Bug 1507051

Summary: Port 10010 is closed
Product: OpenShift Container Platform Reporter: Chris Evich <cevich>
Component: InstallerAssignee: Steve Milner <smilner>
Status: CLOSED CURRENTRELEASE QA Contact: Gan Huang <ghuang>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.7.0CC: aos-bugs, cevich, jokerman, mmccomas, xtian
Target Milestone: ---Keywords: Unconfirmed
Target Release: 3.7.0   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
undefined
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-13 15:53:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Chris Evich 2017-10-27 14:13:05 UTC 
Description of problem:
The installer needs to: iptables -A OS_FIREWALL_ALLOW -p tcp --destination-port 10010 -m state --state NEW -j ACCEPT

Version-Release number of the following components:
Upstream openshift-ansible, PR 5880
commit id 1d77b02f72795cef4ce5a9552fcdb97d16b7e3b9

Ansible 2.3.1 running on a F25 control-host.

How reproducible:
always

Steps to Reproduce:
1. cd openstack-ansible
2. Run ansible-playbook -i inventory_file ./playbooks/byo/config.yml
3. No errors reported
4. On master node: oc run myhttpd --image=httpd:2.4
5. On master node: oc describe pod myhttpd
6. On master node: oc run -it --rm myshell --image=busybox -- sh

Actual results:
No installer error generated.  Problem found after step 6:

[root@rhel7-4-a ~]# oc run -it --rm myshell --image=busybox -- sh
If you don't see a command prompt, try pressing enter.
                                                      Error attaching, falling back to logs: error dialing backend: dial tcp 172.16.12.11:10010: getsockopt: no route to host

Expected results:

The oc run command should work
Comment 1 Scott Dodson 2017-10-27 14:46:59 UTC 
What is myshell? what's 172.16.12.11, is that a service ip? why does my myshell expect it to exist and be ready for connections?
Comment 2 Scott Dodson 2017-10-27 16:28:15 UTC 
apparently this is some cri-o thing?

https://github.com/openshift/openshift-ansible/pull/5911
Comment 3 Steve Milner 2017-10-27 16:30:20 UTC 
(In reply to Scott Dodson from comment #1)
> What is myshell? what's 172.16.12.11, is that a service ip? why does my
> myshell expect it to exist and be ready for connections?

myshell is the name of a container they are using to test with. It's verifying they are able to actually communicate with a container.
Comment 4 Steve Milner 2017-10-27 16:48:55 UTC 
The merged PR listed by Scott does indeed fix the problem. It's been tested by a few of us. Apologies for the misunderstanding.
Comment 5 Xiaoli Tian 2017-10-30 06:13:07 UTC 
The fix is merged since openshift-ansible-3.7.0-0.184.0 , please test it on latest version.
Comment 6 Gan Huang 2017-10-31 08:41:26 UTC 
Verified in openshift-ansible-3.7.0-0.184.0.git.0.d407445.el7.noarch.rpm

Tested with iptables and firewalld enabled. Both working well as the steps of the bug description.
Comment 7 Gan Huang 2017-10-31 08:43:28 UTC 
iptables rule added correctly for nodes:

# iptables-save |grep 10010
-A IN_public_allow -p tcp -m tcp --dport 10010 -m conntrack --ctstate NEW -j ACCEPT