Applies to SUSE OpenStack Cloud 9

4 RHEL Pre-Installation Checks

When provisioning a Red Hat compute node, be aware of the issues below and take the appropriate steps for your environment.

4.1 Sample iptables rules must be removed on Red Hat

SUSE OpenStack Cloud 9 uses iptables to secure access to Cloud Lifecycle Manager network interfaces and on Red Hat this requires the package iptables-services to be installed. The package will provide sample iptables configurations for IPv4 and IPv6 if none existed before. This sample configuration is inappropriate for SUSE OpenStack Cloud operation and the node will not be able to run SUSE OpenStack Cloud with these rules installed.

The files installed are:

  • /etc/sysconfig/iptables

  • /etc/sysconfig/ip6tables

If these files do not exist on the candidate Red Hat systems, the rest of this note may be skipped. However, if these files do exist, there are a number of steps that you must follow before you install SUSE OpenStack Cloud 9.

The default contents of these two files are displayed here for reference:

/etc/sysconfig/iptables

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

/etc/sysconfig/ip6tables

# sample configuration for ip6tables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

By default, these rules are applied to network traffic on all interfaces on the system, whereas SUSE OpenStack Cloud components and OpenStack components manage interface-specific rules. With reference to the security policies that you may require for your environment, it is essential that you either:

  • Delete the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables so that they do not interfere with the new rules that will be applied during the SUSE OpenStack Cloud installation.

  • Or, if certain rules are necessary in your environment, ensure that any remaining rules are limited to interfaces not used by SUSE OpenStack Cloud.

Important

If these files existed on your system, and did contain content, the corresponding rules are currently installed and active on the system. Once you delete these two files (or edit them to limit the rules to interfaces not used by SUSE OpenStack Cloud), you will need to reboot the system to activate the new settings.
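
For the second option above (keeping rules only on interfaces not used by SUSE OpenStack Cloud), the rule files can be checked mechanically. The script below is an added example, not part of the SUSE documentation; the interface names eth2, bond0 and eth9 and the two rules on ports 161 and 8080 are assumptions for illustration.

```shell
# Added example, not from the SUSE documentation. Interface names are assumptions.
# flag_rules "IF1 IF2 ..." < rules-file   prints each -A rule tagged as:
#   ALL    no -i/-o match, so the rule applies to every interface
#   CLOUD  names a listed interface (a trailing + is the iptables prefix wildcard)
#   NEG    uses "! -i X": matches every interface except X, review by hand
flag_rules() {
    awk -v ifaces="$1" '
    BEGIN { n = split(ifaces, cloud, " ") }
    function covers(pat,    k, p) {
        for (k = 1; k <= n; k++) {
            if (pat == cloud[k]) return 1
            p = length(pat) - 1
            if (substr(pat, p + 1) == "+" && substr(cloud[k], 1, p) == substr(pat, 1, p)) return 1
        }
        return 0
    }
    $1 != "-A" { next }   # skip comments, *filter, chain policies, COMMIT
    {
        tag = "ALL"
        for (f = 3; f < NF; f++) {
            if ($f != "-i" && $f != "-o") continue
            if ($(f - 1) == "!") { tag = "NEG"; break }
            if (covers($(f + 1))) { tag = "CLOUD"; break }
            tag = ""      # so far bound only to interfaces outside the list
        }
        if (tag != "") print tag "\t" $0
    }'
}

# audit_file PATH "IFACES": returns 0 if PATH is absent or clean, 1 if rules were flagged
audit_file() {
    [ -e "$1" ] || { echo "$1: absent, nothing to do"; return 0; }
    flagged=$(flag_rules "$2" < "$1")
    [ -z "$flagged" ] && { echo "$1: no rule touches: $2"; return 0; }
    printf '%s: review before installing\n%s\n' "$1" "$flagged"
    return 1
}
sample_rules() {   # constructed input: three rules from the sample above plus two constructed ones
    cat <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i bond+ -p udp --dport 161 -j ACCEPT
-A INPUT ! -i eth9 -p tcp --dport 8080 -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
sample_rules | flag_rules "eth2 bond0"   # eth2 and bond0 are hypothetical cloud interfaces
```

To check a node, call audit_file on /etc/sysconfig/iptables and /etc/sysconfig/ip6tables with the interfaces from your own cloud configuration. Every rule in the default sample files except the loopback rule is tagged ALL, which is why the unmodified samples cannot stay in place.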

4.2 Cobbler Support Removed

Cobbler support for deploying Red Hat Enterprise Linux compute nodes has been removed. Use your normal Red Hat Enterprise Linux deployment tools instead of the deprecated Cobbler support.