CentOS + Icehouse + Neutron guide does not support SecurityGroup

Bug #1359691 reported by Hyun-wook Baek
This bug affects 3 people
Affects            Status         Importance   Assigned to       Milestone
openstack-manuals  Fix Released   High         Matt Kassawara

Bug Description

I have spent considerable time resolving this problem.
My setup is CentOS 6.5 (Linux 2.6.32-358.123.2.openstack.el6.x86_64),
and I tried the OpenStack installation guide refreshed on July 22, 2014.

I followed everything in the manual
except changing the message queue from Qpid to RabbitMQ.

Everything looked to be working fine at first, but I soon found that security group rules did not take effect at all: whatever security rules I set up, Neutron was allowing any kind of packets. What was stranger was that the iptables rules were properly updated whenever there was any change to the security group rules.

Simply speaking, packets going to and coming from virtual machines were completely bypassing the iptables rules, which are the incarnation of the security group rules.

Finally, I tried the iptables TRACE target and tcpdump on each interface and found that the iptables rules do not take effect on the TAP devices.

I resolved this by setting net.bridge.bridge-nf-call-iptables=1 manually on the compute node (i.e. sudo sysctl -w net.bridge.bridge-nf-call-iptables=1).

I could not find this in the bug list.
Please let me know whether there is a proper way to resolve this problem,
whether it is an ongoing issue,
or whether it is a new bug.

Also, let me know if you need any further information.

-----------------------------------
Built: 2014-08-09T05:18:43 00:00
git SHA: 9d0abbfa0b29c68c9e4b4728032197274eabf860
URL: http://docs.openstack.org/icehouse/install-guide/install/yum/content/neutron-ml2-compute-node.html
source File: file:/home/jenkins/workspace/openstack-manuals-tox-doc-publishdocs/doc/install-guide/section_neutron-ml2-compute-node.xml
xml:id: neutron-ml2-compute-node

information type: Private Security → Public Security
Revision history for this message
Phil Hopkins (phil-hopkins-a) wrote :

Can you post your nova config and neutron config files? Are you using ML2? If so, your ML2 config file too.

Matt Kassawara (ionosphere80) wrote :

Distributions usually set this kernel parameter to 1 by default. Did you install vanilla CentOS or use a version with potential modifications?

Changed in openstack-manuals:
status: New → Incomplete
Matt Kassawara (ionosphere80) wrote :

I verified that the kernel bridge module enables the net.bridge.* parameters and by default sets them as follows:

net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-filter-vlan-tagged = 0
net.bridge.bridge-nf-filter-pppoe-tagged = 0

Launchpad Janitor (janitor) wrote :

[Expired for openstack-manuals because there has been no activity for 60 days.]

Changed in openstack-manuals:
status: Incomplete → Expired
Alex Leonhardt (aleonhardt-py) wrote :

Hi,

We found this to be the same case when using VLANs; the default for

net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-filter-vlan-tagged = 0
net.bridge.bridge-nf-filter-pppoe-tagged = 0

is 0 in my sysctl.conf. This is also CentOS 6.5.

I've compared this against several other hosts (non-compute nodes as well), and they're all set to 0 by default.

It works after setting the above in sysctl.conf and running sysctl -p.

Alex

Changed in openstack-manuals:
status: Expired → Incomplete
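The bug description and Alex Leonhardt's comment above both come down to the same check: on a compute or network node, the five net.bridge.* sysctl parameters must hold the values Matt Kassawara listed, or Linux bridges silently skip iptables and the security group rules are never consulted. The POSIX shell function below is an added example (not code from this bug report, the openstack-manuals project, or CentOS) that reads `sysctl -a`-style "key = value" lines on stdin and reports every parameter that is missing or differs from the expected value. The expected values are taken from the list posted in this thread; the function name and output format are this example's own choices.

```shell
#!/bin/sh
# Expected bridge netfilter settings, as listed in this bug report.
# One "name expected-value" pair per line.
BRIDGE_NF_EXPECTED='net.bridge.bridge-nf-call-arptables 1
net.bridge.bridge-nf-call-iptables 1
net.bridge.bridge-nf-call-ip6tables 1
net.bridge.bridge-nf-filter-vlan-tagged 0
net.bridge.bridge-nf-filter-pppoe-tagged 0'

# check_bridge_nf: read "key = value" (or "key=value") lines on stdin, the
# format printed by `sysctl -a` and `sysctl net.bridge`, and print one line
# per parameter that is missing or has an unexpected value:
#   <name> expected=<x> actual=<y|missing>
# A "missing" parameter usually means the bridge kernel module is not
# loaded yet, since the net.bridge.* keys only exist once it is.
# Returns 0 when every parameter matches, 1 otherwise.
check_bridge_nf() {
    # Keep only net.bridge.* lines, normalised to "name value".
    actual=$(sed -n 's/^[[:space:]]*\(net\.bridge\.[^[:space:]=]*\)[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1 \2/p')
    rc=0
    while read -r name expected; do
        [ -n "$name" ] || continue
        value=$(printf '%s\n' "$actual" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$value" ]; then
            printf '%s expected=%s actual=missing\n' "$name" "$expected"
            rc=1
        elif [ "$value" != "$expected" ]; then
            printf '%s expected=%s actual=%s\n' "$name" "$expected" "$value"
            rc=1
        fi
    done <<EOF
$BRIDGE_NF_EXPECTED
EOF
    return $rc
}

# Usage on a node (not executed here so the file can be sourced):
#   sysctl -a 2>/dev/null | check_bridge_nf \
#       || echo "add the expected values to /etc/sysctl.conf and run sysctl -p"
```

On a healthy node the function prints nothing and returns 0; on a CentOS 6.5 node with the defaults Alex observed it prints the three `bridge-nf-call-*` keys with `actual=0`. Because it only reads stdin, the same function works on a saved `sysctl -a` dump collected from a fleet, which makes it usable as a drift check rather than only a one-off fix.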
Matt Kassawara (ionosphere80) wrote :

I'm not sure if/why CentOS 6.x changed the default values for these options, but we should probably add them to the list of options to configure in the sysctl.conf file on the network and compute nodes.

Changed in openstack-manuals:
status: Incomplete → Confirmed
importance: Undecided → Medium
importance: Medium → High
Matt Kassawara (ionosphere80) wrote :

So far, I don't think this issue impacts CentOS 7 with Juno.

Changed in openstack-manuals:
status: Confirmed → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/161798

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (stable/icehouse)

Reviewed: https://review.openstack.org/161798
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=d6618529b088f1b0053acf25db3942c5510fbcba
Submitter: Jenkins
Branch: stable/icehouse

commit d6618529b088f1b0053acf25db3942c5510fbcba
Author: Matthew Kassawara <email address hidden>
Date: Thu Mar 5 11:24:25 2015 -0600

    Configure additional kernel/sysctl options

    Explicitly configure additional kernel/sysctl options after
    changes to default values in RHEL/CentOS 6.5 disable implementation
    of security groups (iptables) on Linux bridges.

    Change-Id: I4ed3cec03a1b3a7d56dfe18394154ec1b2db6791
    Closes-Bug: #1359691

tags: added: in-stable-icehouse
Changed in openstack-manuals:
status: Triaged → Fix Released
assignee: nobody → Matt Kassawara (ionosphere80)