Openstack as a Cloud Provider? FW Requirements?


#1

I am implementing CloudForms 4.1 at a customer site. We have 4 virtual appliances (web, db, x2 workers); everything deployed fine, but when adding their Red Hat OpenStack as a Cloud provider I ran into an issue. CloudForms is deployed in a DMZ and they have opened up port 443 to the OpenStack environment.
We are able to validate and add the OS cloud; the issue is the Registry information is staying grayed out, we don't see any instances or images for example. We are connected via Ceilometer. I turned the fog log on and I can only see the following:
fog.log: [----] E, [2015-03-05T19:20:16.844842 #28320:977e94] ERROR -- : #<Excon::Error::Timeout: connect_write timeout reached>

Questions: Do we need to open up port 13000 on the firewall to get this info into CF?
Someone also mentioned port 13808.

My only other idea is they are not exposing the required API via the overcloud and only the undercloud and only via the private SDN layer.

Any help or ideas would be great.


#2

Here is the output of keystone endpoint-list:

+----------------------------------+-----------+---------------------------------------------------+-------------------------------------------------+---------------------------------------------+----------------------------------+
|                id                |   region  |                     publicurl                     |                   internalurl                   |                   adminurl                  |            service_id            |
+----------------------------------+-----------+---------------------------------------------------+-------------------------------------------------+---------------------------------------------+----------------------------------+
| 36cf9045406e4002b2ecad0c290ddcb1 | regionOne |            https://209.29.216.10:13696/           |            http://192.168.1.11:9696/            |          http://192.168.1.11:9696/          | c7e5523fd21448f6bbdfaba24a9e6c1a |
| 3dbdc05137ce4a6d9823f4367d2a2e63 | regionOne |    https://209.29.216.10:13004/v1/%(tenant_id)s   |    http://192.168.1.11:8004/v1/%(tenant_id)s    |  http://192.168.1.11:8004/v1/%(tenant_id)s  | c0b01e6078404e3bb36acaaeaa71a960 |
| 45ce083a3ec9427c81d68b0a8df9219d | regionOne |          https://209.29.216.10:13000/v2.0         |          http://192.168.1.11:5000/v2.0          |        http://192.168.0.57:35357/v2.0       | 0fb24daefe3042e0a1c0a55daa06e09f |

#3
| 4ea41d078877455f987bc014ae24e652 | regionOne | https://209.29.216.10:13808/v1/AUTH_%(tenant_id)s | http://10.127.229.50:8080/v1/AUTH_%(tenant_id)s |         http://10.127.229.50:8080/v1        | 93d8862193ac4216a8a320596bb8ce80 |
| 8dfa614be48446f4b99c8be1b3da3a6c | regionOne |            https://209.29.216.10:13292/           |            http://10.127.229.50:9292/           |          http://10.127.229.50:9292/         | 8ba180ae13974287861a5b1973461a97 |
| 9e59b729c8544a058fdaf5dbdf7b890d | regionOne |    https://209.29.216.10:13776/v2/%(tenant_id)s   |    http://192.168.1.11:8776/v2/%(tenant_id)s    |  http://192.168.1.11:8776/v2/%(tenant_id)s  |

#4

This is the section that is staying grayed out


#5

Have you checked evm.log? It usually states what's causing the timeout. I usually have a Timeout error with CF when one of my OpenStack services is not running or is not configured correctly; try validating that also.

Have you contacted RH Support? Usually they are able to help you with these things.


#6

I did not see anything special in evm.log. I also found this that I am going to try: [Solved] Excon::Errors::Timeout. I have a feeling it is trying to hit the undercloud and not the overcloud; the undercloud is on a private network.


#7

I checked this and it looks like this is already set in CloudForms 4.1:
def self.raw_connect(username, password, auth_url, service = "Compute", extra_opts = nil)
  opts = {
    :provider                => 'OpenStack',
    :openstack_auth_url      => auth_url,
    :openstack_username      => username,
    :openstack_api_key       => password,
    :openstack_endpoint_type => 'publicURL',   # uses the publicurl column of the endpoint list, not internalurl/adminurl
    # remaining options and the connect call are cut off in the post
  }
end

I am hoping this is firewall related…


#8

For anyone who runs into this issue, you need the following opened on the firewall:
TCP_13000, TCP_13696, TCP_13773, TCP_13774, TCP_13775, TCP_13357, TCP_13080, TCP_13292, TCP_13385, TCP_13800, TCP_13003, TCP_13004, TCP_13808, TCP_13776, TCP_13777

I could not find any document with these ports, we had to tail the firewall and see what was being blocked…

Kyle
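A way to derive that allow-list from the keystone endpoint-list output (posts #2 and #3) instead of tailing the firewall, added here as an example and not code from this thread or from CloudForms: it parses the publicurl column (the endpoint type raw_connect selects), lists the distinct host:port pairs, and TCP-probes each one with a short deadline so the blocked ones can be reported. The ids and the 203.0.113.10 address in the sample table are constructed placeholders, not the poster's values.

```ruby
require 'socket'

# Constructed sample in the layout of `keystone endpoint-list` (same columns as the
# thread's output; ids and the TEST-NET host are placeholders, not the poster's values).
SAMPLE_ENDPOINT_LIST = <<~TABLE
  +----+-----------+--------------------------------------------------+-------------------------------+
  | id | region    | publicurl                                        | internalurl                   |
  +----+-----------+--------------------------------------------------+-------------------------------+
  | a1 | regionOne | https://203.0.113.10:13000/v2.0                  | http://192.168.1.11:5000/v2.0 |
  | b2 | regionOne | https://203.0.113.10:13808/v1/AUTH_%(tenant_id)s | http://192.168.1.11:8080/v1   |
  | c3 | regionOne | https://203.0.113.10:13292/                      | http://192.168.1.11:9292/     |
  | d4 | regionOne | https://203.0.113.10:13000/v2.0                  | http://192.168.1.11:5000/v2.0 |
  +----+-----------+--------------------------------------------------+-------------------------------+
TABLE

# [{host:, port:}] from the publicurl column: with :openstack_endpoint_type => 'publicURL'
# these are the addresses the appliance dials; internal/admin URLs never matter from the DMZ.
def public_endpoints(table)
  rows   = table.lines.map(&:strip).select { |l| l.start_with?('|') }
  header = rows.shift.split('|').map(&:strip)
  col    = header.index('publicurl') or raise 'no publicurl column in table'
  rows.filter_map do |row|
    url = row.split('|').map(&:strip)[col]
    m = url&.match(%r{\Ahttps?://([^/:\s]+):(\d+)}) # not URI.parse: "%(tenant_id)s" is not valid URI text
    { host: m[1], port: m[2].to_i } if m
  end
end

# Distinct host:port pairs to request as egress rules on the DMZ firewall.
def firewall_allow_list(table)
  public_endpoints(table).map { |e| "#{e[:host]}:#{e[:port]}" }.uniq.sort
end

# Ruby >= 3.2 raises IO::TimeoutError on a connect timeout; older Rubies raise Errno::ETIMEDOUT.
CONNECT_ERRORS = [SystemCallError, SocketError, (IO::TimeoutError if defined?(IO::TimeoutError))].compact

# Plain TCP connect with a deadline. A hang here (rather than an immediate refusal) is what
# fog.log reports as "Excon::Error::Timeout: connect_write timeout reached".
def reachable?(host, port, timeout = 3)
  Socket.tcp(host, port, connect_timeout: timeout) { true }
rescue *CONNECT_ERRORS
  false
end

# Public endpoints the appliance cannot reach: the list to hand to the firewall team.
def blocked_endpoints(table, timeout = 3)
  public_endpoints(table).uniq.reject { |e| reachable?(e[:host], e[:port], timeout) }
end
```

Run blocked_endpoints from one of the appliances against a saved copy of the real endpoint-list output; every entry it returns is a host:port the DMZ firewall is still dropping.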