Newton: Instances not getting IP address assigned when Firewall is on.

asked 2017-06-14 21:33:52 -0500

jbdkz100

I have built a test OpenStack environment, identical to the Newton install guide, on virtual servers running CentOS7. I chose networking option 2, self-service network, as explained in the guide (see link):

https://docs.openstack.org/newton/install-guide-rdo/neutron-controller-install-option2.html

My Cirros instances only get assigned a DHCP address when the CentOS7 firewall is disabled on both Controller and Compute.

NICs on both Controller and Compute are in the public zone. I have issued the following commands on both for DHCP, VXLAN ports:

firewall-cmd --zone=public --add-port=53/udp --permanent
firewall-cmd --zone=public --add-port=67/udp --permanent
firewall-cmd --zone=public --add-port=68/udp --permanent
firewall-cmd --zone=public --add-port=4789/udp --permanent
firewall-cmd --zone=public --add-service=dhcp --permanent
firewall-cmd --reload

In addition, I opened up all firewall ports as specified in the following link:

http://docs.openstack.org/newton/config-reference/firewalls-default-ports.html


Comments

A guess: You should not use the iptables interface when the firewalld is in charge, as the daemon is unaware of rules getting changed "behind its back". As a result the daemon's actions may have unexpected effects.

OpenStack uses iptables afaik, so it's better to disable the firewalld.

Bernd Bausch ( 2017-06-16 23:06:14 -0500 )

2 answers

0

answered 2017-06-19 08:38:33 -0500

tkokok

I got the same trouble, and I finally disabled firewalld but am using iptables.

0

answered 2017-06-17 15:57:18 -0500

jbdkz100

Resolved. After activating firewalld logging, I found out that the VXLAN UDP port 8472 was the problem. I opened the port on both the controller and the compute node, and instances are not getting DHCP leases.


Comments

VXLAN port gets opened by the packstack installer automatically.
It happens via an answer-file entry:
CONFIG_NEUTRON_OVS_VXLAN_UDP_PORT=4789 ( standard setting )

dbaxps ( 2017-06-18 15:01:16 -0500 )
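
The diagnosis described in the answer above (turn on firewalld's denied-packet log, then see which port is being rejected), as an added example that is not part of the original thread. The host name, addresses and log lines are constructed, and the `FINAL_REJECT:` prefix is assumed to be what firewalld writes once `firewall-cmd --set-log-denied=all` is set.

```shell
#!/bin/sh
# Added example: find which ports firewalld is denying, from its denied-packet log.
# Turn the log on first:   firewall-cmd --set-log-denied=all
# Then on a real host:     journalctl -k | denied_ports

# Read netfilter LOG lines on stdin; print "count PROTO/dport", busiest first.
denied_ports() {
    awk '
        /_(REJECT|DROP): / {
            proto = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dport = substr($i, 5)
            }
            # ICMP and similar lines carry no DPT field and are skipped.
            if (proto != "" && dport != "") seen[proto "/" dport]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2,2
}

# Turn one "PROTO/dport" result into the firewall-cmd line that would open it
# in the public zone (the zone used in the question). Printed, not executed.
suggest_rule() {
    proto=$(printf '%s' "${1%%/*}" | tr 'A-Z' 'a-z')
    printf 'firewall-cmd --zone=public --add-port=%s/%s --permanent\n' "${1##*/}" "$proto"
}

# Constructed sample log (documentation addresses, made-up host name).
sample_log() {
    cat <<'EOF'
Jun 17 15:40:01 compute1 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.31 LEN=378 TTL=64 ID=4821 PROTO=UDP SPT=41653 DPT=8472 LEN=358
Jun 17 15:40:02 compute1 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.31 LEN=378 TTL=64 ID=4822 PROTO=UDP SPT=41653 DPT=8472 LEN=358
Jun 17 15:40:03 compute1 sshd[1201]: Accepted publickey for admin from 192.0.2.5 port 50022 ssh2
Jun 17 15:40:04 compute1 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.31 LEN=60 TTL=64 ID=9911 PROTO=TCP SPT=50110 DPT=23 WINDOW=29200 SYN
Jun 17 15:40:05 compute1 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.31 LEN=84 TTL=64 ID=100 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Jun 17 15:40:06 compute1 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.31 LEN=378 TTL=64 ID=4823 PROTO=UDP SPT=41653 DPT=8472 LEN=358
EOF
}

sample_log | denied_ports
```

UDP 8472 is the Linux kernel VXLAN driver's default port, while 4789 is the IANA-assigned one, so a rule for 4789 alone leaves kernel-default VXLAN traffic blocked. Open only ports you can attribute to a known service between the controller and compute nodes, and set the log back with `firewall-cmd --set-log-denied=off` when done.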

Stats

Asked: 2017-06-14 21:33:52 -0500

Seen: 227 times

Last updated: Jun 17 '17