Bug 1783764
Summary: | Unexpected iptables rules are saved to "/etc/sysconfig/iptables" on first master host | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Daein Park <dapark> |
Component: | Installer | Assignee: | Russell Teague <rteague> |
Installer sub component: | openshift-ansible | QA Contact: | Gaoyun Pei <gpei> |
Status: | CLOSED ERRATA | Docs Contact: | |
Severity: | medium | | |
Priority: | unspecified | CC: | tkimura |
Version: | 3.11.0 | | |
Target Milestone: | --- | | |
Target Release: | 3.11.z | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | Cause: cockpit role is run after openshift_sdn role. Consequence: During the cockpit role, iptables rules are saved which also save unnecessary sdn rules. Fix: Moved the cockpit role to run before openshift_sdn role. Result: Unnecessary sdn rules are not saved during installation. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2020-02-19 19:53:43 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Daein Park
2019-12-15 12:30:27 UTC
Hi team,

I've created PR here: https://github.com/openshift/openshift-ansible/pull/12052

Could reproduce this issue with openshift-ansible-3.11.161-1.git.0.376158f.el7.noarch.rpm

When osm_use_cockpit=true, set up a 3-master HA cluster, check /etc/sysconfig/iptables on the first master:

```
[root@ip-172-18-1-124 ~]# grep SDN /etc/sysconfig/iptables
-A OPENSHIFT-FIREWALL-ALLOW -i tun0 -m comment --comment "from SDN to localhost" -j ACCEPT
-A OPENSHIFT-FIREWALL-FORWARD -d 10.2.0.0/16 -m comment --comment "forward traffic from SDN" -j ACCEPT
-A OPENSHIFT-FIREWALL-FORWARD -s 10.2.0.0/16 -m comment --comment "forward traffic to SDN" -j ACCEPT
```

The other two masters don't have SDN related rules in /etc/sysconfig/iptables.

With openshift-ansible-3.11.165-1.git.0.2b41335.el7.noarch.rpm used, all three masters don't have such SDN rules saved in /etc/sysconfig/iptables.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0402