anywhere /* Drop
> traffic without an IP/MAC allow rule. */
>
> Chain neutron-linuxbri-sd0191424-8 (1 references)
> target prot opt source destination
> RETURN all -- XXX <ip address> anywhere MAC
> XX:XX:XX:2A:55:AA /* Allow traffic from defined IP/MAC pairs. */
> DROP all -- anywhere anywhere /* Drop
> traffic without an IP/MAC allow rule. */
>
> Chain neutron-linuxbri-sg-chain (6 references)
> target prot opt source destination
> neutron-linuxbri-i220f832a-a all -- anywhere anywhere
> PHYSDEV match --physdev-out tap220f832a-a0
> --physdev-is-bridged /* Jump to the VM specific chain. */
> neutron-linuxbri-o220f832a-a all -- anywhere anywhere
> PHYSDEV match --physdev-in tap220f832a-a0
> --physdev-is-bridged /* Jump to the VM specific chain. */
> neutron-linuxbri-ic2ae9c01-6 all -- anywhere anywhere
> PHYSDEV match --physdev-out tapc2ae9c01-6b
> --physdev-is-bridged /* Jump to the VM specific chain. */
> neutron-linuxbri-oc2ae9c01-6 all -- anywhere anywhere
> PHYSDEV match --physdev-in tapc2ae9c01-6b
> --physdev-is-bridged /* Jump to the VM specific chain. */
> neutron-linuxbri-id0191424-8 all -- anywhere anywhere
> PHYSDEV match --physdev-out tapd0191424-88
> --physdev-is-bridged /* Jump to the VM specific chain. */
> neutron-linuxbri-od0191424-8 all -- anywhere anywhere
> PHYSDEV match --physdev-in tapd0191424-88
> --physdev-is-bridged /* Jump to the VM specific chain. */
> ACCEPT all -- anywhere anywhere
>
> Chain neutron-linuxbri-sg-fallback (6 references)
> target prot opt source destination
> DROP all -- anywhere anywhere /*
> Default drop rule for unmatched traffic. */
>
> Chain nova-compute-FORWARD (1 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> DROP all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> DROP all -- anywhere anywhere
>
> Chain nova-compute-INPUT (1 references)
> target prot opt source destination
>
> Chain nova-compute-OUTPUT (1 references)
> target prot opt source destination
>
> Chain nova-compute-local (1 references)
> target prot opt source destination
>
> Chain nova-filter-top (2 references)
> target prot opt source destination
> nova-compute-local all -- anywhere anywhere
>
> Regards,
> Manjunath
>
>
> -----Original Message-----
> From: Georgios Dimitrakakis [mailto:giorgis at acmac.uoc.gr]
> Sent: Sunday, 19 March, 2017 11:35 PM
> To: openstack at lists.openstack.org
> Subject: Re: [Openstack] DHCP Request Failed on Ocata
>
> Any ideas on this?
>
> Here are my firewall rules on Controller Node:
>
> #ALLOW ALL Compute Node
> -A INPUT -s $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
> -A OUTPUT -d $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
> -A INPUT -s $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT
> -A OUTPUT -d $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT
>
> #ALLOW ALL from-to Public Subnet
> -A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
> -A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
> -A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
> -A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
>
> After these, more rules follow for SSH (port 22), HTTP (port
> 80) etc.
>
>
> Respectively on Compute Node I have
>
>
> #ALLOW ALL Controller Node
> -A INPUT -s $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
> -A OUTPUT -d $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
> -A INPUT -s $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT
> -A OUTPUT -d $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT
>
> #ALLOW ALL from-to Public Subnet
> -A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
> -A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
> -A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
> -A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
>
>
> After these, more rules follow for SSH (port 22), HTTP (port
> 80)
> etc.
>
> where on all the above:
> The $COMPUTE_NODE_IP is the static IP address of the compute node
> The $CONTROLLER_NODE_IP is the static IP address of the controller
> node
> The $PUBLIC_SUBNET is the subnet for the public IP addresses as
> defined
> by my provider
>
>
> The above rules are on the top of my IPTABLES files immediately
> after:
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
>
> while at the very end (after all the rules) I have:
>
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
>
> Using the above rules I believe that I have an open communication
> between the Controller, the Compute Node and the VMs.
>
> Obviously I am missing something...but what???
>
> Can someone help me or share with me their firewall rules between a
> controller and a compute node??
>
> Keeping the firewall disabled solves the problem and all VMs are
> getting IP addresses without a problem, but this is not desired.
>
> I really appreciate any help provided since I am puzzled for quite a
> few days now with this....
>
>
> Regards,
>
>
> G.
>
>
>
>> I have also disabled completely the "firewalld" service and reverted
>> back to "iptables" service but without success.
>>
>> No matter what I do my instances cannot get a DHCP address unless
>> the
>> firewall is "stopped".
>>
>> I've tried to add the UDP ports 67-68 on the firewall but without
>> success as well.
>> What else should I do in order to be able to have "iptables" enabled
>> for basic firewall functionality and at the same time my OpenStack
>> environment to work without a problem?
>>
>> Any ideas???
>>
>> Regards,
>>
>> G.
>>
>> On Mon, 13 Mar 2017 19:37:41 -0400, Mohammed Naser wrote:
>>> It causes problems for us so we uninstall and disable it on all
>>> compute nodes.
>>>
>>> yum -y remove firewalld
>>>
>>> Sent from my iPhone
>>>
>>>> On Mar 13, 2017, at 5:58 PM, Georgios Dimitrakakis
>>>> <giorgis at acmac.uoc.gr> wrote:
>>>>
>>>> My problem may be due to the "firewalld" service running....
>>>>
>>>> Has anyone configured OpenStack on CentOS with Firewalld or do you
>>>> suggest to disable it?
>>>>
>>>> Best,
>>>>
>>>> G.
>>>>
>>>>> On Sat, 11 Mar 2017 21:28:51 +0200, Georgios Dimitrakakis wrote:
>>>>> Hello!
>>>>>
>>>>> I am trying to setup a new Ocata installation following the
>>>>> official
>>>>> guide but my instances fail to get a DHCP address.
>>>>>
>>>>> I am using two physical nodes (1x controller and 1x compute) each
>>>>> one
>>>>> with two network interfaces.
>>>>> Compute node can reach the Controller node via the first
>>>>> interface
>>>>> and vice versa.
>>>>> As recommended by the manual the second interface is unnumbered.
>>>>>
>>>>> When I launch an instance I can see using "tcpdump" that the DHCP
>>>>> request reaches the second (the unnumbered) interface
>>>>> of the compute node but never reaches any other interface either
>>>>> on
>>>>> compute or controller node.
>>>>>
>>>>> Therefore I am wondering how should the instance get an IP
>>>>> address?
>>>>> What is the correct path that is followed?
>>>>>
>>>>> I have tried that using both provider and self-service networks
>>>>> and
>>>>> the result is always the same.
>>>>>
>>>>>
>>>>> Looking forward to any directions, recommendations etc.
>>>>>
>>>>>
>>>>> All the best,
>>>>>
>>>>> G.
>>>>>
>>>>> _______________________________________________
>>>>> Mailing list:
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>> Post to : openstack at lists.openstack.org
>>>>> Unsubscribe :
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>>
>>>>
>>
>>
>>
>
>
>
--
Dr. Dimitrakakis Georgios
Networks and Systems Administrator
Archimedes Center for Modeling, Analysis & Computation (ACMAC)
School of Sciences and Engineering
University of Crete
P.O. Box 2208
710 - 03 Heraklion
Crete, Greece
Tel: +30 2810 393717
Fax: +30 2810 393660
E-mail: giorgis at acmac.uoc.gr
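The controller rules quoted in this thread end the FORWARD chain with a catch-all REJECT. With the Linux bridge agent and net.bridge.bridge-nf-call-iptables=1 (the Ocata install guide has you set it), frames bridged between a tap device and the physical interface are evaluated in the FORWARD chain, so an ACCEPT added only to INPUT never reaches them. The script below is an added example, not code from anyone in this thread: it reconstructs the posted controller rules with constructed values in place of $COMPUTE_NODE_IP and $PUBLIC_SUBNET, and runs a VM's DHCPDISCOVER through FORWARD three times: as posted, with a port 67/68 accept in INPUT only, and with an accept placed in FORWARD ahead of the REJECT (a hypothetical fix for illustration, not something the thread settles on).

```python
"""Minimal iptables filter-chain evaluator (added example, not code from the thread).

It models only the iptables-save subset the thread's rules use: -A, -s, -d, -p,
--sport/--dport, -i, -m state --state, and -j to ACCEPT/DROP/REJECT/RETURN or a
user chain. With bridge-nf-call-iptables=1 a bridged frame is judged in FORWARD,
so the FORWARD rules, not INPUT, decide whether a VM's DHCP request survives.
"""
import ipaddress
import shlex

# Placeholders as the author wrote them; the addresses are constructed for the example.
COMPUTE_NODE_IP = "10.0.0.31"    # constructed
PUBLIC_SUBNET = "203.0.113.0"    # constructed (TEST-NET-3)

# Controller-node rules reconstructed from the thread, in iptables-save order.
CONTROLLER_RULES = f"""
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s {COMPUTE_NODE_IP}/32 -p udp -j ACCEPT
-A OUTPUT -d {COMPUTE_NODE_IP}/32 -p udp -j ACCEPT
-A INPUT -s {COMPUTE_NODE_IP}/32 -p tcp -j ACCEPT
-A OUTPUT -d {COMPUTE_NODE_IP}/32 -p tcp -j ACCEPT
-A INPUT -s {PUBLIC_SUBNET}/29 -p udp -j ACCEPT
-A OUTPUT -d {PUBLIC_SUBNET}/29 -p udp -j ACCEPT
-A INPUT -s {PUBLIC_SUBNET}/29 -p tcp -j ACCEPT
-A OUTPUT -d {PUBLIC_SUBNET}/29 -p tcp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""

# What the thread says was tried: opening the DHCP ports in INPUT only (constructed rule).
DHCP_INPUT_ONLY = "-A INPUT -p udp --dport 67:68 -j ACCEPT\n"

# Hypothetical fix for illustration (an assumption, not the thread's advice):
# accept the DHCP exchange in FORWARD ahead of the catch-all REJECT.
DHCP_FORWARD_ACCEPT = """
-A FORWARD -p udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -p udp --sport 67 --dport 68 -j ACCEPT
"""

# A DHCPDISCOVER as a VM emits it (constructed): no address yet, broadcast destination.
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255",
                 "sport": 68, "dport": 67, "state": "NEW", "in": "brqexample"}

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
VALUE_OPTS = ("-s", "-d", "-p", "--sport", "--dport", "-i", "--state", "-j", "--reject-with")


def parse(save_text):
    """Return {chain: [rule, ...]} from iptables-save style '-A' lines."""
    chains = {}
    for line in save_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue
        rule, i = {}, 2
        while i < len(tok):
            if tok[i] in VALUE_OPTS:
                rule[tok[i]] = tok[i + 1]
                i += 2
            elif tok[i] == "-m":
                i += 2          # match module name; its options follow and are handled above
            else:
                i += 1          # option this model does not understand: ignored, not matched
        chains.setdefault(tok[1], []).append(rule)
    return chains


def _port_ok(spec, port):
    lo, _, hi = spec.partition(":")            # "67" or a range such as "67:68"
    return int(lo) <= port <= int(hi or lo)


def matches(rule, pkt):
    """True when every match the rule carries agrees with the packet."""
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "-i" in rule and rule["-i"] != pkt["in"]:
        return False
    for opt, key in (("-s", "src"), ("-d", "dst")):
        if opt in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[opt], strict=False):
            return False
    for opt, key in (("--sport", "sport"), ("--dport", "dport")):
        if opt in rule and not _port_ok(rule[opt], pkt[key]):
            return False
    if "--state" in rule and pkt["state"] not in rule["--state"].split(","):
        return False
    return True


def evaluate(chains, chain, pkt, policy="ACCEPT"):
    """Walk a chain as the kernel does: the first matching terminal target wins, RETURN
    (or falling off the end of a user chain) hands control back to the caller, and a
    built-in chain with no match ends at its policy."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule.get("-j")
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target in chains:                       # jump into a user-defined chain
            verdict = evaluate(chains, target, pkt, policy=None)
            if verdict is not None:
                return verdict
    return policy


def verdict_as_posted():
    """FORWARD verdict for a VM DHCPDISCOVER under the controller rules from the thread."""
    return evaluate(parse(CONTROLLER_RULES), "FORWARD", DHCP_DISCOVER)


def verdict_with_input_only_accept():
    """Same, after opening 67/68 in INPUT only: a bridged frame never visits INPUT."""
    return evaluate(parse(DHCP_INPUT_ONLY + CONTROLLER_RULES), "FORWARD", DHCP_DISCOVER)


def verdict_with_forward_accept():
    """Same, with the hypothetical FORWARD accept placed before the catch-all REJECT."""
    return evaluate(parse(DHCP_FORWARD_ACCEPT + CONTROLLER_RULES), "FORWARD", DHCP_DISCOVER)


if __name__ == "__main__":
    for name, fn in (("as posted", verdict_as_posted),
                     ("INPUT-only accept", verdict_with_input_only_accept),
                     ("FORWARD accept", verdict_with_forward_accept)):
        print(f"{name:>18}: FORWARD -> {fn()}")
```

Run it with python3 to see the three verdicts. The evaluator understands only the matches the thread's rules use, so anything else in a real iptables-save dump is ignored rather than modelled; and the FORWARD reasoning only holds while bridge-nf-call-iptables is 1 on the node in question, so check that sysctl on both controller and compute before drawing conclusions from a dump.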