Newton: Instances not getting IP address assigned when Firewall is on.
I have built a test OpenStack environment, identical to the Newton install guide, on virtual servers running CentOS7. I chose networking option 2, self-service network, as explained in the guide (see link):
https://docs.openstack.org/newton/install-guide-rdo/neutron-controller-install-option2.html
My Cirros instances only get assigned a DHCP address when the CentOS7 firewall is disabled on both Controller and Compute.
NICs on both Controller and Compute are in the public zone. I have issued the following commands on both for DHCP, VXLAN ports:
firewall-cmd --zone=public --add-port=53/udp --permanent
firewall-cmd --zone=public --add-port=67/udp --permanent
firewall-cmd --zone=public --add-port=68/udp --permanent
firewall-cmd --zone=public --add-port=4789/udp --permanent
firewall-cmd --zone=public --add-service=dhcp --permanent
firewall-cmd --reload
In addition, I opened up all firewall ports as specified in the following link:
http://docs.openstack.org/newton/config-reference/firewalls-default-ports.html
A guess: You should not use the iptables interface when the firewalld is in charge, as the daemon is unaware of rules getting changed "behind its back". As a result the daemon's actions may have unexpected effects.
OpenStack uses iptables afaik, so it's better to disable the firewalld.
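One way to test the guess in the answer above is to compare two `iptables-save` dumps and list the chains that disappeared between them. This is an added example, not part of the original thread; the sample dumps are constructed, and the `neutron-` chain prefix and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Sample dumps are constructed; the "neutron-" chain prefix is an assumption.

# Print "table/chain" for every chain declared in an iptables-save dump.
chains_in() {
    awk '
        /^\*/ { table = substr($0, 2); next }   # "*filter" opens a table
        /^:/  { split(substr($0, 2), f, " ")    # ":CHAIN POLICY [pkts:bytes]"
                print table "/" f[1] }
    ' "$1" | sort -u
}

# lost_chains BEFORE AFTER [PREFIX]: chains in BEFORE that are absent from AFTER.
lost_chains() {
    b=$(mktemp); a=$(mktemp)
    chains_in "$1" > "$b"
    chains_in "$2" > "$a"
    comm -23 "$b" "$a" | grep -- "/${3:-}" || true
    rm -f "$b" "$a"
}

# Write two constructed snapshots into directory $1.
make_samples() {
    cat > "$1/before.txt" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:neutron-linuxbri-INPUT - [0:0]
:neutron-linuxbri-sg-chain - [0:0]
-A INPUT -j neutron-linuxbri-INPUT
COMMIT
EOF
    cat > "$1/after.txt" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:IN_public - [0:0]
-A INPUT -j IN_public
COMMIT
EOF
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_samples "$d"
    lost_chains "$d/before.txt" "$d/after.txt" neutron-
    rm -rf "$d"
fi
```

On a node, save the output of `iptables-save` to a file before and after `firewall-cmd --reload` and pass the two files to `lost_chains`; any chain it prints was present before the reload and is gone afterwards.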