<div dir="ltr">Hi Lars<div><br></div><div>Thanks for confirm the bug. </div><div><br></div><div><br></div><div>the other module have same bug, like cinder.heat, glance</div><div><br></div><div>172.18.1.12 controller</div>
<div>172.18.1.13 network</div><div>172.18.1.14 compute</div><div>172.18.1.15 compute</div><div>172.18.1.16 cinder storage</div><div>172.18.1.17 heat</div><div>172.18.1.18 glance</div><div><br></div><div><br></div><div><br>
</div><div><pre class="" id="comment_text_0" style="white-space:pre-wrap;word-wrap:break-word;width:50em;color:rgb(0,0,0)">The system "network" runs neutron-server and neutron-*-agent; the
system "controller" runs everything other than nova-compute glance and cinder, including
Horizon.</pre><pre class="" id="comment_text_0" style="white-space:pre-wrap;word-wrap:break-word;width:50em;color:rgb(0,0,0)"><br></pre><pre class="" id="comment_text_0" style="white-space:pre-wrap;word-wrap:break-word;width:50em;color:rgb(0,0,0)">
<div style="color:rgb(34,34,34);font-family:arial;white-space:normal">I use the newest packstack for test</div><div style="color:rgb(34,34,34);font-family:arial;white-space:normal"><br></div><div style="color:rgb(34,34,34);font-family:arial;white-space:normal">
<div># rpm -qa | grep packstack</div><div>openstack-packstack-2013.2.1-0.32.dev987.el6.noarch</div><div><br></div><div><br></div></div></pre></div><div><pre class="" id="comment_text_0" style="white-space:pre-wrap;word-wrap:break-word;width:50em;color:rgb(0,0,0)">
After packstack finishes, the iptables rules on "cinder" look like
this:</pre><pre class="" id="comment_text_0" style="word-wrap:break-word;width:50em"># iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s <a href="http://172.18.1.14/32">172.18.1.14/32</a> -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming 172.18.1.14" -j ACCEPT
-A INPUT -s <a href="http://172.18.1.15/32">172.18.1.15/32</a> -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming 172.18.1.15" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited<br></pre><pre class="" id="comment_text_0" style="word-wrap:break-word;width:50em"><font color="#000000"><span style="white-space:pre-wrap"><br></span></font></pre>
</div><div>the iptables also have no rule let horizon access the cinder.</div><div><br></div><div><br></div><div><pre class="" id="comment_text_0" style="white-space:pre-wrap;word-wrap:break-word;width:50em;color:rgb(0,0,0)">
the iptables rules on "heat" look like
this:</pre></div><div><br></div><div><div># iptables -S</div><div>-P INPUT ACCEPT</div><div>-P FORWARD ACCEPT</div><div>-P OUTPUT ACCEPT</div><div>-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT </div><div>-A INPUT -p icmp -j ACCEPT </div>
<div>-A INPUT -i lo -j ACCEPT </div><div>-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT </div><div>-A INPUT -j REJECT --reject-with icmp-host-prohibited </div><div>-A FORWARD -j REJECT --reject-with icmp-host-prohibited</div>
</div><div><br></div><div>no any iptables rules. so in horizon ,can not access heat.</div><div><br></div><div><br></div><div><pre class="" id="comment_text_0" style="white-space:pre-wrap;word-wrap:break-word;width:50em;color:rgb(0,0,0)">
the iptables rules on "glance" look like
this:</pre></div><div><div># iptables -S</div><div>-P INPUT ACCEPT</div><div>-P FORWARD ACCEPT</div><div>-P OUTPUT ACCEPT</div><div>-A INPUT -s <a href="http://172.18.1.14/32">172.18.1.14/32</a> -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming 172.18.1.14" -j ACCEPT </div>
<div>-A INPUT -s <a href="http://172.18.1.15/32">172.18.1.15/32</a> -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming 172.18.1.15" -j ACCEPT </div><div>-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT </div>
<div>-A INPUT -p icmp -j ACCEPT </div><div>-A INPUT -i lo -j ACCEPT </div><div>-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT </div><div>-A INPUT -j REJECT --reject-with icmp-host-prohibited </div><div>-A FORWARD -j REJECT --reject-with icmp-host-prohibited </div>
</div><div><br></div><div>also have same problem.the iptables also have no rule let horizon access the glance..</div><div><br></div><div> <br></div><div><pre class="" id="comment_text_0" style="white-space:pre-wrap;word-wrap:break-word;width:50em;color:rgb(0,0,0)">
<br></pre></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div>
<div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Mar 6, 2014 at 6:57 AM, Lars Kellogg-Stedman <span dir="ltr"><<a href="mailto:lars@redhat.com" target="_blank">lars@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On Wed, Mar 05, 2014 at 01:57:24PM +0800, Shake Chen wrote:<br>
> I watch your mutil node video careful , use packstack run again and find<br>
> the problem. I think is bug for RDO<br>
<br>
</div>I've submitted a fix for this upstream:<br>
<br>
<a href="https://bugs.launchpad.net/packstack/+bug/1288447" target="_blank">https://bugs.launchpad.net/packstack/+bug/1288447</a><br>
<br>
This should eventually make it into RDO. The Red Hat bug on this<br>
issue is here:<br>
<br>
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1073100" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1073100</a><br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
Lars Kellogg-Stedman <<a href="mailto:lars@redhat.com">lars@redhat.com</a>> | larsks @ irc<br>
Cloud Engineering / OpenStack | " " @ twitter<br>
<br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Shake Chen<br><br>
</div>