Description of problem:

Outgoing redis connection to port 6379 is blocked, but 6380 works.

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. telnet redis.aududu.com 6379
2.
3.

Actual results:

[aududu2-minear.rhcloud.com 547df432ecb8d4f3f8000115]\> telnet redis.aududu.com 6379
Trying 108.0.244.247...
telnet: connect to address 108.0.244.247: Permission denied

Expected results:

[aududu2-minear.rhcloud.com 547df432ecb8d4f3f8000115]\> telnet redis.aududu.com 6380
Trying 108.0.244.247...
Connected to redis.aududu.com.
Escape character is '^]'.

Additional info:

I had to change the incoming firewall settings to port forward 6380 to 6379 on the backside of the firewall. Both ports 6379 and 6380 are forwarded to 6379 on the backside.
I can confirm, it's the same for me here.
(In reply to Daniel Minear from comment #0)
> Description of problem:
>
> Outgoing redis connection to port 6379 is blocked, but 6380 works.
>
> Version-Release number of selected component (if applicable):
>
> How reproducible:
> 100%
>
> Steps to Reproduce:
>
> 1. telnet redis.aududu.com 6379
> 2.
> 3.
>
> Actual results:
>
> [aududu2-minear.rhcloud.com 547df432ecb8d4f3f8000115]\> telnet redis.aududu.com 6379
> Trying 108.0.244.247...
> telnet: connect to address 108.0.244.247: Permission denied
>
> Expected results:
>
> [aududu2-minear.rhcloud.com 547df432ecb8d4f3f8000115]\> telnet redis.aududu.com 6380
> Trying 108.0.244.247...
> Connected to redis.aududu.com.
> Escape character is '^]'.
>
> Additional info:
>
> I had to change the incoming firewall settings to port forward 6380 to 6379
> on the backside of the firewall. Both ports 6379 and 6380 are forwarded to
> 6379 on the backside.

How did you change the firewall settings and where? I am using Azure Redis and can't access the service from OpenShift :(
Our policy in general is to only allow outgoing connections to certain well-known services. In order for us to allow a connection, the port must first be defined in selinux policy, and then we must allow it in OpenShift-specific policy. Port 6379 was added for redis in RHEL 6.7 SELinux policy, so we should be able to allow these connections after our next update. (What I'm not sure about is why connections to 6380 are currently working, as I did not see a reference to that in the policy.)
That's great news! When can we expect the redis port to work?
Commit pushed to master at https://github.com/openshift/li

https://github.com/openshift/li/commit/48b14e91d132df899c094216bac0491cde994d9d
Bug 1241283 - Allow outbound TCP connections to redis
Reproduced this case on early build (devenv_5604)

[app1-zy.dev.rhcloud.com 55d5426724910fe2bb000007]\> telnet redis.aududu.com 6379
Trying 108.0.244.247...
telnet: connect to address 108.0.244.247: Permission denied

Verified it works on the latest build (devenv_5606)

[phpapp-zy.dev.rhcloud.com 55d53cb2ccc0d32acc000006]\> telnet redis.aududu.com 6379
Trying 108.0.244.247...
Connected to redis.aududu.com.
Escape character is '^]'.

And check the selinux policy on devenv-5606:

[root@ip-10-158-152-93 ~]# semanage port -l|grep redis
redis_port_t                   tcp      6379

The fix works.
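The `semanage port -l | grep redis` check in the comment above, generalized into a lookup by port number, as an added example that is not part of the original thread or of OpenShift's code. It covers only the first of the two conditions named earlier (the port being defined in SELinux policy). The names `port_types`, `check_port` and `SAMPLE`, and the type `example_range_port_t`, are constructed for illustration.

```shell
#!/bin/sh
# Look up which SELinux port type(s) cover a given protocol/port in
# `semanage port -l` style output read from stdin.
# On a node: semanage port -l | port_types tcp 6379
port_types() {
    # $1 = protocol (tcp or udp), $2 = port number
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            # Fields 3..NF hold the port list: "80, 81, 443" or "7000-7010"
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)            # drop the list separator
                n = split(entry, r, "-")        # single port or lo-hi range
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# Constructed sample output; only the redis_port_t line is taken from the
# thread, and example_range_port_t is a made-up type to exercise ranges.
SAMPLE='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
example_range_port_t           tcp      7000-7010
redis_port_t                   tcp      6379'

check_port() {
    # Prints "labeled:<type>" or "unlabeled" for protocol $1, port $2
    t=$(printf '%s\n' "$SAMPLE" | port_types "$1" "$2" | head -n 1)
    if [ -n "$t" ]; then echo "labeled:$t"; else echo "unlabeled"; fi
}

check_port tcp 6379
check_port tcp 6380
```

A port that shows up as labeled has only met the SELinux-policy condition; per the comment above, the OpenShift-specific policy must allow it as well.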
Will it be required to recreate my OpenShift website or will the fix also be applied to existing running machines?
(In reply to Qiong Wu from comment #8)
> will it be required to recreate my openshift website or will the fix also be
> applied to existing running machines?

The fix will be applied to the nodes, which means all the apps on the node will have this ability after the fix, no matter whether the app was created before or later.
Is this already deployed? I still get

[xxxx.rhcloud.com xxxxxxxxxxxxxxxxxxxxx]\> telnet my.redis-server.com 6379
Trying x.x.x.x ...
telnet: connect to address x.x.x.x: Permission denied

Thanks!
Qiong
This was deployed yesterday. It would not have worked two days ago. I am not sure why it was closed on Tuesday.
works, thanks!