Bug 1386329

Summary: [3.4] Installer creating rules/opening up ports in iptables that are not needed.
Product: OpenShift Container Platform
Reporter: Ryan Howe <rhowe>
Component: Installer
Assignee: Russell Teague <rteague>
Status: CLOSED ERRATA
QA Contact: Gaoyun Pei <gpei>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 3.3.0
CC: aos-bugs, jokerman, mmccomas, rteague
Target Milestone: ---
Target Release: 3.4.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The common/openshift-master/config.yml playbook was configured to add several iptables rules by default.
Consequence: Several ports were opened in the firewall which were not necessary for default deployments.
Fix: The common/openshift-master/config.yml playbook was updated to remove the unneeded rules, and logic was added to open the etcd port only when etcd is an embedded install.
Result: Reduced the number of open ports for default installs.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-31 21:10:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Ryan Howe 2016-10-18 16:42:38 UTC
Description of problem:

The ansible installer is adding iptables rules to the masters that are not needed.

Version-Release number of selected component (if applicable):
3.2
3.3

How reproducible:
100%

Additional info:

Ports not needed:
- 2224/tcp
- 5404/udp
- 5405/udp
- 24224/udp
- 24224/tcp

Also the embedded etcd port, when etcd is external:
- 4001/tcp


openshift-ansible/playbooks/common/openshift-master/config.yml

  - role: os_firewall
    os_firewall_allow:
    - service: etcd embedded
      port: 4001/tcp
    - service: api server https
      port: "{{ openshift.master.api_port }}/tcp"
    - service: api controllers https
      port: "{{ openshift.master.controllers_port }}/tcp"
    - service: skydns tcp
      port: "{{ openshift.master.dns_port }}/tcp"
    - service: skydns udp
      port: "{{ openshift.master.dns_port }}/udp"
    - service: Fluentd td-agent tcp
      port: 24224/tcp
    - service: Fluentd td-agent udp
      port: 24224/udp
    - service: pcsd
      port: 2224/tcp
    - service: Corosync UDP
      port: 5404/udp
    - service: Corosync UDP
      port: 5405/udp

Upstream 
https://github.com/openshift/openshift-ansible/blob/master/playbooks/common/openshift-master/config.yml#L157-L178

Comment 3 Gaoyun Pei 2017-01-10 07:03:23 UTC
PR https://github.com/openshift/openshift-ansible/pull/2965 was not merged in latest openshift-ansible package - openshift-ansible-3.4.43-1, waiting for new build to verify this bug.

Comment 5 Gaoyun Pei 2017-01-19 06:10:10 UTC
Verify this bug with openshift-ansible-3.4.55-1.git.0.9cb1f40.el7.noarch.rpm

For a master with embedded etcd, check the ports opened on the master after installation:

Chain OS_FIREWALL_ALLOW (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8444
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8053
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:8053
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:4001
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10250
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10255
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:10255
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:4789

The following ports were not opened.
- 2224/tcp
- 5404/udp
- 5405/udp
- 24224/udp
- 24224/tcp

For a master with an external etcd host, check the ports opened on the master after installation:
Chain OS_FIREWALL_ALLOW (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8444
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8053
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:8053
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10250
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10255
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:10255
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:4789

The following ports were not opened.
- 2224/tcp
- 5404/udp
- 5405/udp
- 24224/udp
- 24224/tcp
- 4001/tcp
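
The check above can be scripted. The following is an added example, not code from this bug or from openshift-ansible: it parses an `iptables -L OS_FIREWALL_ALLOW -n` listing and compares it with the post-fix rule set recorded in the verification comment, taking an `embedded_etcd` flag to decide whether 4001/tcp is legitimate. The port sets and the constructed pre-fix sample are assumptions drawn from this bug's text.

```python
import re

# Expected OS_FIREWALL_ALLOW ports on a 3.4 master after the fix, taken from
# the verification listing in this bug (api 8443, controllers 8444, skydns
# 8053 tcp/udp, node 10250, router 80/443, read-only kubelet 10255, vxlan 4789).
BASELINE_PORTS = {
    ("tcp", 8443), ("tcp", 8444), ("tcp", 8053), ("udp", 8053),
    ("tcp", 10250), ("tcp", 80), ("tcp", 443),
    ("tcp", 10255), ("udp", 10255), ("udp", 4789),
}
# Port that is only legitimate when etcd is embedded in the master.
EMBEDDED_ETCD_PORT = ("tcp", 4001)
# Rules the bug reports as unnecessary and that the fix removes.
REMOVED_PORTS = {("tcp", 2224), ("udp", 5404), ("udp", 5405),
                 ("tcp", 24224), ("udp", 24224)}

# Matches one ACCEPT line of `iptables -L -n` output and captures proto/port.
RULE_RE = re.compile(r"^ACCEPT\s+(tcp|udp)\s.*\bdpt:(\d+)\s*$")

def parse_allow_chain(listing):
    """Return the set of (proto, port) ACCEPT rules found in the listing text."""
    ports = set()
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            ports.add((m.group(1), int(m.group(2))))
    return ports

def audit(listing, embedded_etcd):
    """Return (unexpected, missing) ports relative to the post-fix rule set."""
    expected = set(BASELINE_PORTS)
    if embedded_etcd:
        expected.add(EMBEDDED_ETCD_PORT)
    present = parse_allow_chain(listing)
    return sorted(present - expected), sorted(expected - present)

# Constructed sample (assumption): a pre-fix master with external etcd, i.e.
# the state this bug reports: baseline rules plus the unneeded ones and 4001/tcp.
PRE_FIX_EXTERNAL_ETCD = "\n".join(
    ["Chain OS_FIREWALL_ALLOW (1 references)",
     "target     prot opt source               destination"]
    + [f"ACCEPT     {p}  --  0.0.0.0/0            0.0.0.0/0            state NEW {p} dpt:{n}"
       for p, n in sorted(BASELINE_PORTS | REMOVED_PORTS | {EMBEDDED_ETCD_PORT})])

if __name__ == "__main__":
    extra, missing = audit(PRE_FIX_EXTERNAL_ETCD, embedded_etcd=False)
    print("unexpected:", extra)   # the five removed rules plus 4001/tcp
    print("missing:", missing)    # []
```

On a live host, feed it the output of `iptables -L OS_FIREWALL_ALLOW -n` instead of the constructed sample.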

Comment 7 errata-xmlrpc 2017-01-31 21:10:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0224