Documentation #4260

closed

centos/suse default reject rule in iptables

Added by Sam Lang about 11 years ago. Updated about 11 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version: -
% Done: 0%
Tags: -
Backport: -
Reviewed: -
Affected Versions: -
Pull request ID: -

Description

Saw this on Ken's CentOS VMs, but it sounds like the same issue may occur on SUSE. The default OS install adds a reject rule to iptables that rejects everything but ssh. With the reject rule in place on the node running the monitor, this causes clients (connecting from a separate node) to fail with a timeout error when trying to mount. This is what the iptables rules look like before the rule is removed:

    [root@rhelvm1 qauser]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source      destination
    ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED
    ACCEPT     icmp --  anywhere    anywhere
    ACCEPT     all  --  anywhere    anywhere
    ACCEPT     tcp  --  anywhere    anywhere    state NEW tcp dpt:ssh
    REJECT     all  --  anywhere    anywhere    reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT)
    target     prot opt source      destination
    REJECT     all  --  anywhere    anywhere    reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source      destination

Removing the rule with:

    iptables -D INPUT 5

resolves the client connect issue. This should be documented somewhere for CentOS (and maybe SUSE) users, with the right changes to iptables (instead of the one above) to poke a hole specifically for Ceph traffic, and continuing to reject everything else.
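The following shell script is an added example, not part of this tracker issue or of the Ceph project's documentation, showing the "poke a hole, keep the reject" approach the last paragraph asks for. It assumes the Ceph defaults of the era: the monitor on 6789/tcp and OSD/MDS daemons in the 6800:7300/tcp range, and a cluster network CIDR (10.0.0.0/24 here) that is a placeholder. The chain listing embedded below is a constructed copy of the stock CentOS INPUT chain from the issue, as `iptables -L INPUT -n --line-numbers` would print it (with `-n`, "anywhere" shows as 0.0.0.0/0). The script only prints the iptables commands it would run, so the REJECT rule's position is found from the listing rather than hard-coded as 5.

```shell
#!/bin/sh
# Added example: open only Ceph ports ahead of the distro REJECT rule
# instead of deleting that rule (iptables -D INPUT 5).
# Assumptions: mon on 6789/tcp, OSD/MDS on 6800:7300/tcp (Ceph defaults);
# the cluster network CIDR is passed in by the caller.

# Constructed sample of `iptables -L INPUT -n --line-numbers` on a stock
# CentOS install, mirroring the chain shown in the issue.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Print the rule number of the first REJECT rule in a chain listing read
# from stdin; prints nothing if the chain has no REJECT rule.
find_reject_rule_num() {
    awk '$2 == "REJECT" { print $1; exit }'
}

# Emit the iptables commands that insert ACCEPT rules for Ceph at rule
# position $1, restricted to source network $2 (CIDR). Inserting both at
# the same position keeps both above the REJECT rule, which stays in place.
ceph_accept_rules() {
    pos="$1"
    net="$2"
    # Only NEW connections need a hole: RELATED,ESTABLISHED is already
    # accepted by rule 1 of the stock chain.
    printf 'iptables -I INPUT %s -p tcp -s %s --dport 6789 -m state --state NEW -j ACCEPT\n' "$pos" "$net"
    printf 'iptables -I INPUT %s -p tcp -s %s --dport 6800:7300 -m state --state NEW -j ACCEPT\n' "$pos" "$net"
}

# Build the plan for a given chain listing ($1) and cluster network ($2).
# With no REJECT rule present, insert at the top of the chain (position 1),
# which is also correct if the chain policy were DROP.
plan_rules() {
    listing="$1"
    net="$2"
    pos=$(printf '%s\n' "$listing" | find_reject_rule_num)
    [ -n "$pos" ] || pos=1
    ceph_accept_rules "$pos" "$net"
}

# Usage on a live node (as root) would feed the real listing instead:
#   plan_rules "$(iptables -L INPUT -n --line-numbers)" 10.0.0.0/24 | sh
plan_rules "$SAMPLE_INPUT_CHAIN" 10.0.0.0/24
```

Two caveats worth documenting alongside this: rules inserted at runtime are lost on reboot unless persisted (on CentOS 6, `service iptables save` writes them to /etc/sysconfig/iptables), and the same hole must exist on every node that runs a monitor or OSD, not only the one the client first contacts, since clients talk to OSDs directly after fetching the map from a monitor.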
