Bug 1273129

Summary: installer should open port 4789 in iptables if not using firewalld
Product: OpenShift Container Platform Reporter: Erik M Jacobs <ejacobs>
Component: InstallerAssignee: Scott Dodson <sdodson>
Status: CLOSED CURRENTRELEASE QA Contact: Ma xiaoqiang <xiama>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.1.0CC: aos-bugs, danw, jokerman, mmccomas, sdodson, xtian
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-20 15:42:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Erik M Jacobs 2015-10-19 17:12:05 UTC 
Description of problem:
If using the sdn and not using firewalld, after the installer finishes port 4789 udp is not open. This prevents the SDN from working.

Depending on an upcoming kubernetes rebase, we may be able to just turn on firewalld and make this work... but if we're trying to be "intelligent" about any kind of detection we probably need to open this port.
Comment 2 Scott Dodson 2015-10-19 17:26:03 UTC 
Fix is in https://github.com/openshift/openshift-ansible/pull/704

To test checkout openshift-ansible master then
git pull https://github.com/sdodson/openshift-ansible sdn-iptables
Comment 3 Ma xiaoqiang 2015-10-20 05:04:42 UTC 
The '4789' port is opened by openshift in 3.0.x. Is there any change in 3.1? If the openshift will not open this port in 3.1, QE will check the PR.
thx
Comment 4 Scott Dodson 2015-10-20 13:00:10 UTC 
It didn't seem to be opening it on its own with the latest puddle. I'm not certain if my test environment had it opened via other means prior to the latest puddle or what.
Comment 5 Scott Dodson 2015-10-20 13:10:30 UTC 
Was this a change in behavior from 3.0 codebases? See comment #3.
Comment 6 Dan Winship 2015-10-20 13:43:28 UTC 
In 3.1, openshift only adds the firewall-poking-through rules if firewalld is running; since the ansible setup creates a firewall but doesn't use firewalld, things get messed up.

(It might be nice if openshift always added a rule, but it can't actually do that generically [because there's no standard organization of iptables rules, so it needs to understand the existing rules in order to know where to add its new rule], and it's basically just a coincidence that the rule it was added for firewalld also worked with the ansible firewall rules.)
Comment 7 Ma xiaoqiang 2015-10-21 06:05:37 UTC 
The PR works fine. 

vim /etc/sysconfig/iptables
<--snip-->
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10255 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 10255 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 4789 -j ACCEPT
COMMIT