Bug 1400675

Summary: [RFE] Allow existing configured ports on nodes to remain untouched and open after an OCP node installation or upgrade
Product: OpenShift Container Platform
Reporter: Javier Ramirez <javier.ramirez>
Component: Installer
Assignee: Scott Dodson <sdodson>
Status: CLOSED ERRATA
QA Contact: Gan Huang <ghuang>
Severity: low
Docs Contact:
Priority: medium
Version: 3.4.0
CC: aos-bugs, bleanhar, erich, gpei, jokerman, mmccomas, sdodson, sjr
Target Milestone: ---
Target Release: 3.7.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-06 13:05:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Javier Ramirez 2016-12-01 19:13:49 UTC
We need to open a few ports on the nodes, for instance to add the Prometheus node exporter (port 9100/tcp), and we want the installer not to mess with those opened ports.
We've seen an os_firewall_allow variable in the playbooks that is used for that purpose, but even though we have set that variable in the inventory, the port is not open.
We have also tried adding them into common/openshift-node/config.yml, but they are not set on the node.

Comment 1 Scott Dodson 2016-12-01 19:58:42 UTC
You'll need to call the os_firewall role with the os_firewall_allow variables setting the ports you need. Marking UpcomingRelease as this is an RFE.

Comment 2 Sergi Jimenez Romero 2017-02-13 07:33:11 UTC
Hi Scott,

Following up where Javier left off, do you mean we should call os_firewall, setting os_firewall_allow from our inventory file?


Thanks!
Sergi.

Comment 3 Scott Dodson 2017-02-13 13:18:32 UTC
Sergi,

I meant from a playbook or role of your own for now.

In the future, we'd have to add the feature to support additional rules via a variable.

Comment 4 Sergi Jimenez Romero 2017-02-13 13:21:27 UTC
Hi Scott,

Thanks for the clarification.

Is there already a planned target release for supporting it via a variable?

Best,
Sergi.

Comment 5 Scott Dodson 2017-02-13 13:23:45 UTC
Not yet, but I can say it won't be included in 3.5.0.

Comment 9 Scott Dodson 2017-10-30 19:29:45 UTC
https://github.com/openshift/openshift-ansible/pull/5345 (merged)
https://github.com/openshift/openshift-ansible/pull/5936 (under review)

# Firewall configuration
# You can open additional firewall ports by defining them as a list of service
# names and ports/port ranges for either masters or nodes.
#openshift_master_open_ports=[{"service":"svc1","port":"11/tcp"}]
#openshift_node_open_ports=[{"service":"svc2","port":"12-13/tcp"},{"service":"svc3","port":"14/udp"}]

Comment 11 Brenton Leanhardt 2017-12-04 13:36:30 UTC
Both of the PRs mentioned in Comment #9 made it into the 3.7 GA release.  Moving it to QE for verification.

Comment 13 Sergi Jimenez Romero 2017-12-05 20:46:00 UTC
Thanks everyone! It'd be good to have this mentioned on an errata and/or documented.

Comment 14 Gan Huang 2017-12-06 12:44:28 UTC
Verified in openshift-ansible-3.7.11-1.git.0.42a781f.el7.noarch.rpm

In both the firewalld and iptables installations, the ports are opened correctly on nodes and masters.

1. Trigger a fresh installation with iptables enabled (default)

# cat inventory_host
openshift_master_open_ports=[{'service':'master-svc1','port':'250/tcp'},{'service':'master-svc2','port':'251-253/tcp'}]
openshift_node_open_ports=[{'service':'node-svc2','port':'10015-10019/tcp'},{'service':'node-svc3','port':'10014/udp'}]


2. Check the iptables on the masters and nodes

master
# iptables -L OS_FIREWALL_ALLOW
Chain OS_FIREWALL_ALLOW (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:2379
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:2380
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:nfs
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pcsync-https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pcsync-http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:senomix02
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:senomix02
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:250
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpts:251:253
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:10250
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:4789
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpts:10015:10019
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:10014

node
# iptables -L OS_FIREWALL_ALLOW
Chain OS_FIREWALL_ALLOW (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:10250
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:4789
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpts:10015:10019
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:10014

3. Trigger an installation with firewalld enabled; the ports are also opened correctly.
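
A small verification helper in the spirit of the check in Comment 14 (an added example, not code from openshift-ansible or from anyone on this bug): it expands an openshift_*_open_ports inventory value into port ranges and confirms each one is covered by an ACCEPT rule in an `iptables -L OS_FIREWALL_ALLOW` dump. The inventory string and the iptables output are constructed samples modelled on Comment 14; a real run would feed it the actual command output.

```python
import ast
import re

# Constructed samples modelled on Comment 14: an inventory value and an
# `iptables -L OS_FIREWALL_ALLOW` dump taken from a node.
INVENTORY_NODE_OPEN_PORTS = (
    "[{'service':'node-svc2','port':'10015-10019/tcp'},"
    "{'service':'node-svc3','port':'10014/udp'}]"
)
IPTABLES_NODE_DUMP = """\
Chain OS_FIREWALL_ALLOW (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:10250
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:4789
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpts:10015:10019
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:10014
"""

def parse_open_ports(value):
    """Expand the inventory list into (proto, first, last) tuples; accepts the
    JSON-style and the Python-style quoting both seen on this bug."""
    ranges = []
    for entry in ast.literal_eval(value):
        port, proto = entry["port"].split("/")
        first, _, last = port.partition("-")
        ranges.append((proto, int(first), int(last or first)))
    return ranges

# Only numeric dpt:/dpts: rules are matched; run `iptables -nL` to avoid
# service names such as dpt:http in the output.
RULE_RE = re.compile(r"^ACCEPT\s+(tcp|udp)\s.*\bdpts?:(\d+)(?::(\d+))?\s*$")

def parse_iptables_chain(dump):
    """Collect (proto, first, last) from each ACCEPT rule in the chain dump."""
    rules = []
    for m in filter(None, map(RULE_RE.match, dump.splitlines())):
        last = m.group(3)
        rules.append((m.group(1), int(m.group(2)), int(last or m.group(2))))
    return rules

def missing_ports(expected, rules):
    """Return expected ranges not fully covered by one ACCEPT rule of the same proto."""
    return [e for e in expected
            if not any(r[0] == e[0] and r[1] <= e[1] and e[2] <= r[2] for r in rules)]

if __name__ == "__main__":
    gaps = missing_ports(parse_open_ports(INVENTORY_NODE_OPEN_PORTS),
                         parse_iptables_chain(IPTABLES_NODE_DUMP))
    print("all inventory ports open" if not gaps else f"NOT open: {gaps}")
```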

Comment 15 Scott Dodson 2017-12-06 13:05:21 UTC
This enhancement is included in 3.7 GA.