Undercloud - masquerades the defaults 192.168.24.0/24 and 10.0.0.0/24 always.

Bug #1794729 reported by Harald Jensås
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Harald Jensås

Bug Description

MasqueradeNetworks: parameter only contains 172.20.x.x networks. But masquerading is still enabled for 10.0.0.0/24 and 192.168.24.0/24. The latter are the defaults in THT/environments/services/masquerade-networks.yaml

We shouldn't always masquerade the defaults.

Chain POSTROUTING (policy ACCEPT 3006K packets, 180M bytes)
 pkts bytes target prot opt in out source destination
    0 0 RETURN all -- any any 10.0.0.0/24 10.0.0.0/24 state NEW,RELATED,ESTABLISHED /* 137 routed_network return 10.0.0.0/24 ipv4 */
2985K 179M RETURN all -- any any 172.20.0.0/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED /* 137 routed_network return 172.20.0.0/26 ipv4 */
    0 0 RETURN all -- any any 172.20.0.128/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED /* 137 routed_network return 172.20.0.128/26 ipv4 */
    0 0 RETURN all -- any any 172.20.0.64/26 172.20.0.0/26 state NEW,RELATED,ESTABLISHED /* 137 routed_network return 172.20.0.64/26 ipv4 */
    0 0 RETURN all -- any any 192.168.24.0/24 192.168.24.0/24 state NEW,RELATED,ESTABLISHED /* 137 routed_network return 192.168.24.0/24 ipv4 */
    0 0 MASQUERADE all -- any any 10.0.0.0/24 anywhere state NEW,RELATED,ESTABLISHED /* 138 routed_network masquerade 10.0.0.0/24 ipv4 */
   49 2860 MASQUERADE all -- any any 172.20.0.0/26 anywhere state NEW,RELATED,ESTABLISHED /* 138 routed_network masquerade 172.20.0.0/26 ipv4 */
    0 0 MASQUERADE all -- any any 172.20.0.128/26 anywhere state NEW,RELATED,ESTABLISHED /* 138 routed_network masquerade 172.20.0.128/26 ipv4 */
    0 0 MASQUERADE all -- any any 172.20.0.64/26 anywhere state NEW,RELATED,ESTABLISHED /* 138 routed_network masquerade 172.20.0.64/26 ipv4 */
    0 0 MASQUERADE all -- any any 192.168.24.0/24 anywhere state NEW,RELATED,ESTABLISHED /* 138 routed_network masquerade 192.168.24.0/24 ipv4 */

(undercloud) [stack@leafs ~]$ cat tripleo-config-generated-env-files/undercloud_parameters.yaml
parameter_defaults:
  CertmongerCA: local
  CloudName: 172.20.0.3
  ContainerImagePrepare:
  - set:
      ceph_image: daemon
      ceph_namespace: docker.io/ceph
      ceph_tag: v3.0.3-stable-3.0-luminous-centos-7-x86_64
      name_prefix: centos-binary-
      name_suffix: ''
      namespace: docker.io/tripleomaster
      neutron_driver: null
      openshift_base_image: origin
      openshift_cockpit_image: kubernetes
      openshift_cockpit_namespace: docker.io/cockpit
      openshift_cockpit_tag: latest
      openshift_etcd_image: etcd
      openshift_etcd_namespace: registry.fedoraproject.org/latest
      openshift_etcd_tag: latest
      openshift_gluster_block_image: glusterblock-provisioner
      openshift_gluster_image: gluster-centos
      openshift_gluster_namespace: docker.io/gluster
      openshift_gluster_tag: latest
      openshift_heketi_image: heketi
      openshift_heketi_namespace: docker.io/heketi
      openshift_heketi_tag: latest
      openshift_namespace: docker.io/openshift
      openshift_tag: v3.9.0
      tag: current-tripleo
    tag_from_label: rdo_version
  ControlPlaneStaticRoutes:
  - ip_netmask: 172.20.0.64/26
    next_hop: 172.20.0.62
  - ip_netmask: 172.20.0.128/26
    next_hop: 172.20.0.62
  Debug: true
  DeploymentUser: stack
  DnsServers: 172.20.0.254
  DockerInsecureRegistryAddress:
  - 172.20.0.1:8787
  - 172.20.0.2:8787
  EnableValidations: true
  IronicAutomatedClean: false
  IronicEnabledBootInterfaces:
  - ilo-pxe
  - pxe
  IronicEnabledHardwareTypes:
  - idrac
  - ilo
  - ipmi
  - redfish
  IronicEnabledManagementInterfaces:
  - fake
  - idrac
  - ilo
  - ipmitool
  - noop
  - redfish
  IronicEnabledPowerInterfaces:
  - fake
  - idrac
  - ilo
  - ipmitool
  - redfish
  IronicEnabledRaidInterfaces:
  - idrac
  - no-raid
  IronicEnabledVendorInterfaces:
  - idrac
  - ipmitool
  - no-vendor
  IronicIPXEEnabled: true
  IronicInspectorCollectors: default,extra-hardware,numa-topology,logs
  IronicInspectorDiscoveryDefaultDriver: ipmi
  IronicInspectorEnableNodeDiscovery: true
  IronicInspectorIPXEEnabled: true
  IronicInspectorInterface: br-ctlplane
  IronicInspectorKernelArgs: ipa-debug=1 ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1
  IronicInspectorSubnets:
  - gateway: 172.20.0.62
    ip_range: 172.20.0.20,172.20.0.29
    netmask: 255.255.255.192
    tag: ctlplane-subnet
  - gateway: 172.20.0.126
    ip_range: 172.20.0.100,172.20.0.109
    netmask: 255.255.255.192
    tag: leaf1
  - gateway: 172.20.0.190
    ip_range: 172.20.0.160,172.20.0.169
    netmask: 255.255.255.192
    tag: leaf2
  LocalContainerRegistry: 172.20.0.1
  MasqueradeNetworks:
    172.20.0.0/26:
    - 172.20.0.0/26
    - 172.20.0.64/26
    - 172.20.0.128/26
    172.20.0.128/26:
    - 172.20.0.0/26
    - 172.20.0.64/26
    - 172.20.0.128/26
    172.20.0.64/26:
    - 172.20.0.0/26
    - 172.20.0.64/26
    - 172.20.0.128/26
  NeutronDnsDomain: localdomain
  NeutronPublicInterface: eth1
  NovaSchedulerMaxAttempts: 3
  NtpServer: 0.se.pool.ntp.org
  SELinuxMode: enforcing
  UndercloudCtlplaneLocalSubnet: ctlplane-subnet
  UndercloudCtlplaneSubnets:
    ctlplane-subnet:
      DhcpRangeEnd: 172.20.0.19
      DhcpRangeStart: 172.20.0.10
      NetworkCidr: 172.20.0.0/26
      NetworkGateway: 172.20.0.62
    leaf1:
      DhcpRangeEnd: 172.20.0.99
      DhcpRangeStart: 172.20.0.90
      NetworkCidr: 172.20.0.64/26
      NetworkGateway: 172.20.0.126
    leaf2:
      DhcpRangeEnd: 172.20.0.159
      DhcpRangeStart: 172.20.0.150
      NetworkCidr: 172.20.0.128/26
      NetworkGateway: 172.20.0.190
  UndercloudEnableRoutedNetworks: true
  UndercloudHomeDir: /home/stack
  UndercloudLocalMtu: 1500
  UpgradeRemoveUnusedPackages: false

summary changed:
- Undercloud - masquerades the defauls 192.168.24.0/24 and 10.0.0.0/24 always.
+ Undercloud - masquerades the defaults 192.168.24.0/24 and 10.0.0.0/24 always.
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-quickstart-extras (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/609830

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-quickstart-extras (master)

Change abandoned by Harald Jensås (<email address hidden>) on branch: master
Review: https://review.openstack.org/609830
Reason: Hm, not sure it's the masquerade rule we want.
Could it be the RETURN rule, to ensure we do not masquerade, i.e. route, but no NAT?

These are the interfaces on the undercloud in OVB job [1]:

    inet 192.168.100.13/22 brd 192.168.103.255 scope global dynamic eth0
    inet 192.168.24.1/24 brd 192.168.24.255 scope global br-ctlplane
    inet 192.168.24.3/32 scope global br-ctlplane
    inet 192.168.24.2/32 scope global br-ctlplane

These are the POSTROUTING rules:

-A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "137 routed_network return 10.0.0.0/24 ipv4" -j RETURN
-A POSTROUTING -s 192.168.24.0/24 -d 192.168.24.0/24 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "137 routed_network return 192.168.24.0/24 ipv4" -j RETURN
-A POSTROUTING -s 10.0.0.0/24 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "138 routed_network masquerade 10.0.0.0/24 ipv4" -j MASQUERADE
-A POSTROUTING -s 192.168.24.0/24 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "138 routed_network masquerade 192.168.24.0/24 ipv4" -j MASQUERADE

 err ... too late. Will have to look again tomorrow.

[1] https://logs.rdoproject.org/57/607557/10/openstack-check/tripleo-ci-centos-7-ovb-3ctlr_1comp-featureset053/befa75a/logs/undercloud/var/log/extra/network.txt.gz
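A way to check this on a live undercloud, as an added example that is neither TripleO nor puppet-tripleo code: parse the POSTROUTING lines of `iptables-save -t nat` (the OVB rules quoted in the comment above are embedded as sample input), compare the MASQUERADE source networks against the MasqueradeNetworks mapping from the bug description, and evaluate a packet first-match to see whether it is routed un-NATed (RETURN) or masqueraded (MASQUERADE). The rule regex, the function names and the "one RETURN per source/destination pair" reading of the mapping are this example's own assumptions; on that reading it also reports configured pairs for which no RETURN rule exists.

```python
"""Audit undercloud MASQUERADE rules against the MasqueradeNetworks mapping.

Added example, not TripleO code. Assumptions:
  - MasqueradeNetworks is a dict {source_cidr: [destination_cidr, ...]} as in
    undercloud_parameters.yaml;
  - the live rules are `iptables-save -t nat` POSTROUTING lines of the form
    shown in the bug; the regex below is ours, not a puppet-tripleo format.
"""
import ipaddress
import re

# Constructed sample: the four POSTROUTING rules from the OVB job in the bug.
SAMPLE_IPTABLES_SAVE = """\
-A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "137 routed_network return 10.0.0.0/24 ipv4" -j RETURN
-A POSTROUTING -s 192.168.24.0/24 -d 192.168.24.0/24 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "137 routed_network return 192.168.24.0/24 ipv4" -j RETURN
-A POSTROUTING -s 10.0.0.0/24 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "138 routed_network masquerade 10.0.0.0/24 ipv4" -j MASQUERADE
-A POSTROUTING -s 192.168.24.0/24 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "138 routed_network masquerade 192.168.24.0/24 ipv4" -j MASQUERADE
"""

# The operator's mapping from the bug description (only 172.20.x.x networks).
BUG_MASQUERADE_NETWORKS = {
    "172.20.0.0/26": ["172.20.0.0/26", "172.20.0.64/26", "172.20.0.128/26"],
    "172.20.0.128/26": ["172.20.0.0/26", "172.20.0.64/26", "172.20.0.128/26"],
    "172.20.0.64/26": ["172.20.0.0/26", "172.20.0.64/26", "172.20.0.128/26"],
}

# Assumed line shape: -A POSTROUTING -s SRC [-d DST] ... -j RETURN|MASQUERADE
RULE_RE = re.compile(
    r"^-A POSTROUTING -s (?P<src>\S+)(?: -d (?P<dst>\S+))?.* -j (?P<target>RETURN|MASQUERADE)$"
)


def parse_postrouting(text):
    """Return [(src_cidr, dst_cidr_or_None, target)] in chain order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group("src"), m.group("dst"), m.group("target")))
    return rules


def unexpected_masquerade(live_rules, masquerade_networks):
    """Source networks masqueraded on the host but absent from the mapping."""
    configured = {ipaddress.ip_network(s) for s in masquerade_networks}
    return sorted({src for src, _dst, tgt in live_rules
                   if tgt == "MASQUERADE" and ipaddress.ip_network(src) not in configured})


def missing_returns(live_rules, masquerade_networks):
    """(src, dst) pairs the mapping lists with no RETURN rule: traffic that the
    mapping says should be routed without NAT but that the chain would masquerade."""
    have = {(s, d) for s, d, t in live_rules if t == "RETURN"}
    return sorted((s, d) for s, dsts in masquerade_networks.items()
                  for d in dsts if (s, d) not in have)


def nat_decision(live_rules, src_ip, dst_ip):
    """First-match evaluation of the parsed POSTROUTING chain for one packet."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src, dst, target in live_rules:
        if s in ipaddress.ip_network(src) and (dst is None or d in ipaddress.ip_network(dst)):
            return target
    return "ACCEPT"  # chain policy: no rule matched, packet is routed as-is


LIVE_RULES = parse_postrouting(SAMPLE_IPTABLES_SAVE)

if __name__ == "__main__":
    print("masqueraded but not configured:", unexpected_masquerade(LIVE_RULES, BUG_MASQUERADE_NETWORKS))
    print("configured pairs without RETURN:", missing_returns(LIVE_RULES, BUG_MASQUERADE_NETWORKS))
    print("192.168.24.5 -> 10.0.0.7:", nat_decision(LIVE_RULES, "192.168.24.5", "10.0.0.7"))
    print("192.168.24.5 -> 192.168.24.9:", nat_decision(LIVE_RULES, "192.168.24.5", "192.168.24.9"))
```

On a real undercloud feed it `sudo iptables-save -t nat` and the MasqueradeNetworks block from undercloud_parameters.yaml; an empty result from `unexpected_masquerade` is the state the fix in tripleo-heat-templates is meant to produce, while the OVB job, which needs the extra masquerading, should list both 192.168.24.0/24 and 10.0.0.0/24 in its mapping so that they are configured rather than silently defaulted.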

Changed in tripleo:
assignee: nobody → Harald Jensås (harald-jensas)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/609845

Changed in tripleo:
milestone: stein-1 → stein-2
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-quickstart-extras (master)

Reviewed: https://review.openstack.org/609830
Committed: https://git.openstack.org/cgit/openstack/tripleo-quickstart-extras/commit/?id=3758dbf364d4f031079b3038be1bc278ef399d99
Submitter: Zuul
Branch: master

commit 3758dbf364d4f031079b3038be1bc278ef399d99
Author: Harald Jensås <email address hidden>
Date: Mon Oct 15 15:15:37 2018 +0200

    OVB - external network masquerading

    Change I4b956e8be92f1b7a71579d04c7e41c20da7ffdfa removes
    the default masquerading in the masquerade-network
    service environment.

    Because OVB jobs use the undercloud as the router for
    the external network, the undercloud must forward and
    masquerade traffic on this network.

    This change uses the hieradata override to add masquerading
    for both the undercloud ctlplane network (192.168.24.0/24)
    as well as the External (10.0.0.0/24) network.

    Related-Bug: #1794729
    Change-Id: I11b325458517334f97fc5f4754b4b39efff3a3f3

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/609845
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=bf72e3636eed44f87408d58788e9411d9ddaced5
Submitter: Zuul
Branch: master

commit bf72e3636eed44f87408d58788e9411d9ddaced5
Author: Harald Jensås <email address hidden>
Date: Thu Oct 11 23:01:01 2018 +0200

    Remove defaults from masquerade-networks service env

    Don't always masquerade these defaults, masquerading
    should only happen to the ctlplane subnets defined
    in undercloud.conf if masquerading is true.

    Closes-Bug: #1794729
    Depends-On: I11b325458517334f97fc5f4754b4b39efff3a3f3
    Change-Id: I4b956e8be92f1b7a71579d04c7e41c20da7ffdfa

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 10.2.0

This issue was fixed in the openstack/tripleo-heat-templates 10.2.0 release.
