Bug 1273129 - installer should open port 4789 in iptables if not using firewalld
Status: CLOSED CURRENTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Assigned To: Scott Dodson
QA Contact: Ma xiaoqiang
Reported: 2015-10-19 13:12 EDT by Erik M Jacobs
Modified: 2016-07-03 20:45 EDT
Last Closed: 2015-11-20 10:42:17 EST
Doc Type: Bug Fix
Type: Bug

Attachments: None

Description Erik M Jacobs 2015-10-19 13:12:05 EDT
Description of problem:
If using the SDN and not using firewalld, after the installer finishes, port 4789/udp is not open. This prevents the SDN from working.

Depending on an upcoming kubernetes rebase, we may be able to just turn on firewalld and make this work... but if we're trying to be "intelligent" about any kind of detection we probably need to open this port.
Comment 2 Scott Dodson 2015-10-19 13:26:03 EDT
Fix is in https://github.com/openshift/openshift-ansible/pull/704

To test, check out openshift-ansible master, then:
git pull https://github.com/sdodson/openshift-ansible sdn-iptables
Comment 3 Ma xiaoqiang 2015-10-20 01:04:42 EDT
The '4789' port is opened by openshift in 3.0.x. Is there any change in 3.1? If openshift will not open this port in 3.1, QE will check the PR.
thx
Comment 4 Scott Dodson 2015-10-20 09:00:10 EDT
It didn't seem to be opening it on its own with the latest puddle. I'm not certain if my test environment had it opened via other means prior to the latest puddle or what.
Comment 5 Scott Dodson 2015-10-20 09:10:30 EDT
Was this a change in behavior from 3.0 codebases? See comment #3.
Comment 6 Dan Winship 2015-10-20 09:43:28 EDT
In 3.1, openshift only adds the firewall-poking-through rules if firewalld is running; since the ansible setup creates a firewall but doesn't use firewalld, things get messed up.

(It might be nice if openshift always added a rule, but it can't actually do that generically [because there's no standard organization of iptables rules, so it needs to understand the existing rules in order to know where to add its new rule], and it's basically just a coincidence that the rule it was added for firewalld also worked with the ansible firewall rules.)
Comment 7 Ma xiaoqiang 2015-10-21 02:05:37 EDT
The PR works fine. 

vim /etc/sysconfig/iptables
<--snip-->
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10255 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 10255 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 4789 -j ACCEPT
COMMIT
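
The verification QE did by hand above can be scripted. The following is an added example, not code from the bug or from the openshift-ansible PR: it parses iptables-save style rules (the format of /etc/sysconfig/iptables or `iptables-save` output) and reports whether the OS_FIREWALL_ALLOW chain accepts UDP 4789, the port the SDN's VXLAN overlay needs. The sample rule sets are constructed from the snippet in comment 7; the "before" variant just lacks the 4789 rule.

```python
import shlex

# Constructed sample: the tail of /etc/sysconfig/iptables as shown in
# comment 7, i.e. after the PR has added the UDP 4789 rule.
FIXED_RULES = """\
*filter
:OS_FIREWALL_ALLOW - [0:0]
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10255 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 10255 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 4789 -j ACCEPT
COMMIT
"""

# Constructed "before the fix" variant: identical, minus the 4789 rule.
BROKEN_RULES = "\n".join(ln for ln in FIXED_RULES.splitlines() if "4789" not in ln) + "\n"


def parse_rules(text):
    """Yield (chain, proto, dport, target) for every -A rule in iptables-save text."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # table header, chain declaration, COMMIT, comments
        tokens = shlex.split(line)
        chain, proto, dport, target = tokens[1], None, None, None
        for i in range(len(tokens) - 1):
            if tokens[i] in ("-p", "--protocol"):
                proto = tokens[i + 1]
            elif tokens[i] in ("--dport", "--destination-port"):
                dport = tokens[i + 1]
            elif tokens[i] in ("-j", "--jump"):
                target = tokens[i + 1]
        yield chain, proto, dport, target


def port_allowed(text, proto, port, chain="OS_FIREWALL_ALLOW"):
    """True if `chain` contains an ACCEPT rule for exactly this proto and dport."""
    return any(c == chain and p == proto and d == str(port) and t == "ACCEPT"
               for c, p, d, t in parse_rules(text))


def sdn_vxlan_open(text):
    """The manual check from comment 7: does OS_FIREWALL_ALLOW accept UDP 4789?"""
    return port_allowed(text, "udp", 4789)


if __name__ == "__main__":
    for label, rules in (("before fix", BROKEN_RULES), ("after fix", FIXED_RULES)):
        print(f"{label}: UDP 4789 open = {sdn_vxlan_open(rules)}")
```

On a real node, feed it the output of `iptables-save` rather than the saved file, since a rule present in /etc/sysconfig/iptables but not yet loaded does nothing for the running SDN.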
