Bug 1614863

Summary: ShiftStack installer doesn't open cri-o stream port (10010/tcp)
Product: OpenShift Container Platform
Reporter: Eduardo Minguez <eminguez>
Component: Installer
Assignee: egarcia
Status: CLOSED ERRATA
QA Contact: weiwei jiang <wjiang>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 3.10.0
CC: aos-bugs, egarcia, gpei, jokerman, mmccomas, wjiang
Target Milestone: ---
Target Release: 4.1.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
  Cause: 10010/tcp port not open
  Consequence: Unable to do `oc exec` or `oc rsh`
  Fix: Create firewall rule for 10010/tcp in openstack
  Result: `oc rsh` and `oc exec` reachable
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-04 10:40:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Eduardo Minguez 2018-08-10 14:50:23 UTC
Description of problem:

According to https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_openstack/defaults/main.yml cri-o port 10010/tcp is not opened (https://bugzilla.redhat.com/show_bug.cgi?id=1583640) and it should be required to be able to do 'oc exec' and 'oc rsh'

Version-Release number of the following components:
o-a master branch

How reproducible:
I've not tested it but creating a cri-o based ocp on osp using the shiftstack installer

Steps to Reproduce:
1.
2.
3.

Actual results:
It looks like port 10010/tcp is not opened when using cri-o

Expected results:
Port 10010/tcp opened only if using cri-o

Additional info:

https://bugzilla.redhat.com/show_bug.cgi?id=1583640

Comment 1 Tomas Sedovic 2018-09-18 16:04:37 UTC
Assigning to Emilio who I believe is looking at the open ports situation in the provisioning playbooks now.

Emilio, if that's not correct, let me know.

Comment 3 egarcia 2018-11-27 14:46:00 UTC
Reassigning to Eduardo, since he fixed the bug

Comment 6 weiwei jiang 2018-12-21 09:28:26 UTC
Checked with openshift-ansible-4.0.0-0.101.0, and this has been fixed.

TASK [container_runtime : Add iptables allow rules] ****************************
task path: /home/openshift/openshift-ansible/roles/container_runtime/tasks/crio_firewall.yml:4
Friday 21 December 2018  17:23:39 +0800 (0:00:01.444)       0:11:39.057 *******
changed: [master-1.wjiang-ocp.example.com] => (item={'service': 'crio', 'port': '10010/tcp'}) => {"changed": true, "item": {"port": "10010/tcp", "service": "crio"}, "output": ["", "Successfully created chain OS_FIREWALL_ALLOW", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n"]}                                                                               
changed: [infra-node-0.wjiang-ocp.example.com] => (item={'service': 'crio', 'port': '10010/tcp'}) => {"changed": true, "item": {"port": "10010/tcp", "service": "crio"}, "output": ["", "Successfully created chain OS_FIREWALL_ALLOW", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n"]}                                                                           
changed: [master-0.wjiang-ocp.example.com] => (item={'service': 'crio', 'port': '10010/tcp'}) => {"changed": true, "item": {"port": "10010/tcp", "service": "crio"}, "output": ["", "Successfully created chain OS_FIREWALL_ALLOW", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n"]}                                                                               
changed: [app-node-0.wjiang-ocp.example.com] => (item={'service': 'crio', 'port': '10010/tcp'}) => {"changed": true, "item": {"port": "10010/tcp", "service": "crio"}, "output": ["", "Successfully created chain OS_FIREWALL_ALLOW", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n"]} 

[openshift@master-0 ~]$ cat /etc/crio/crio.conf|grep -i 10010
stream_port = "10010"

[openshift@master-0 ~]$ sudo ss -4lnt
State   Recv-Q  Send-Q  Local Address:Port    Peer Address:Port
LISTEN  0       5       192.168.99.8:53       *:*
LISTEN  0       128     *:22                  *:*
LISTEN  0       100     127.0.0.1:25          *:*
LISTEN  0       128     192.168.99.8:10010    *:*
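
The three checks from comment 6 (configured stream_port, listening socket, firewall allow rule) combined into one repeatable check. This is an added example, not part of the bug report or of openshift-ansible. The function names are hypothetical, the iptables rule text is constructed sample data, and the ss lines are condensed from the output above.

```shell
#!/bin/sh
# Added example; the iptables rules below are constructed sample data.

# Print the stream_port value from crio.conf text on stdin.
crio_stream_port() {
    sed -n 's/^[[:space:]]*stream_port[[:space:]]*=[[:space:]]*"\{0,1\}\([0-9][0-9]*\)"\{0,1\}.*$/\1/p' | head -n 1
}

# Succeed if `ss -4lnt` output on stdin shows a non-loopback listener on port $1.
port_listening() {
    awk -v p="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p && $4 !~ /^127\./) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Succeed if `iptables -S` output on stdin accepts tcp/$1 in OS_FIREWALL_ALLOW.
port_allowed() {
    grep -Eq -- "^-A OS_FIREWALL_ALLOW .*-p tcp .*--dport $1( .*)? -j ACCEPT"
}

# $1 = crio.conf text, $2 = ss output, $3 = iptables -S output; prints a verdict.
stream_port_status() {
    port=$(printf '%s\n' "$1" | crio_stream_port)
    [ -n "$port" ] || { echo "no-stream-port"; return; }
    printf '%s\n' "$2" | port_listening "$port" || { echo "$port not-listening"; return; }
    printf '%s\n' "$3" | port_allowed "$port" || { echo "$port listening-but-blocked"; return; }
    echo "$port ok"
}

CRIO_CONF='# constructed crio.conf excerpt
stream_port = "10010"'
SS_OUT='LISTEN 0 128 *:22 *:*
LISTEN 0 128 192.168.99.8:10010 *:*'
IPT_BEFORE='-N OS_FIREWALL_ALLOW
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
IPT_AFTER="$IPT_BEFORE
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10010 -j ACCEPT"

stream_port_status "$CRIO_CONF" "$SS_OUT" "$IPT_BEFORE"   # rule missing
stream_port_status "$CRIO_CONF" "$SS_OUT" "$IPT_AFTER"    # rule present
```

On a live node, pass it the contents of /etc/crio/crio.conf and the output of `ss -4lnt` and `iptables -S`. The OpenStack-side rule named in the Doc Text is outside what this host-side check sees.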

Comment 9 errata-xmlrpc 2019-06-04 10:40:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758