bad IP src match for compute node on non default nodegroup

Bug #1524921 reported by planetrobbie
This bug affects 1 person
Affects: Fuel for OpenStack
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Mirantis version: 7.0

Controller and Compute nodes aren't on the same Node Group. When we tried to access VNC consoles it failed.

After checking on the compute node, we found a wrong iptables rule which doesn't accept traffic from the Controller MGT IP range (the one from the default node group); instead, the rule matches on the MGT network IP range local to the compute node.

See below for the rule. 172.26.2.0/24 is the IP range of the MGT network of the non-default Node Group. Instead we need 172.24.2.0/24, which is the MGT network of the default node group where the controller sits.

Chain INPUT (policy ACCEPT)
target prot opt source destination

ACCEPT tcp -- 172.26.2.0/24 anywhere multiport ports 5900:6100 /* 120 vnc ports */

DROP all -- anywhere anywhere /* 999 drop all other requests */

Great Thanks,

Sébastien Braun.

planetrobbie (sebbraun) wrote :

The rule which accepts libvirt traffic on port 16509 could also be affected by this bug; see below.

ACCEPT tcp -- 172.26.2.0/24 anywhere multiport ports 16509 /* 118 libvirt */

But we couldn't verify if that impacted anything.
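
Added example (not part of the original report or of Fuel's code): a first-match evaluation of the two quoted rule excerpts, assembled into one listing, showing which rule decides a TCP connection from each management network to the VNC and libvirt ports. The host addresses 172.24.2.10 and 172.26.2.10 are constructed samples inside the networks named in the report.

```python
import ipaddress
import re

# INPUT chain lines as quoted in the report (compute node, non-default node group).
LISTING = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 172.26.2.0/24 anywhere multiport ports 16509 /* 118 libvirt */
ACCEPT tcp -- 172.26.2.0/24 anywhere multiport ports 5900:6100 /* 120 vnc ports */
DROP all -- anywhere anywhere /* 999 drop all other requests */
"""

def parse_rules(listing):
    """Parse `iptables -L`-style rule lines into dicts; header lines are skipped."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("ACCEPT", "DROP", "REJECT"):
            continue
        ports = re.search(r"multiport ports (\S+)", line)
        note = re.search(r"/\*\s*(.*?)\s*\*/", line)
        src = "0.0.0.0/0" if f[3] == "anywhere" else f[3]
        rules.append({
            "target": f[0], "prot": f[1],
            "src": ipaddress.ip_network(src, strict=False),
            "ports": ports.group(1) if ports else None,  # None = any port
            "note": note.group(1) if note else "",
        })
    return rules

def port_matches(spec, port):
    """True if port falls in a multiport spec such as '16509' or '5900:6100'."""
    if spec is None:
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def verdict(listing, src_ip, port):
    """First-match verdict for a TCP packet from src_ip to port.
    The destination column is ignored (it is 'anywhere' in every quoted rule)."""
    ip = ipaddress.ip_address(src_ip)
    for r in parse_rules(listing):
        if r["prot"] in ("tcp", "all") and ip in r["src"] and port_matches(r["ports"], port):
            return r["target"], r["note"]
    policy = re.search(r"policy (\w+)", listing)
    return (policy.group(1) if policy else "ACCEPT"), "chain policy"
```

With the listing as quoted, verdict(LISTING, "172.24.2.10", 5900) falls through to the 999 DROP rule; replacing the source network with 172.24.2.0/24 makes the same call match rule 120.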

Michael Polenchuk (mpolenchuk) wrote :
planetrobbie (sebbraun) wrote :

duplicate, thx.
