Hi Lars

Thanks for confirming the bug.


The other modules have the same bug, like cinder, heat, glance.

172.18.1.12 controller
172.18.1.13 network
172.18.1.14 compute
172.18.1.15 compute
172.18.1.16 cinder storage
172.18.1.17 heat
172.18.1.18 glance



The system "network" runs neutron-server and neutron-*-agent; the
system "controller" runs everything other than nova-compute, glance and cinder, including
Horizon.

I use the newest packstack for testing.

# rpm -qa | grep packstack
openstack-packstack-2013.2.1-0.32.dev987.el6.noarch


After packstack finishes, the iptables rules on "cinder" look like
this:
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 172.18.1.14/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming 172.18.1.14" -j ACCEPT 
-A INPUT -s 172.18.1.15/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming 172.18.1.15" -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

The iptables rules also have no rule to let Horizon access cinder.


The iptables rules on "heat" look like
this:

# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

There are not any iptables rules, so in Horizon, heat cannot be accessed.


The iptables rules on "glance" look like
this:
# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 172.18.1.14/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming 172.18.1.14" -j ACCEPT 
-A INPUT -s 172.18.1.15/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming 172.18.1.15" -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 

It also has the same problem. The iptables rules also have no rule to let Horizon access glance.

On Thu, Mar 6, 2014 at 6:57 AM, Lars Kellogg-Stedman <lars@redhat.com> wrote:
On Wed, Mar 05, 2014 at 01:57:24PM +0800, Shake Chen wrote:
> I watched your multi-node video carefully, ran packstack again and found
> the problem. I think it is a bug for RDO.

I've submitted a fix for this upstream:

  https://bugs.launchpad.net/packstack/+bug/1288447

This should eventually make it into RDO.  The Red Hat bug on this
issue is here:

  https://bugzilla.redhat.com/show_bug.cgi?id=1073100

--
Lars Kellogg-Stedman <lars@redhat.com> | larsks @ irc
Cloud Engineering / OpenStack          | "   "  @ twitter




--
Shake Chen
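
Added example, not part of the original thread or of packstack: a small first-match evaluator for `iptables -S` output that shows why the controller (172.18.1.12, where Horizon runs) is rejected on the "cinder" host while the compute nodes are accepted. The function names are hypothetical, the rule text is a constructed sample copied from the message above, and the parser assumes only the option forms that appear in that output (no `!` negation).

```python
import ipaddress
import shlex

# Constructed sample: the "cinder" host's INPUT rules as quoted in the message.
CINDER_RULES = """\
-P INPUT ACCEPT
-A INPUT -s 172.18.1.14/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming 172.18.1.14" -j ACCEPT
-A INPUT -s 172.18.1.15/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming 172.18.1.15" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def port_matches(spec, port):
    """True if port is in a --dport/--dports spec such as '22', '3260,8776' or '8000:8100'."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def verdict(rules_text, src, dport, chain="INPUT"):
    """Target of the first rule matching a NEW TCP connection from a remote src to dport."""
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", chain]:
            policy = tok[2]
        if tok[:2] != ["-A", chain]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))  # every option here is a flag/value pair
        if "-s" in opts and ipaddress.ip_address(src) not in ipaddress.ip_network(opts["-s"]):
            continue
        if opts.get("-p", "tcp") != "tcp" or opts.get("-i") == "lo":
            continue  # wrong protocol, or loopback-only rule
        if "NEW" not in opts.get("--state", "NEW").split(","):
            continue  # RELATED,ESTABLISHED does not cover a new connection
        spec = opts.get("--dports") or opts.get("--dport")
        if spec and not port_matches(spec, dport):
            continue
        return opts["-j"]
    return policy  # nothing matched: the chain policy applies

if __name__ == "__main__":
    for host, ip in [("controller", "172.18.1.12"), ("compute", "172.18.1.14")]:
        print(host, "-> cinder port 8776:", verdict(CINDER_RULES, ip, 8776))
```

Running the same check against each service host after a packstack run, with the controller address as `src` and the service port from that host's own rules, flags any host where the catch-all REJECT is reached before an ACCEPT.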