Installing the Nova Controller Services in OpenStack Installation Guide for Red Hat Enterprise Linux, CentOS, and Fedora - havana - metapackage is bad

Bug #1241981 reported by Tom Fifield
Affects: openstack-manuals
Status: Fix Released
Importance: Critical
Assigned to: Tom Fifield

Bug Description

Using the metapackage on the controller installs networking components that set up the firewall, which prevents the install from working unmodified on CentOS 6.4 currently.

-----------------------------------
Built: 2013-10-19T20:29:06 11:00
git SHA: 72e7b0d2097131cf35e355ee0003ed9cbb1085d5
URL: file:///home/fifieldt/temp/os-doc-fixcentos/doc/install-guide/target/docbkx/webhelp/local/install-guide/install/yum/content/nova-controller.html
source File: file:/home/fifieldt/temp/os-doc-fixcentos/doc/install-guide/section_nova-controller.xml
xml:id: nova-controller

Tom Fifield (fifieldt)
Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → High
milestone: none → havana
tags: added: install-guide
Lana (loquacity) wrote :

Tom: trying to confirm if this and +bug/1245668 are related. Does changing SELinux to permissive fix this issue for you?

Thanks,
Lana

Tom Fifield (fifieldt) wrote :

Hi Lana,

Thanks for the attention.

In this case, SELinux doesn't change things. Essentially, installing using the metapackage pulls in nova-network, which starts to change the iptables, bridging/routing and dnsmasq configuration. Ideally, this wouldn't happen as nova-network is not needed on the controller, and these changes complicate things - preventing for example the mysql database being accessed by the compute nodes.

Tom Fifield (fifieldt) wrote :

I have confirmed this bug on scientific linux 6.

The use of the openstack-nova metapackage on the controller installs nova-networking components which set up a firewall that prevents access from compute nodes to the qpidd on the controller.

Changed in openstack-manuals:
importance: High → Critical
Matt Kassawara (ionosphere80) wrote :

I haven't experienced this problem with SL 6. However, I disable the default restrictive firewall before installing OpenStack. I see the 'openstack-nova-network' package installed and listed as a service in 'chkconfig', but not configured to start on boot. Here's the output from 'iptables -S' on my controller:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N nova-api-FORWARD
-N nova-api-INPUT
-N nova-api-OUTPUT
-N nova-api-local
-N nova-filter-top
-A INPUT -j nova-api-INPUT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -j nova-filter-top
-A FORWARD -j nova-api-FORWARD
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j nova-filter-top
-A OUTPUT -j nova-api-OUTPUT
-A nova-api-INPUT -d 172.24.247.54/32 -p tcp -m tcp --dport 8775 -j ACCEPT
-A nova-filter-top -j nova-api-local

Tom Fifield (fifieldt) wrote :

OK, so the problem here is not necessarily the firewall manipulation by nova, but the default restrictive firewall in CentOS/SL/RHEL.
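
A check for the condition the thread converges on, as an added example (not code from the bug report or from OpenStack): it evaluates `iptables -S` output for a new TCP connection from a compute node to the controller's MySQL (3306) and qpidd (5672) default ports. The restrictive ruleset, the `eth0` interface name and all function names are assumptions made for illustration, and the evaluator handles only the match options that appear in the samples.

```python
import ipaddress
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Constructed sample modelled on a restrictive EL6-style default (not from the thread).
RESTRICTIVE = """-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited"""
# INPUT-path lines taken from the `iptables -S` output quoted in the thread.
OPEN = """-P INPUT ACCEPT
-N nova-api-INPUT
-A INPUT -j nova-api-INPUT
-A nova-api-INPUT -d 172.24.247.54/32 -p tcp -m tcp --dport 8775 -j ACCEPT"""

def parse(text):
    """Return (policies, chains); assumes no "!" negation or value-less flags."""
    policy, chains = {}, {}
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "-P":
            policy[tok[1]] = tok[2]
        elif tok[0] == "-A":  # pair each option with the value that follows it
            chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return policy, chains

def matches(o, pkt):
    """Does a NEW inbound TCP packet satisfy every match on this rule?"""
    lo, _, hi = o.get("--dport", str(pkt["dport"])).partition(":")
    return (o.get("-p", "tcp") in ("tcp", "all")
            and o.get("-i", pkt["iface"]) == pkt["iface"]
            and "NEW" in o.get("--state", "NEW").split(",")
            and int(lo) <= pkt["dport"] <= int(hi or lo)
            and ipaddress.ip_address(pkt["dst"])
            in ipaddress.ip_network(o.get("-d", "0.0.0.0/0"), strict=False))

def verdict(policy, chains, pkt, chain="INPUT"):
    """First terminal target wins; a user chain with no verdict returns None."""
    for o in chains.get(chain, []):
        if not matches(o, pkt):
            continue
        target = o.get("-j")
        if target in chains:  # jump into a user-defined chain
            target = verdict(policy, chains, pkt, target)
        if target in TERMINAL:
            return target
    return policy.get(chain)

def controller_reachable(rules, port, dst="172.24.247.54"):
    """Verdict for a compute node's new TCP connection to `port` (eth0 assumed)."""
    return verdict(*parse(rules), {"iface": "eth0", "dport": port, "dst": dst})
```

Feeding it the controller's real `iptables -S` output before starting the compute nodes shows whether the database and message broker ports fall through to a catch-all REJECT.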

Tom Fifield (fifieldt)
Changed in openstack-manuals:
status: Confirmed → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/65187

Changed in openstack-manuals:
assignee: nobody → Tom Fifield (fifieldt)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/65187
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=60cfb9879c37d0fe1d5fb7fbb1cce472d32c0ce9
Submitter: Jenkins
Branch: master

commit 60cfb9879c37d0fe1d5fb7fbb1cce472d32c0ce9
Author: Tom Fifield <email address hidden>
Date: Tue Jan 7 09:22:45 2014 +0800

    Add a note about restrictive firewall on rhel

    RHEL/Centos/SL has a restrictive firewall by default, which
    if left in an unaltered state prevents compute nodes from
    talking to the controller (and therefore an unsuccessful
    installation)

    Since changing this is very basic sysadmin practice, just add
    a small warning.

    Change-Id: I5d564f612aaa6e7b14892bef79538dd3e387bfc9
    Closes-Bug: 1241981

Changed in openstack-manuals:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-manuals 15.0.0

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.
