Pike: no auto-generated firewall rules on node. Chains nova-* and neutron-* are missing.

asked 2018-04-24 12:10:46 -0500

full_moon

updated 2018-05-02 07:56:19 -0500

OpenStack (Pike) is running with 6 compute nodes and one controller. CentOS 7 is installed on all servers.

Nova and Neutron are running fine on 3 compute nodes.

On the other three nodes, when I start the Nova and Neutron services, both of them start without error, but privsep is not running and no error is logged.

Thus, iptables is not configured and resources can't be allocated on those physical servers. Nova.conf and neutron.conf are identical on all compute nodes.

[root@node1 nova]# systemctl start openstack-nova-compute.service
[root@node1 nova]# systemctl status -l openstack-nova-compute.service
● openstack-nova-compute.service - OpenStack Nova Compute Server
   Loaded: loaded (/usr/lib/systemd/system/openstack-nova-compute.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2018-04-24 10:41:19 CEST; 13s ago
 Main PID: 3822829 (nova-compute)
   CGroup: /system.slice/openstack-nova-compute.service
           └─3822829 /usr/bin/python2 /usr/bin/nova-compute

avr 24 10:41:15 node1 systemd[1]: Starting OpenStack Nova Compute Server...
avr 24 10:41:19 node1 systemd[1]: Started OpenStack Nova Compute Server.


[root@node1 nova]# ps -ef | grep nova
nova     3822829       1  6 10:41 ?        00:00:05 /usr/bin/python2 /usr/bin/nova-compute
root     3823029 3817406  0 10:42 pts/0    00:00:00 grep --color=auto nova


[root@node1 nova]# ps -ef | grep neutron
neutron  3824601       1 99 10:47 ?        00:00:01 /usr/bin/python2 /usr/bin/neutron-linuxbridge-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-linuxbridge-agent --log-file /var/log/neutron/linuxbridge-agent.log


[root@node1 nova]# systemctl status -l neutron-linuxbridge-agent.service
● neutron-linuxbridge-agent.service - OpenStack Neutron Linux Bridge Agent
   Loaded: loaded (/usr/lib/systemd/system/neutron-linuxbridge-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since mar 2018-04-24 10:57:53 CEST; 2min 36s ago
  Process: 3824594 ExecStartPre=/usr/bin/neutron-enable-bridge-firewall.sh (code=exited, status=0/SUCCESS)
 Main PID: 3824601 (neutron-linuxbr)
   CGroup: /system.slice/neutron-linuxbridge-agent.service
           ├─3824601 /usr/bin/python2 /usr/bin/neutron-linuxbridge-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/linuxbridge_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-linuxbridge-agent --log-file /var/log/neutron/linuxbridge-agent.log
           ├─3824623 sudo neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
           └─3824624 /usr/bin/python2 /usr/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
avr 24 10:57:53 node1 systemd[1]: Starting OpenStack Neutron Linux Bridge Agent...
avr 24 10:57:53 node1 neutron-enable-bridge-firewall.sh[3824594]: net.bridge.bridge-nf-call-iptables = 1
avr 24 10:57:53 node1 neutron-enable-bridge-firewall.sh[3824594]: net.bridge.bridge-nf-call-ip6tables = 1
avr 24 10:57:53 node1 systemd[1]: Started OpenStack Neutron Linux Bridge Agent.
avr 24 10:57:54 node1 neutron-linuxbridge-agent[3824601]: Guru meditation now registers SIGUSR1 and SIGUSR2 by default for backward compatibility. SIGUSR1 will no longer be registered in a future release, so please use SIGUSR2 to generate reports.
avr 24 10:57:55 node1 sudo[3824623]:  neutron : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/neutron-rootwrap-daemon /etc/neutron/rootwrap.conf
avr 24 10 ...