Ask Your Question
0

How do I access Horizon from remote browser

asked 2018-11-14 17:38:18 -0500

ChristinaS gravatar image

Hello,

I have installed Devstack (rocky) on available hardware in our Lab environment on RHEL7.5 OS. I have worked through the install and the stack.sh completes successfully. I can access the dashboard via Firefox in Gnome on the server itself, but I can not access it from a web browser on a jump server or any other system on the same subnet. Any assistance someone could provide would be greatly appreciated.

The 10.10.10.63 is a /24 network.
The interface responds to ssh from servers on the same subnet and accross the WAN. I'm sure this is a simple question that has been asked many times, but I'm not finding it here .

  [[local|localrc]]
  ADMIN_PASSWORD=tisasecret
  DATABASE_PASSWORD=$ADMIN_PASSWORD
  RABBIT_PASSWORD=$ADMIN_PASSWORD
  SERVICE_PASSWORD=$ADMIN_PASSWORD
  GIT_BASE=${GIT_BASE:-https://git.openstack.org}
  enable_service h-eng h-api h-api-cfn h-api-cw
  enable_plugin heat https://git.openstack.org/openstack/heat
  FLOATING_RANGE=10.10.10.64/27
  HOST_IP=10.10.10.63
  FLAT_INTERFACE=eth0

Thank you, Christina

Love being the noob

edit retag flag offensive close merge delete

Comments

Centos has a strict firewall by default and only accepts ICMP packets (ping) and TCP port 22 (ssh). Any other attempts to connect are simply ignored. Did you open port 80 in that server's firewall ?

Bernd Bausch gravatar imageBernd Bausch ( 2018-11-14 21:08:36 -0500 )edit

Thank you for your response. I had forgotten to mention that selinux and firewalld were explicity disabled during the install, but your response got me thinking I should check iptables, and sure enough, I think I see it now. Makes sense, a filter on the virtual bridge.

ChristinaS gravatar imageChristinaS ( 2018-11-14 22:02:22 -0500 )edit

1 answer

Sort by » oldest newest most voted
0

answered 2018-11-14 22:04:42 -0500

ChristinaS gravatar image

I will have to brush up on my iptable skills in the morning they are a bit rusty - but it looks like I need to add an accept on the virtual bridge.

[stack@ostackserver devstack]$ sudo sestatus
SELinux status:                 disabled
[stack@ostackserver devstack]$ sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
[stack@ostackserver devstack]$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
1570K 1260M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 5743  345K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   48  2544 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 1349K packets, 316M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
[stack@ostackserver devstack]$
edit flag offensive delete link more

Comments

Did you install devstack on the server or a VM on that server?

In the first case, your rules accept packets from established connections, ICMP packets, packets coming from lo, and port 22. Anything else is rejected. This would explain your problem.

In the latter case, I don’t see the VM’s rules.

Bernd Bausch gravatar imageBernd Bausch ( 2018-11-14 22:51:06 -0500 )edit

This instance is installed and built on baremetal server. Our Lab vCenter is still under construction. I'm not sure if devstack is the appropriate bundle to be using, none of this is done on workstation virtualization. Seemed like a decent starting point as I get familiar with the documentation.

ChristinaS gravatar imageChristinaS ( 2018-11-15 07:46:00 -0500 )edit

Devstack is OK to start playing with OpenStack. Another option is Packstack.

I would copy this rule: 1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 and replace 22 with 80.

Bernd Bausch gravatar imageBernd Bausch ( 2018-11-15 08:39:43 -0500 )edit

Thank you for the recommendation Bernd, I will take a look @Packstack. I also found this, we have no plans to be running anything using libvirt networking as described in the document: https://docs.openstack.org/newton/networking-guide/misc-libvirt.html (https://docs.openstack.org/newton/net...) So I'm going to explore this avenue as well.

ChristinaS gravatar imageChristinaS ( 2018-11-16 11:13:19 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2018-11-14 17:38:18 -0500

Seen: 77 times

Last updated: Nov 14 '18