Any ideas on this?

Here are my firewall rules on Controller Node:

#ALLOW ALL Compute Node
-A INPUT -s $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
-A OUTPUT -d $COMPUTE_NODE_IP/32 -p udp -j ACCEPT
-A INPUT -s $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT
-A OUTPUT -d $COMPUTE_NODE_IP/32 -p tcp -j ACCEPT

#ALLOW ALL from-to Public Subnet
-A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT

After these, more rules follow for SSH (port 22), HTTP (port 80), etc.


Respectively, on the Compute Node I have


#ALLOW ALL Controller Node
-A INPUT -s $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
-A OUTPUT -d $CONTROLLER_NODE_IP/32 -p udp -j ACCEPT
-A INPUT -s $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT
-A OUTPUT -d $CONTROLLER_NODE_IP/32 -p tcp -j ACCEPT

#ALLOW ALL from-to Public Subnet
-A INPUT -s $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p udp -j ACCEPT
-A INPUT -s $PUBLIC_SUBNET/29 -p tcp -j ACCEPT
-A OUTPUT -d $PUBLIC_SUBNET/29 -p tcp -j ACCEPT


After these, more rules follow for SSH (port 22), HTTP (port 80), etc.

where, in all of the above:
The $COMPUTE_NODE_IP is the static IP address of the compute node
The $CONTROLLER_NODE_IP is the static IP address of the controller node
The $PUBLIC_SUBNET is the subnet for the public IP addresses as defined by my provider


The above rules are at the top of my iptables file, immediately after:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

while at the very end (after all the rules) I have:

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


Using the above rules I believe that I have an open communication between the Controller, the Compute Node and the VMs.

Obviously I am missing something...but what???

Can someone help me or share with me their firewall rules between a controller and a compute node?

Keeping the firewall disabled solves the problem and all VMs are getting IP addresses without a problem, but this is not desired.

I really appreciate any help provided, since I have been puzzled for quite a few days now with this....


Regards,


G.
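The ruleset quoted above can be checked offline rather than by toggling the firewall on and off. The following is an added example (not code from the thread or from OpenStack) that parses an iptables-save dump and walks a DHCP DISCOVER through the INPUT and FORWARD chains. The IP addresses, the bridge name and the three rulesets are constructed for the example; the parser only understands the options that appear in the posted rules plus --sport/--dport. It assumes a DISCOVER is IPv4 UDP from 0.0.0.0:68 to 255.255.255.255:67 in conntrack state NEW, and that, with br_netfilter loaded and net.bridge.bridge-nf-call-iptables=1 (the setting the Ocata install guide requires on nodes running the Linux bridge agent), frames forwarded across a Linux bridge traverse the FORWARD chain. Two things worth seeing in the output: a source of 0.0.0.0 matches none of the `-s` rules, so the verdict is decided by the terminal REJECT in each chain; and a UDP 67/68 accept appended after that REJECT (what `iptables -A` does on a running firewall that already has the tail) is never reached, while the same rule placed before it changes the verdict.

```python
"""Walk a DHCP DISCOVER through an iptables-save ruleset.

Added example, not code from the thread. Constructed addresses: compute node
10.0.0.31, controller 10.0.0.11, "public" subnet 203.0.113.0/29 (TEST-NET-3),
bridge brq5e7f2a1b-3c. Assumption: bridged frames traverse FORWARD because
br_netfilter is loaded with net.bridge.bridge-nf-call-iptables=1.
"""
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Option -> rule key. Every supported option takes exactly one argument.
OPTS = {"-p": "proto", "--protocol": "proto", "-s": "src", "--source": "src",
        "-d": "dst", "--destination": "dst", "-i": "in_if", "--in-interface": "in_if",
        "--sport": "sport", "--dport": "dport", "-j": "target", "--jump": "target"}


def parse_dump(dump):
    """Return ({chain: [rule, ...]}, {chain: policy}) from iptables-save text."""
    chains, policies = {}, {}
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                      # ":INPUT ACCEPT [0:0]"
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            policies[name] = policy
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        rule, i = {"target": None}, 2
        while i < len(toks):
            opt, arg = toks[i], toks[i + 1]
            if opt in OPTS:
                rule[OPTS[opt]] = arg
            elif opt == "--state":
                rule["states"] = set(arg.split(","))
            elif opt not in ("-m", "--reject-with"):  # module name / reject type: no match effect
                raise ValueError("unsupported option %r in %r" % (opt, line))
            i += 2
        chains.setdefault(toks[1], []).append(rule)
    return chains, policies


def _port_ok(spec, port):
    lo, _, hi = spec.partition(":")                   # "67" or "67:68"
    return int(lo) <= port <= int(hi or lo)


def matches(rule, pkt):
    if rule.get("proto") not in (None, "all", pkt["proto"]):
        return False
    for key in ("src", "dst"):
        net = rule.get(key)
        if net and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(net, strict=False):
            return False
    iface = rule.get("in_if")
    if iface and not (pkt["in_if"] == iface or
                      (iface.endswith("+") and pkt["in_if"].startswith(iface[:-1]))):
        return False
    for key in ("sport", "dport"):
        if key in rule and not _port_ok(rule[key], pkt[key]):
            return False
    return "states" not in rule or pkt["state"] in rule["states"]


def verdict(chains, policies, chain, pkt):
    """First terminal target the packet hits in `chain`, else the chain policy."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        tgt = rule["target"]
        if tgt in TERMINAL:
            return tgt
        if tgt == "RETURN":
            break
        if tgt in chains:                             # jump into a user-defined chain
            sub = verdict(chains, policies, tgt, pkt)
            if sub in TERMINAL:
                return sub
    return policies.get(chain, "RETURN")


# A DHCP DISCOVER as it arrives on the provider bridge (constructed packet).
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255",
                 "sport": 68, "dport": 67, "in_if": "brq5e7f2a1b-3c", "state": "NEW"}


def dhcp_verdicts(dump, pkt=DHCP_DISCOVER):
    chains, policies = parse_dump(dump)
    return {c: verdict(chains, policies, c, pkt) for c in ("INPUT", "FORWARD")}


# Controller-side filter table in the shape posted above (OUTPUT rules trimmed).
BASE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.31/32 -p udp -j ACCEPT
-A INPUT -s 10.0.0.31/32 -p tcp -j ACCEPT
-A INPUT -s 203.0.113.0/29 -p udp -j ACCEPT
-A INPUT -s 203.0.113.0/29 -p tcp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
"""
TAIL = """\
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
DHCP_ACCEPT = """\
-A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -p udp --sport 68 --dport 67 -j ACCEPT
"""
AS_POSTED = BASE + TAIL
APPENDED_AFTER_REJECT = BASE + TAIL.replace("COMMIT\n", DHCP_ACCEPT + "COMMIT\n")
INSERTED_BEFORE_REJECT = BASE + DHCP_ACCEPT + TAIL

if __name__ == "__main__":
    for name, dump in (("as posted", AS_POSTED),
                       ("67/68 appended after REJECT", APPENDED_AFTER_REJECT),
                       ("67/68 inserted before REJECT", INSERTED_BEFORE_REJECT)):
        print("%-30s %s" % (name, dhcp_verdicts(dump)))
```

Run it against a real `iptables-save` dump by passing the file contents to `dhcp_verdicts`; it raises on any option it does not model rather than silently mis-simulating it (the Neutron agent's own `-m physdev` rules, for instance, need to be added to `OPTS` before the tool will accept them).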



I have also disabled completely the "firewalld" service and reverted
back to "iptables" service but without success.

No matter what I do my instances cannot get a DHCP address unless the
firewall is "stopped".

I 've tried to add the UDP ports 67-68 on the firewall but without
success as well.
What else should I do in order to have "iptables" enabled
for basic firewall functionality and at the same time have my OpenStack
environment work without a problem?

Any ideas???

Regards,

G.

On Mon, 13 Mar 2017 19:37:41 -0400, Mohammed Naser wrote:
It causes problems for us so we uninstall and disable it on all
compute nodes.

yum -y remove firewalld

Sent from my iPhone

On Mar 13, 2017, at 5:58 PM, Georgios Dimitrakakis <gior...@acmac.uoc.gr> wrote:

My problem may be due to the "firewalld" service running....

Has anyone configured OpenStack on CentOS with Firewalld or do you suggest to disable it?

Best,

G.

On Sat, 11 Mar 2017 21:28:51 +0200, Georgios Dimitrakakis wrote:
Hello!

I am trying to setup a new Ocata installation following the official
guide but my instances fail to get a DHCP address.

I am using two physical nodes (1x controller and 1x compute) each one
with two network interfaces.
Compute node can reach the Controller node via the first interface
and vice versa.
As recommended by the manual, the second interface is unnumbered.

When I launch an instance I can see using "tcpdump" that the DHCP
request reaches the second (the unnumbered) interface
of the compute node but never reaches any other interface either on
compute or controller node.

Therefore I am wondering how should the instance get an IP address?
What is the correct path that is followed?

I have tried that using both provider and self-service networks and
the result is always the same.


Looking forward to any directions, recommendations, etc.


All the best,

G.

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack