Icehouse - FWaaS - can't RDP in instance

Hey Guys,

I have a problem with FWaaS in OpenStack Icehouse! All works fine until I make a firewall. Then I can't RDP into an instance. SSH is working! When I do a telnet on port 3389 and then an RDP, it works... Without a firewall it works, too.

I use Ubuntu 14.04 with Icehouse

  • 3x controllers with the OpenStack services
  • 1x L3 network node 2
  • 2x compute nodes

The image is a Windows Server 2012 R2.

Here is the configuration of the controller:

cat /etc/neutron/neutron.conf | grep -v "^#" | grep -v "^$"

[DEFAULT]
Use_namespaces=True
rpc_backend = neutron.openstack.common.rpc.impl_kombu
rabbit_password = password
rabbit_userid = openstack_rabbit_user
rabbit_hosts = 10.250.0.51:5672,10.250.0.52:5672
rabbit_retry_interval=1
rabbit_retry_backoff=2
rabbit_max_retries=0
rabbit_durable_queues=false
rabbit_ha_queues=true
auth_strategy = keystone
bind_host = 10.250.0.31
neutron_url = http://10.250.0.60:9696
vif_plugging_is_fatal = false
vif_plugging_timeout = 0
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
nova_url = http://10.250.0.60:8774/v2
nova_admin_username = nova
nova_admin_tenant_id = 2e9345a82f2d4340b92d7a158a1e9350
nova_admin_password = password
nova_admin_auth_url = http://10.250.0.60:35357/v2.0
allow_overlapping_ips = True
verbose = true
debug = false
state_path = /var/lib/neutron
lock_path = $state_path/lock
log_dir =/var/log/openstack
dhcp_agent_notification = True
control_exchange = neutron
notification_driver = neutron.openstack.common.notifier.rpc_notifier
agent_down_time = 200
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
core_plugin = ml2
service_plugins = router,firewall
[service_providers]
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
[fwaas]
driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True
[quotas]
[agent]
root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
report_interval = 100
[keystone_authtoken]
auth_uri = http://10.250.0.60:5000
auth_host = 10.250.0.60
auth_protocol = http
auth_port = 35357
admin_tenant_name = service
admin_user = neutron
admin_password = password
signing_dir = $state_path/keystone-signing
[database]
connection = mysql://neutron:password@10.250.0.60/neutron

and here that of the L3 network node:

cat /etc/neutron/neutron.conf | grep -v "^#" | grep -v "^$"

[DEFAULT]
use_namespaces=True
metadata_proxy_shared_secret = password
use_namespaces=True
verbose = True
debug = True
state_path = /var/lib/neutron
lock_path = $state_path/lock
core_plugin = ml2
service_plugins = router,firewall
control_exchange = neutron
allow_overlapping_ips = True
auth_strategy = keystone
rpc_backend = neutron.openstack.common.rpc.impl_kombu
notification_driver = neutron.openstack.common.notifier.rpc_notifier
rabbit_password = password
rabbit_userid = openstack_rabbit_user
rabbit_hosts = 10.250.0.51:5672,10.250.0.52:5672
rabbit_retry_interval=1
rabbit_retry_backoff=2
rabbit_max_retries=0
rabbit_durable_queues=false
rabbit_ha_queues=true
agent_down_time = 200
report_interval = 100
[service_providers]
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
[fwaas]
driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True
[agent]
root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
[keystone_authtoken]
auth_uri = http://10.250.0.60:5000
auth_host = 10.250.0.60
auth_protocol = http
auth_port = 35357
admin_tenant_name = service
admin_user = neutron
admin_password = password
signing_dir = $state_path/keystone-signing
[database]
connection = mysql://neutron:password@10.250.0.60/neutron

cat fwaas_driver.ini

[fwaas]
driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True

On the compute node nothing firewall-related is configured:

cat /etc/neutron/neutron.conf | grep -v "^#" | grep -v "^$"

[DEFAULT]
verbose = True
rpc_backend = neutron.openstack.common.rpc.impl_kombu
rabbit_password = password
rabbit_userid = openstack_rabbit_user
rabbit_hosts = 10.250.0.51:5672,10.250.0.52:5672
rabbit_retry_interval=1
rabbit_retry_backoff=2
rabbit_max_retries=0
rabbit_durable_queues=false
rabbit_ha_queues=true
auth_strategy = keystone
bind_host = 10.250.0.60
neutron_url = http://10.250.0.60:9696
notify_nova_on_port_status_changes = True
notify_nova_on_port_data_changes = True
nova_url = http://10.250.0.60:8774/v2
nova_admin_username = nova
nova_admin_tenant_id = 2e9345a82f2d4340b92d7a158a1e9350
nova_admin_password = password
nova_admin_auth_url = http://10.250.0.60:35357/v2.0
send_events_interval = 2
core_plugin = ml2
service_plugins = router
allow_overlapping_ips = True
verbose = False
debug = False
state_path = /var/lib/neutron
lock_path = $state_path/lock
bind_host = 10.250.0.21
bind_port = 9696
control_exchange = neutron
dhcp_agent_notification = True 
[quotas]
[agent]
root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
[keystone_authtoken]
auth_uri = http://10.250.0.60:5000
auth_host = 10.250.0.60
auth_protocol = http
auth_port = 35357
admin_tenant_name = service
admin_user = neutron
admin_password = password
signing_dir = $state_path/keystone-signing
[database]
connection = mysql://neutron:password@10.250.0.60/neutron

Is the configuration correct? Only on the 3 controllers and the L3 network node, and not on the compute node?

Here is my workaround:

# rdp 10.113.102.18
ERROR: recv: Die Verbindung wurde vom Kommunikationspartner zurückgesetzt
^C
# telnet 10.113.102.18 3389
Trying 10.113.102.18...
Connected to 10.113.102.18.
Escape character is '^]'.

# rdp 10.113.102.18  <-- Now it works for 1-2 minutes / the connection is stable until I disconnect ...

In a tenant without a firewall it works fine!

Where can I find the logs for FWaaS? Does anyone have an idea?

At the moment I will test the Windows Server 2012 R2 Std Eval from http://www.cloudbase.it/; maybe it will work .....

Thanks for any help!

Regards, rahuk
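The neutron.conf dumps above set some keys more than once in the same section (for example `verbose` and `bind_host` on the compute node, and `Use_namespaces` next to `use_namespaces`), which makes it unclear what value each daemon actually runs with. The following checker is an added example, not code from the original post or from Neutron; `SAMPLE` is a constructed excerpt modelled on the compute-node dump, not the poster's real file.

```python
"""Report keys set more than once inside one section of an INI-style neutron.conf.
Added example for this thread, not from the original post; SAMPLE is a constructed
excerpt modelled on the compute-node dump above, not the poster's file."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
KEY_RE = re.compile(r"^([^=#;\s][^=]*?)\s*=\s*(.*?)$")

SAMPLE = """[DEFAULT]
verbose = True
bind_host = 10.250.0.60
verbose = False
bind_host = 10.250.0.21
Use_namespaces=True
use_namespaces=True
[agent]
root_helper = sudo /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
"""

def parse(text):
    """Yield (section, key, value, line_no) for every assignment, keeping repeats."""
    section = "DEFAULT"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            continue
        m = KEY_RE.match(line)
        if m:
            yield section, m.group(1), m.group(2), no

def find_duplicates(text):
    """{(section, key): [(line_no, value), ...]} for keys assigned more than once.
    A reader that tolerates repeats (configparser with strict=False) keeps the last."""
    seen = defaultdict(list)
    for section, key, value, no in parse(text):
        seen[(section, key)].append((no, value))
    return {k: v for k, v in seen.items() if len(v) > 1}

def case_variants(text):
    """Keys in one section that differ only by letter case; check which one the daemon reads."""
    by_fold = defaultdict(set)
    for section, key, _, _ in parse(text):
        by_fold[(section, key.lower())].add(key)
    return {k: sorted(v) for k, v in by_fold.items() if len(v) > 1}
```

Run `find_duplicates(open("/etc/neutron/neutron.conf").read())` on each node and resolve every hit before comparing FWaaS behaviour between nodes.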