Bug 1273294

Summary: Can not deploy pod after installation
Product: OpenShift Container Platform Reporter: Ma xiaoqiang <xiama>
Component: InstallerAssignee: Scott Dodson <sdodson>
Status: CLOSED UPSTREAM QA Contact: Ma xiaoqiang <xiama>
Severity: high Docs Contact:
Priority: high    
Version: 3.1.0CC: akostadi, aos-bugs, jialiu, jokerman, mmccomas, xtian
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-10-27 19:15:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ma xiaoqiang 2015-10-20 07:23:56 UTC 
Description of problem:
Can not deploy pod after installation


Version-Release number of selected component (if applicable):
puddle [3.1/2015-10-17.1]

How reproducible:
100%


Steps to Reproduce:
1. Create router after installation


Actual results:
Fail to create router 

# oc logs docker-registry-1-deploy
F1019 21:50:21.768259       1 deployer.go:64] couldn't get deployment default/docker-registry-1: Get https://openshift-149.lab.eng.nay.redhat.com:8443/api/v1/namespaces/default/replicationcontrollers/docker-registry-1: dial tcp: lookup openshift-149.lab.eng.nay.redhat.com: no such host




Expected results:
Should deploy pod successfully.

Additional info:
QE check the iptable rules as following:
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
OS_FIREWALL_ALLOW  all  --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain OS_FIREWALL_ALLOW (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2379
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2380
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:4001
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:24224
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:24224
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2224
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:5404
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:5405
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10250
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10255
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:10255


workaround:
Flush iptable rules using "iptables -F", re-deploy router successfully.
Comment 1 Scott Dodson 2015-10-20 14:24:58 UTC 
Possibly a dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1273129 I don't see udp 4789 in your iptables dump above.
Comment 2 Ma xiaoqiang 2015-10-21 08:10:38 UTC 
QE install env with opening '4789' port, this issue still exist.

Not only the 4789 port, QE try to add the following rules, then can deploy the pod successfully.
-A FORWARD -o lbr0 -j DOCKER
-A FORWARD -o lbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lbr0 ! -o lbr0 -j ACCEPT
-A FORWARD -i lbr0 -o lbr0 -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -j ACCEPT
-A FORWARD -d 10.1.0.0/16 -j ACCEPT
Comment 3 Johnny Liu 2015-10-27 10:36:38 UTC 
After run "iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited" from initial iptable, pod is deployed successfully.
Comment 4 Scott Dodson 2015-10-27 19:15:06 UTC 

*** This bug has been marked as a duplicate of bug 1273659 ***