bad IP src match for compute node on non default nodegroup
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Fuel for OpenStack | New | Undecided | Unassigned |
Bug Description
Mirantis version: 7.0
Controller and Compute nodes aren't in the same Node Group. When we tried to access VNC consoles it failed.
After checking on the compute node, we found a wrong iptables rule which doesn't accept traffic from the Controller MGT IP range (the one from the default node group); instead the rule matches on the MGT network IP range local to the compute node.
See below for the rule; 172.26.2.0/24 is the IP range of the MGT network of the non-default Node Group. Instead we need 172.24.2.0/24, which is the MGT network of the default node group where the controller sits.
```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
…
ACCEPT     tcp  --  172.26.2.0/24        anywhere             multiport ports 5900:6100 /* 120 vnc ports */
…
DROP       all  --  anywhere             anywhere             /* 999 drop all other requests */
```
Great Thanks,
Sébastien Braun.
The rule which accepts libvirt traffic on port 16509 could also be affected by this bug, see below.
```
ACCEPT     tcp  --  172.26.2.0/24        anywhere             multiport ports 16509 /* 118 libvirt */
```
But we couldn't verify if that impacted anything.
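A quick audit check for this misconfiguration, added here as an example and not part of Fuel or of the reporter's material: it parses the `iptables -L INPUT` listing shown in the report and verifies that the ACCEPT rules for the VNC and libvirt ports admit the whole controller management network (172.24.2.0/24 in the report), flagging rules that instead match a different source such as the compute node's local range. The sample listing, the controller network constant and the port-to-service map are constructed from the values in the bug report.

```python
import ipaddress
import re

# Constructed sample of `iptables -L INPUT` output on the affected compute node,
# using the rules quoted in the bug report.
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  172.26.2.0/24        anywhere             multiport ports 5900:6100 /* 120 vnc ports */
ACCEPT     tcp  --  172.26.2.0/24        anywhere             multiport ports 16509 /* 118 libvirt */
DROP       all  --  anywhere             anywhere             /* 999 drop all other requests */
"""

# Assumption from the report: controllers live on the default node group's
# management network, and must reach these port sets on every compute node.
CONTROLLER_MGMT_NET = ipaddress.ip_network("172.24.2.0/24")
REQUIRED_PORTS = {"5900:6100": "vnc", "16509": "libvirt"}

# Columns of a rule line as printed by `iptables -L` (with or without -n).
RULE_RE = re.compile(
    r"^(?P<target>\S+)\s+(?P<proto>\S+)\s+(?P<opt>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s+multiport ports (?P<ports>\S+)"
)


def source_allows(src, net):
    """True if the rule's source column covers the whole controller network."""
    if src == "anywhere":  # `-n` prints 0.0.0.0/0 instead, handled below
        return True
    try:
        rule_net = ipaddress.ip_network(src, strict=False)
    except ValueError:
        return False
    return net.version == rule_net.version and net.subnet_of(rule_net)


def check_input_chain(listing, controller_net=CONTROLLER_MGMT_NET):
    """Return a verdict per required service: 'ok', 'missing', or the
    offending source when an ACCEPT rule exists but matches the wrong range."""
    verdicts = {name: "missing" for name in REQUIRED_PORTS.values()}
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m or m["target"] != "ACCEPT":
            continue
        name = REQUIRED_PORTS.get(m["ports"])
        if name is None:
            continue
        if source_allows(m["src"], controller_net):
            verdicts[name] = "ok"
        elif verdicts[name] == "missing":
            verdicts[name] = "wrong source %s" % m["src"]
    return verdicts
```

Running `check_input_chain(SAMPLE_INPUT_CHAIN)` reports both services with "wrong source 172.26.2.0/24"; feed it the output of `iptables -L INPUT` from a real node to get the same verdicts for that host.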