Multinode setups with CentOS 8 won't work due to traffic being blocked

Bug #1898065 reported by Daniel Alvarez
Affects: devstack | Status: Expired | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Right now, if we deploy a multinode setup with devstack, we'll see that the traffic between nodes is going to be dropped.

The reason is the default iptables rules added by iptables-service, which is enabled here [0].

After we do this, the following rules are installed in the INPUT chain:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   10 664 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 ACCEPT icmp -- any any anywhere anywhere
    0 0 ACCEPT all -- lo any anywhere anywhere
    0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
    0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited

The last REJECT rule will prevent services from communicating across hosts, so we must disable this.

For reference, this is the default firewall configuration on a CentOS8 machine:

$ sudo cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

[0] https://opendev.org/openstack/devstack/src/branch/master/tools/fixup_stuff.sh#L132-L135
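The two ways out of the situation described in the report are either to drop the catch-all REJECT rules, or to keep them and insert an ACCEPT for the lab network ahead of the INPUT REJECT (iptables evaluates rules top to bottom, so only the position matters). The script below is an added example, not code from the bug report or from devstack's fixup_stuff.sh, and it does not claim to be the fix that was proposed in review 755554. It works on a ruleset in iptables-save format read from stdin, so it can be tried offline; the embedded ruleset is a constructed copy of the CentOS 8 default shown above, and the CIDR 10.0.0.0/24 is an arbitrary placeholder for the node-to-node network.

```shell
#!/bin/sh
# Constructed sample: the default CentOS 8 /etc/sysconfig/iptables shown in the
# report, in the format iptables-save writes and iptables-restore reads.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Count the catch-all REJECT rules (INPUT and FORWARD) in a ruleset on stdin.
# Always exits 0 so it is safe inside $(...) under "set -e".
count_catchall_reject() {
    grep -c -E '^-A (INPUT|FORWARD) -j REJECT --reject-with icmp-host-prohibited$' || true
}

# Option 1 (blunt): remove the catch-all REJECT rules altogether. Every other
# rule, including the chain policies, is passed through unchanged.
strip_catchall_reject() {
    grep -v -E '^-A (INPUT|FORWARD) -j REJECT --reject-with icmp-host-prohibited$'
}

# Option 2 (narrower): keep the catch-all REJECT but accept traffic from the
# node network given as $1 (a CIDR) by inserting an ACCEPT immediately before
# the first INPUT REJECT rule. Anything after the REJECT would never be hit.
allow_cidr_before_reject() {
    awk -v cidr="$1" '
        /^-A INPUT -j REJECT/ && !done {
            printf "-A INPUT -s %s -j ACCEPT\n", cidr
            done = 1
        }
        { print }
    '
}

# 1-based line number of the first stdin line matching regex $1, or nothing.
line_of() {
    awk -v pat="$1" '$0 ~ pat { print NR; exit }'
}

# Demo: print the ruleset with the lab network allowed. On a real node the
# output would go to "sudo iptables-restore"; the one-off equivalent is
# "sudo iptables -I INPUT 5 -s 10.0.0.0/24 -j ACCEPT" (position 5 lands
# just before the REJECT in this default ruleset).
printf '%s\n' "$SAMPLE_RULES" | allow_cidr_before_reject 10.0.0.0/24
```

Option 2 is the one to prefer on anything reachable from outside the lab: it leaves the host closed by default and only opens it to the other nodes, whereas option 1 reverts the INPUT chain to the ACCEPT policy for everyone.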

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to devstack (master)

Fix proposed to branch: master
Review: https://review.opendev.org/755554

Changed in devstack:
assignee: nobody → Daniel Alvarez (dalvarezs)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on devstack (master)

Change abandoned by "Dr. Jens Harbott <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/devstack/+/755554
Reason: Feel free to reopen if you want to continue with this

Revision history for this message
Dr. Jens Harbott (j-harbott) wrote :

Patch didn't make progress, feel free to update if this is still relevant.

Changed in devstack:
assignee: Daniel Alvarez (dalvarezs) → nobody
status: In Progress → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for devstack because there has been no activity for 60 days.]

Changed in devstack:
status: Incomplete → Expired