Icehouse - FWaaS - can't RDP in instance

asked 2014-12-05 03:49:40 -0500

rahuk

Hey Guys,

I have a problem with FWaaS in OpenStack Icehouse! All works fine until I make a Firewall. Then I can't RDP into an instance. SSH is working! When I do a telnet on port 3389 and then an RDP it works .... Without the Firewall it works, too.

I use Ubuntu 14.04 with Icehouse

  • 3* Controller with the Openstack Services
  • 1* L3-Network-Node 2
  • 2* Compute-Nodes

The Image is a Windows Server 2012 R2

Here the Configuration of the Controller:

cat /etc/neutron/neutron.conf | grep -v "^#" | grep -v "^$"

[DEFAULT]
Use_namespaces=True
rpc_backend = neutron.openstack.common.rpc.impl_kombu
rabbit_password = password
rabbit_userid = openstack_rabbit_user
rabbit_hosts = 10.250.0.51:5672,10.250.0.52:5672
rabbit_retry_interval=1
rabbit_retry_backoff=2
rabbit_max_retries=0
rabbit_durable_queues=false
rabbit_ha_queues=true
auth_strategy = keystone
bind_host = 10.250.0.31
neutron_url = http://10.250.0.60:9696
vif_plugging_is_fatal = false
vif_plugging_timeout = 0
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
nova_url = http://10.250.0.60:8774/v2
nova_admin_username = nova
nova_admin_tenant_id = 2e9345a82f2d4340b92d7a158a1e9350
nova_admin_password = password
nova_admin_auth_url = http://10.250.0.60:35357/v2.0
allow_overlapping_ips = True
verbose = true
debug = false
state_path = /var/lib/neutron
lock_path = $state_path/lock
log_dir =/var/log/openstack
dhcp_agent_notification = True
control_exchange = neutron
notification_driver = neutron.openstack.common.notifier.rpc_notifier
agent_down_time = 200
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
core_plugin = ml2
service_plugins = router,firewall
[service_providers]
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
[fwaas]
driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True
[quotas]
[agent]
root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
report_interval = 100
[keystone_authtoken]
auth_uri = http://10.250.0.60:5000
auth_host = 10.250.0.60
auth_protocol = http
auth_port = 35357
admin_tenant_name = service
admin_user = neutron
admin_password = password
signing_dir = $state_path/keystone-signing
[database]
connection = mysql://neutron:password@10.250.0.60/neutron

and here of the L3-Network-Node:

cat /etc/neutron/neutron.conf | grep -v "^#" | grep -v "^$"

[DEFAULT]
use_namespaces=True
metadata_proxy_shared_secret = password
use_namespaces=True
verbose = True
debug = True
state_path = /var/lib/neutron
lock_path = $state_path/lock
core_plugin = ml2
service_plugins = router,firewall
control_exchange = neutron
allow_overlapping_ips = True
auth_strategy = keystone
rpc_backend = neutron.openstack.common.rpc.impl_kombu
notification_driver = neutron.openstack.common.notifier.rpc_notifier
rabbit_password = password
rabbit_userid = openstack_rabbit_user
rabbit_hosts = 10.250.0.51:5672,10.250.0.52:5672
rabbit_retry_interval=1
rabbit_retry_backoff=2
rabbit_max_retries=0
rabbit_durable_queues=false
rabbit_ha_queues=true
agent_down_time = 200
report_interval = 100
[service_providers]
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
[fwaas]
driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True
[agent]
root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
[keystone_authtoken]
auth_uri = http://10.250.0.60:5000
auth_host = 10.250.0.60
auth_protocol = http
auth_port = 35357
admin_tenant_name = service
admin_user = neutron
admin_password = password
signing_dir = $state_path/keystone-signing
[database]
connection = mysql://neutron:password@10.250.0.60/neutron

cat fwaas_driver.ini

[fwaas]
driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True

On the Compute Node there is nothing configured for the Firewall:

cat /etc/neutron/neutron.conf | grep -v "^#" | grep -v "^$"

[DEFAULT]
verbose = True
rpc_backend = neutron.openstack.common.rpc.impl_kombu
rabbit_password = password
rabbit_userid = openstack_rabbit_user
rabbit_hosts = 10.250.0.51:5672,10.250.0.52:5672
rabbit_retry_interval=1
rabbit_retry_backoff=2
rabbit_max_retries=0
rabbit_durable_queues=false
rabbit_ha_queues=true
auth_strategy = keystone
bind_host = 10.250 ...

Comments

Please let us know the security group rules?

SGPJ (2014-12-05 09:44:06 -0500)

2 answers


answered 2014-12-05 12:07:27 -0500

rahuk

updated 2014-12-09 08:18:30 -0500

Hey and thanks for your answers !

The security group is open for all TCP UDP and icmp !

# nova secgroup-list-rules f2b2addb-7571-410c-9820-035eaff91bbb
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
|             |           |         |           | default      |
| tcp         | 1         | 65535   |           | default      |
|             |           |         |           | default      |
| udp         | 3389      | 3389    |           | default      |
| tcp         | 1         | 65535   | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Maybe anyone can tell me the correct configuration? How to configure the Compute-Node, the L3-Network-Node and the Controller?

# neutron agent-list
+--------------------------------------+--------------------+----------------+-------+----------------+
| id                                   | agent_type         | host           | alive | admin_state_up |
+--------------------------------------+--------------------+----------------+-------+----------------+
| 05532817-ebc2-42a4-863f-c11764b06a9a | Open vSwitch agent | ComputeNode1-I | :-)   | True           |
| 572347f4-7b3d-48c7-afe2-db4b93ff208f | DHCP agent         | L3-Node1-I     | :-)   | True           |
| 7f459224-3474-4a31-99b3-6b1689001030 | L3 agent           | L3-Node-1-I    | :-)   | True           |
| 89849d6c-50aa-4385-a4e4-8bdc3d13cb3e | Open vSwitch agent | ComputeNode2-I | :-)   | True           |
| a37dc24d-3cfe-4407-80f6-910e5185be74 | Open vSwitch agent | L3-Node1-I     | :-)   | True           |
| dd8d19d0-5e93-40f5-b3c4-35823b098ea3 | Metadata agent     | L3-Node1-I     | :-)   | True           |
+--------------------------------------+--------------------+----------------+-------+----------------+

I believe it's only a misconfiguration; the official documentation doesn't say where to configure these settings :(

How do you configure the FWaaS?!

Thanks for any hints !

Regards Rahuk


Comments

The security groups are ok! When I disable the FWaaS it will work without problems!

rahuk (2014-12-06 01:06:56 -0500)
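Added example (not from this thread) of how the FWaaS side would be set up for the question and the answer above with the Icehouse neutron CLI: the FWaaS iptables driver ends each policy chain with a DROP, so the firewall policy itself must allow TCP 3389, and an open security group alone does not help. Rule, policy and firewall names are invented placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: create an FWaaS rule set that admits
# RDP (plus SSH and ICMP) and verify it on the L3 node. The Icehouse FWaaS
# iptables driver ends each policy chain with DROP, so the policy itself
# must allow TCP 3389; an open security group alone does not help.
# Rule, policy and firewall names are invented placeholders.
set -eu

NEUTRON="${NEUTRON:-neutron}"   # override (e.g. with a stub) to dry-run

# Pull the value of the "id" row out of the table a neutron *-create prints.
neutron_id() {
    awk -F'|' '$2 ~ /^ *id *$/ { gsub(/ /, "", $3); print $3 }'
}

# fwaas_port_rule NAME PROTO PORT -> prints the new firewall rule id
fwaas_port_rule() {
    $NEUTRON firewall-rule-create --name "$1" --protocol "$2" \
        --destination-port "$3" --action allow | neutron_id
}

# Build rules -> policy -> firewall; prints the firewall id.
fwaas_allow_rdp() {
    rdp=$(fwaas_port_rule allow-rdp tcp 3389)
    ssh=$(fwaas_port_rule allow-ssh tcp 22)
    icmp=$($NEUTRON firewall-rule-create --name allow-icmp \
        --protocol icmp --action allow | neutron_id)
    # Every service the tenant needs must be listed; unmatched traffic is dropped.
    policy=$($NEUTRON firewall-policy-create \
        --firewall-rules "$rdp $ssh $icmp" rdp-policy | neutron_id)
    $NEUTRON firewall-create --name tenant-fw "$policy" | neutron_id
}

# On the L3 node: confirm the 3389 rule was rendered into the router namespace.
# Usage: fwaas_check_rdp ROUTER_ID
fwaas_check_rdp() {
    ip netns exec "qrouter-$1" iptables -S | grep -- '--dport 3389'
}
```

Source the tenant credentials and call fwaas_allow_rdp on the controller; fwaas_check_rdp runs as root on the L3 node with the router id from `neutron router-list`.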

answered 2014-12-05 09:30:26 -0500

alexpilotti

Did you allow port 3389 (RDP) on your security groups?

See: http://docs.openstack.org/user-guide/...

e.g.:

nova secgroup-add-rule default tcp 3389 3389 0.0.0.0/0
Stats

Asked: 2014-12-05 03:49:40 -0500

Seen: 473 times

Last updated: Dec 09 '14