neutron OVS and GRE networking needs firewalld rule added

Bug #1641077 reported by bugproxy
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Nova Compute Proxy Charm | Fix Released | Medium | Unassigned |
Ubuntu on IBM z Systems | Fix Released | Medium | Unassigned |

Bug Description

Juju deployed OpenStack environment with nova-compute-proxy charm managing z/KVM needs to disable firewalld as part of its installation and configuration.

Deploy information:
# juju --version
2.0.1-xenial-s390x

juju deploy cs:~openstack-charmers-next/nova-compute-proxy-3

# cat /etc/system-release
KVM for IBM z Systems release 1.1.3-beta4.3 (Z)

---uname output---
Linux zs93k24 4.4.0-40.60.el7_2.kvmibm1_1_3.2.s390x #1 SMP Tue Oct 18 14:41:51 EDT 2016 s390x s390x s390x GNU/Linux

Machine Type = z13 s390x 2964 (z/KVM)

---Debugger---
A debugger is not configured

---Steps to Reproduce---
1. Deploy neutron networking environment with z/KVM compute node, openvswitch, and GRE, provider and tenant networks.
2. Deploy instance - DHCP requests reach the virtual router, and return offer packets are dropped at the GRE tunnel.
3. Stop firewalld - traffic is okay.

Userspace tool common name: juju

Userspace rpm: firewalld.noarch 0.3.9-14.el7_2.ibm.1 @frobisher

The userspace tool has the following bit modes: 64

Userspace tool obtained from project website: na

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-148508 severity-critical targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → openstack (Ubuntu)
bugproxy (bugproxy)
tags: added: targetmilestone-inin16041
removed: targetmilestone-inin---
Ryan Beisner (1chb1n)
Changed in openstack (Ubuntu):
status: New → Invalid
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2016-11-16 08:51 EDT-------
Rather than stopping firewalld (which is acceptable for a workaround test) the firewall rules should be updated to allow GRE tunneled traffic. For more details please see
https://www.ibm.com/support/knowledgecenter/SSNW54_1.1.2/com.ibm.kvm.v112.admin/GREtunnels.htm

This should be added to the proxy charm.

Kind regards,
Marco (mpavone)

Vance Morris (vmorris)
summary: - neutron OVS and GRE networking needs firewalld stopped
+ neutron OVS and GRE networking needs firewalld rule added
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2016-11-16 10:38 EDT-------
Quite right Marco, thanks for the link.

[root@zs93k24 ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p gre -j ACCEPT
success

I applied this command to the nova compute node and GRE traffic is passing as expected with firewalld running.
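
An added example, not part of the original thread or the charm's code: the rule above accepts GRE from any source, and a narrower variant admits it only from the known tunnel endpoints, applied idempotently to both the runtime and the permanent firewalld configuration. The `FW` override, the function names and the 192.0.2.x peer addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. FW can be overridden for dry runs.
FW="${FW:-firewall-cmd}"

# Accept only dotted-quad IPv4 addresses with octets in 0-255, so nothing
# but an address can reach the iptables argument list.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Make sure "accept GRE from <peer>" exists as a direct rule in both the
# runtime and the permanent configuration. Safe to run repeatedly.
allow_gre_from() {
    peer=$1
    valid_ipv4 "$peer" || { echo "invalid peer address: $peer" >&2; return 2; }
    for scope in "" --permanent; do
        # $scope is left unquoted so the empty (runtime) case disappears.
        if ! $FW $scope --direct --query-rule ipv4 filter INPUT 0 \
                -p gre -s "$peer" -j ACCEPT >/dev/null 2>&1; then
            $FW $scope --direct --add-rule ipv4 filter INPUT 0 \
                -p gre -s "$peer" -j ACCEPT >/dev/null || return 1
        fi
    done
}

# Usage: sh allow-gre-peers.sh 192.0.2.10 192.0.2.11   (constructed peers)
for p in "$@"; do
    allow_gre_from "$p" || exit 1
done
```

A rule added with `--permanent` alone is written to the stored configuration and takes effect at the next `firewall-cmd --reload`, which is why the function adds the runtime rule as well.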

James Page (james-page)
no longer affects: openstack (Ubuntu)
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2016-11-17 10:16 EDT-------
@Canonical: Please add some documentation to the charm at least, or at best
perhaps the proxy charm can add the firewall rule if GRE tunnels are in use.
Please provide which approach Canonical is looking for to close this LP.
Many thanks in advance

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2016-11-22 11:25 EDT-------
*** Bug 148505 has been marked as a duplicate of this bug. ***

Frank Heimes (fheimes)
tags: added: openstack-ibm
Ryan Beisner (1chb1n)
tags: added: s390x uosci
James Page (james-page)
Changed in charm-nova-compute-proxy:
status: New → Triaged
importance: Undecided → Medium
bugproxy (bugproxy)
tags: added: severity-high
removed: severity-critical
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-nova-compute-proxy (master)

Reviewed: https://review.openstack.org/504070
Committed: https://git.openstack.org/cgit/openstack/charm-nova-compute-proxy/commit/?id=8854d867fd9f05acf2527c4256f08dae6bd3db43
Submitter: Jenkins
Branch: master

commit 8854d867fd9f05acf2527c4256f08dae6bd3db43
Author: Andrew McLeod <email address hidden>
Date: Thu Sep 14 16:50:09 2017 +0200

    Allow gre through firewalld with one liner

    Change-Id: I43c47dc1d91db5082f24ebc762590cbf2d3452ab
    Closes-Bug: 1641077

Changed in charm-nova-compute-proxy:
status: Triaged → Fix Committed
Andrew McLeod (admcleod) wrote :

I've implemented a fix and it has been merged, so it's ready for testing externally

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
importance: Undecided → Medium
status: New → Fix Committed
Frank Heimes (fheimes) wrote :

can be set to Fix Released after discussion with IBM

Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Changed in charm-nova-compute-proxy:
status: Fix Committed → Fix Released
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2017-10-16 08:33 EDT-------
IBM Bugzilla status -> closed, Fix Released by Canonical
