openstack-manuals

Installing the Nova Controller Services in OpenStack Installation Guide for Red Hat Enterprise Linux, CentOS, and Fedora - havana - metapackage is bad

Bug #1241981 reported by Tom Fifield on 2013-10-19

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	openstack-manuals	Fix Released	Critical	Tom Fifield	openstack-manuals havana

Bug Description

using the metapackage on the controller installs networking components that setup the firewall, which prevents the install from working unmodified on centos 6.4 currently

-----------------------------------
Built: 2013-10-19T20:29:06 11:00
git SHA: 72e7b0d2097131cf35e355ee0003ed9cbb1085d5
URL: file:///home/fifieldt/temp/os-doc-fixcentos/doc/install-guide/target/docbkx/webhelp/local/install-guide/install/yum/content/nova-controller.html
source File: file:/home/fifieldt/temp/os-doc-fixcentos/doc/install-guide/section_nova-controller.xml
xml:id: nova-controller

Tags:

Tom Fifield (fifieldt) on 2013-10-23

Changed in openstack-manuals:
status:	New → Confirmed
importance:	Undecided → High
milestone:	none → havana

Andreas Jaeger (jaegerandi) on 2013-11-08

tags:

added: install-guide

Revision history for this message

Lana (loquacity) wrote on 2013-11-11:

#1

Tom: trying to confirm if this and +bug/1245668 are related. Does changing SELinux to permissive fix this issue for you?

Thanks,
Lana

Revision history for this message

Tom Fifield (fifieldt) wrote on 2013-11-11:

#2

Hi Lana,

Thanks for the attention.

In this case, SELinux doesn't change things. Essentially, installing using the metapackage pulls in nova-network, which starts to change the iptables, bridging/routing and dnsmasq configuration. Ideally, this wouldn't happen as nova-network is not needed on the controller, and these changes complicate things - preventing for example the mysql database being accessed by the compute nodes.

Revision history for this message

Tom Fifield (fifieldt) wrote on 2014-01-06:

#3

I have confirmed this bug on scientific linux 6.

The use of the openstack-nvoa metapackage on the controller installs nova-networking components which set up a firewall that prevent access from compute nodes to the qpidd on the controller.

Changed in openstack-manuals:
importance:	High → Critical

Revision history for this message

Matt Kassawara (ionosphere80) wrote on 2014-01-06:

#4

I haven't experienced this problem with SL 6. However, I disable the default restrictive firewall before installing OpenStack. I see the 'openstack-nova-network' package installed and listed as a service in 'chkconfig', but not configured to start on boot. Here's the output from 'iptables -S' on my controller:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N nova-api-FORWARD
-N nova-api-INPUT
-N nova-api-OUTPUT
-N nova-api-local
-N nova-filter-top
-A INPUT -j nova-api-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-INPUT -d 172.24.247.54/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-local

Revision history for this message

Tom Fifield (fifieldt) wrote on 2014-01-07:

#5

OK, so the problem here is not necessarily the firewall manipulation by nova, but the default restrictive firewall in centos/sl/rhel

Tom Fifield (fifieldt) on 2014-01-07

Changed in openstack-manuals:
status:	Confirmed → Triaged

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-01-07: Fix proposed to openstack-manuals (master)

#6

Fix proposed to branch: master
Review: https://review.openstack.org/65187

Changed in openstack-manuals:
assignee:	nobody → Tom Fifield (fifieldt)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-01-07: Fix merged to openstack-manuals (master)

#7

Reviewed: https://review.openstack.org/65187
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=60cfb9879c37d0fe1d5fb7fbb1cce472d32c0ce9
Submitter: Jenkins
Branch: master

commit 60cfb9879c37d0fe1d5fb7fbb1cce472d32c0ce9
Author: Tom Fifield <email address hidden>
Date: Tue Jan 7 09:22:45 2014 +0800

Add a note about restrictive firewall on rhel

    RHEL/Centos/SL has a restrictive firewall by default, which
    if left in an unaltered state prevents compute nodes from
    talking to the controller (and therefore and unsuccessful
    installation)

Since changing this is very basic sysadmin practice, just add
a small warning.

Change-Id: I5d564f612aaa6e7b14892bef79538dd3e387bfc9
Closes-Bug: 1241981

Changed in openstack-manuals:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-24: Fix included in openstack/openstack-manuals 15.0.0

#8

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.