Ask Your Question
0

Newton: Instances not getting IP address assigned when Firewall is on.

asked 2017-06-14 21:33:52 -0500

jbdkz100 gravatar image

I have built a test Openstack Environment, identical to the Newton install guide, on virtual servers running CentOS7, I chose networking option 2, self-service network, as explained in the guide (see link):

https://docs.openstack.org/newton/install-guide-rdo/neutron-controller-install-option2.html

My Cirros instances only get assigned a DHCP address when the CentOS7 firewall is disabled on both Controller and Compute.

NICs on both Controller and Compute are in the public zone. I have issued the following commands on both for DHCP, VXLAN ports: firewall-cmd --zone=public --add-port=53/udp --permanent firewall-cmd --zone=public --add-port=67/udp --permanent firewall-cmd --zone=public --add-port=68/udp --permanent firewall-cmd --zone=public --add-port=4789/udp --permanent firewall-cmd --zone=public --add-service=dhcp --permanent firewall-cmd --reload

In addition, I opened up all firewall ports as specified in the following link:

http://docs.openstack.org/newton/config-reference/firewalls-default-ports.html

edit retag flag offensive close merge delete

Comments

A guess: You should not use the iptables interface when the firewalld is in charge, as the daemon is unaware of rules getting changed "behind its back". As a result the daemon's actions may have unexpected effects.

OpenStack uses iptables afaik, so it's better to disable the firewalld.

Bernd Bausch gravatar imageBernd Bausch ( 2017-06-16 23:06:14 -0500 )edit
add a comment

2 answers

Sort by ยป oldest newest most voted
0

answered 2017-06-19 08:38:33 -0500

tkokok gravatar image

i got the same trouble, and i finally disable firewalld but using iptables

edit flag offensive delete link more
add a comment
0

answered 2017-06-17 15:57:18 -0500

jbdkz100 gravatar image

Resolved, after activating firewalld logging, I found out that the VXLAN upd port 8472 was the problem, I opened the port on both the controller and the compute node, and instances are not getting DHCP leases.

edit flag offensive delete link more

Comments

VXLAN port gets open by packstack installer automatically.
It happens via answer-file entry :-
CONFIG_NEUTRON_OVS_VXLAN_UDP_PORT=4789 ( standard setting )

dbaxps gravatar imagedbaxps ( 2017-06-18 15:01:16 -0500 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2017-06-14 21:33:52 -0500

Seen: 217 times

Last updated: Jun 17 '17

Related questions

Neutron network node: DHCP requests hit interface, but not dnsmasq for some tenants while ok for others

Can provider network type be changed?

VxLAN tenant network with multi node KVM computes

Unauthorized access using Fuel 11 [closed]

How does Neutron DHCP decide to issue an IP?

Newton Gnocchi and Ceilometer Error [closed]

[newton] ceilometer-api cgi-bin path

Cannot ping VM in internal network

Mirantis Fuel KVM migration causes DNS to fail

Problem connecting external host to vxlan