Ask Your Question
0

Newton: Instances not getting IP address assigned when Firewall is on.

asked 2017-06-14 21:33:52 -0500

jbdkz100 gravatar image

I have built a test Openstack Environment, identical to the Newton install guide, on virtual servers running CentOS7, I chose networking option 2, self-service network, as explained in the guide (see link):

https://docs.openstack.org/newton/install-guide-rdo/neutron-controller-install-option2.html

My Cirros instances only get assigned a DHCP address when the CentOS7 firewall is disabled on both Controller and Compute.

NICs on both Controller and Compute are in the public zone. I have issued the following commands on both for DHCP, VXLAN ports: firewall-cmd --zone=public --add-port=53/udp --permanent firewall-cmd --zone=public --add-port=67/udp --permanent firewall-cmd --zone=public --add-port=68/udp --permanent firewall-cmd --zone=public --add-port=4789/udp --permanent firewall-cmd --zone=public --add-service=dhcp --permanent firewall-cmd --reload

In addition, I opened up all firewall ports as specified in the following link:

http://docs.openstack.org/newton/config-reference/firewalls-default-ports.html

edit retag flag offensive close merge delete

Comments

A guess: You should not use the iptables interface when the firewalld is in charge, as the daemon is unaware of rules getting changed "behind its back". As a result the daemon's actions may have unexpected effects.

OpenStack uses iptables afaik, so it's better to disable the firewalld.

Bernd Bausch gravatar imageBernd Bausch ( 2017-06-16 23:06:14 -0500 )edit
add a comment

2 answers

Sort by ยป oldest newest most voted
0

answered 2017-06-19 08:38:33 -0500

tkokok gravatar image

i got the same trouble, and i finally disable firewalld but using iptables

edit flag offensive delete link more
add a comment
0

answered 2017-06-17 15:57:18 -0500

jbdkz100 gravatar image

Resolved, after activating firewalld logging, I found out that the VXLAN upd port 8472 was the problem, I opened the port on both the controller and the compute node, and instances are not getting DHCP leases.

edit flag offensive delete link more

Comments

VXLAN port gets open by packstack installer automatically.
It happens via answer-file entry :-
CONFIG_NEUTRON_OVS_VXLAN_UDP_PORT=4789 ( standard setting )

dbaxps gravatar imagedbaxps ( 2017-06-18 15:01:16 -0500 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2017-06-14 21:33:52 -0500

Seen: 174 times

Last updated: Jun 17 '17

Related questions

Can provider network type be changed?

Neutron network node: DHCP requests hit interface, but not dnsmasq for some tenants while ok for others

(Mitaka, SR-IOV) Possible to mix Flat and VXLAN nets on same VM?

How to connect two Openstack clusters? (multi-site configuration)

Packstack Newton configuration with VLAN interface

DHCP Discover not tunneled through OVS/GRE

No IP address allocated to VM

How to enable fwaas in openstack kilo? [closed]

Newton fwaas devstack installation verification

checking version of openstack components?