Port TCP 16509 is not allowed in compute firewall which breaks instance live migration
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tripleo | Fix Released | Critical | James Slagle | |
Bug Description
Live migration of instance fails with:
2016-10-20 18:29:41.470 9410 ERROR nova.virt.
Version-Release number of selected component (if applicable):
openstack-
How reproducible:
100%
Steps to Reproduce:
1. Deploy overcloud with 2 compute nodes
2. Live migrate instance from one host to another
Actual results:
Live migration fails with the following error in /var/log/
2016-10-20 18:29:41.470 9410 ERROR nova.virt.
Expected results:
Additional info:
From source to destination:
[heat-admin@
Ncat: No route to host.
On the destination host:
[heat-admin@
Ncat: Broken pipe.
iptables rules:
[heat-admin@
Chain INPUT (policy ACCEPT)
target prot opt source destination
neutron-
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* 000 accept related established rules */ state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 /* 001 accept all icmp */ state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* 002 accept all to lo interface */ state NEW
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22 /* 003 accept ssh */ state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 123 /* 105 ntp */ state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 4789 /* 118 neutron vxlan networks */ state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 161 /* 127 snmp */ state NEW
ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0 /* 136 neutron gre networks */ state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-
LOG all -- 0.0.0.0/0 0.0.0.0/0 /* 998 log all */ LOG flags 0 level 4
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* 999 drop all */ state NEW
Chain FORWARD (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- 0.0.0.0/0 0.0.0.0/0
neutron-
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
neutron-filter-top all -- 0.0.0.0/0 0.0.0.0/0
neutron-
Chain neutron-filter-top (2 references)
target prot opt source destination
neutron-
Chain neutron-
target prot opt source destination
neutron-
neutron-
Chain neutron-
target prot opt source destination
neutron-
Chain neutron-
target prot opt source destination
Chain neutron-
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN udp -- 172.16.19.11 0.0.0.0/0 udp spt:67 udp dpt:68
RETURN udp -- 172.16.19.10 0.0.0.0/0 udp spt:67 udp dpt:68
RETURN udp -- 172.16.19.12 0.0.0.0/0 udp spt:67 udp dpt:68
RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
RETURN icmp -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-
Chain neutron-
target prot opt source destination
Chain neutron-
target prot opt source destination
RETURN udp -- 0.0.0.0 255.255.255.255 udp spt:68 dpt:67 /* Allow DHCP client traffic. */
neutron-
RETURN udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67 /* Allow DHCP client traffic. */
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:67 udp dpt:68 /* Prevent DHCP Spoofing by VM. */
RETURN all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Direct packets associated with a known session to the RETURN chain. */
RETURN all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID /* Drop packets that appear related to an existing connection (e.g. TCP ACK/FIN) but do not have an entry in conntrack. */
neutron-
Chain neutron-
target prot opt source destination
RETURN all -- 172.16.19.19 0.0.0.0/0 MAC FA:16:3E:E1:CC:59 /* Allow traffic from defined IP/MAC pairs. */
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* Drop traffic without an IP/MAC allow rule. */
Chain neutron-
target prot opt source destination
neutron-
neutron-
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain neutron-
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 /* Default drop rule for unmatched traffic. */
tcp port 16509 should be opened for libvirt live migration per: docs.openstack.org/admin-guide/compute-configuring-migrations.html
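The following is an added example, not code from the bug report or from tripleo, showing how to audit a compute node's INPUT chain for the libvirt port before attempting a migration, and how the fix rule has to be placed relative to the catch-all drop. It parses `iptables -S INPUT` output (rule-spec form) rather than the `iptables -L -n` listing quoted above, because `-L -n` hides interface matches: the `002 accept all to lo interface` rule shows up there as `ACCEPT all 0.0.0.0/0 0.0.0.0/0` and would wrongly look like an accept-everything rule. The sample listing is constructed from the rule comments in the report and is not a literal capture; the interface name `eth0`, the `150 libvirt live migration` rule text and the function names are assumptions.

```python
import shlex

# Constructed sample: the INPUT rules quoted in the report, in `iptables -S` form,
# with no rule for the libvirt port (the broken state). Not a literal capture.
BROKEN_INPUT = """\
-P INPUT ACCEPT
-A INPUT -m comment --comment "000 accept related established rules" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m comment --comment "001 accept all icmp" -m state --state NEW -j ACCEPT
-A INPUT -i lo -m comment --comment "002 accept all to lo interface" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "003 accept ssh" -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 123 -m comment --comment "105 ntp" -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 4789 -m comment --comment "118 neutron vxlan networks" -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 161 -m comment --comment "127 snmp" -m state --state NEW -j ACCEPT
-A INPUT -p gre -m comment --comment "136 neutron gre networks" -m state --state NEW -j ACCEPT
-A INPUT -m comment --comment "998 log all" -j LOG --log-level 4
-A INPUT -m comment --comment "999 drop all" -m state --state NEW -j DROP
"""

# Hypothetical fix rule (comment text and ordering number are assumptions): accept
# new TCP connections to 16509, the libvirtd port the migration source connects to.
LIBVIRT_RULE = ('-A INPUT -p tcp -m multiport --dports 16509 '
                '-m comment --comment "150 libvirt live migration" '
                '-m state --state NEW -j ACCEPT')


def parse_ports(spec):
    """'22' -> [(22, 22)]; '49152:49215,16509' -> [(49152, 49215), (16509, 16509)]."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_rules(listing):
    """Parse `iptables -S <chain>` output into (policy, [rule dicts]).

    Only -p, -i, --dport(s), --state/--ctstate, --comment and -j are modelled;
    other options (LOG options, --reject-with, ...) are skipped token by token.
    """
    policy, rules = None, []
    for lineno, line in enumerate(listing.splitlines()):
        toks = shlex.split(line)
        if len(toks) >= 3 and toks[0] == "-P":
            policy = toks[2]
            continue
        if not toks or toks[0] != "-A":
            continue
        rule = {"line": lineno, "proto": None, "iface": None, "dports": None,
                "states": None, "target": None, "comment": ""}
        i = 2  # skip "-A <chain>"
        while i < len(toks):
            tok = toks[i]
            arg = toks[i + 1] if i + 1 < len(toks) else None
            if tok == "-p":
                rule["proto"] = arg
            elif tok == "-i":
                rule["iface"] = arg
            elif tok in ("--dport", "--dports"):
                rule["dports"] = parse_ports(arg)
            elif tok in ("--state", "--ctstate"):
                rule["states"] = set(arg.split(","))
            elif tok == "--comment":
                rule["comment"] = arg
            elif tok == "-j":
                rule["target"] = arg
            elif tok != "-m":      # "-m <module>" is a two-token pair like the rest
                i += 1             # unknown single token: skip only it
                continue
            i += 2
        rules.append(rule)
    return policy, rules


def verdict(listing, proto, dport, iface):
    """(target, comment) of the first rule deciding a NEW packet, else the policy.

    LOG is non-terminating and skipped; RETURN falls through to the chain policy;
    a jump to a user chain (e.g. a neutron-* chain) is returned unresolved.
    """
    policy, rules = parse_rules(listing)
    for r in rules:
        if r["proto"] not in (None, "all", proto):
            continue
        if r["iface"] not in (None, iface):
            continue
        if r["dports"] and not any(lo <= dport <= hi for lo, hi in r["dports"]):
            continue
        if r["states"] and "NEW" not in r["states"]:
            continue
        if r["target"] == "LOG":
            continue
        if r["target"] == "RETURN":
            break
        return r["target"], r["comment"]
    return policy, "chain policy"


def with_libvirt_rule(listing):
    """Insert LIBVIRT_RULE ahead of the chain's catch-all DROP/REJECT.

    Appending it (`iptables -A`) would land it after "999 drop all", where it
    never matches; insertion order is the usual mistake when patching by hand.
    """
    lines = listing.splitlines()
    _, rules = parse_rules(listing)
    catch_all = next(r for r in rules if r["target"] in ("DROP", "REJECT")
                     and r["proto"] is None and r["iface"] is None and r["dports"] is None)
    at = catch_all["line"]
    return "\n".join(lines[:at] + [LIBVIRT_RULE] + lines[at:]) + "\n"


if __name__ == "__main__":
    for label, listing in (("broken", BROKEN_INPUT), ("fixed", with_libvirt_rule(BROKEN_INPUT))):
        print(label, "tcp/16509 in on eth0 ->", verdict(listing, "tcp", 16509, "eth0"))
```

On a tripleo overcloud the INPUT rules are generated by puppet from the deployment's hieradata, so a rule inserted by hand only confirms the diagnosis and is overwritten on the next deploy; the durable change is the one in tripleo's own templates, which this example does not reproduce.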