Bug 1273129 - installer should open port 4789 in iptables if not using firewalld
Summary: installer should open port 4789 in iptables if not using firewalld
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer   
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Scott Dodson
QA Contact: Ma xiaoqiang
Depends On:
Reported: 2015-10-19 17:12 UTC by Erik M Jacobs
Modified: 2016-07-04 00:45 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-11-20 15:42:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Erik M Jacobs 2015-10-19 17:12:05 UTC
Description of problem:
If using the sdn and not using firewalld, after the installer finishes port 4789 udp is not open. This prevents the SDN from working.

Depending on an upcoming kubernetes rebase, we may be able to just turn on firewalld and make this work... but if we're trying to be "intelligent" about any kind of detection we probably need to open this port.

Comment 2 Scott Dodson 2015-10-19 17:26:03 UTC
Fix is in https://github.com/openshift/openshift-ansible/pull/704

To test checkout openshift-ansible master then
git pull https://github.com/sdodson/openshift-ansible sdn-iptables

Comment 3 Ma xiaoqiang 2015-10-20 05:04:42 UTC
The '4789' port is opened by openshift in 3.0.x. Is there any change in 3.1? If openshift will not open this port in 3.1, QE will check the PR.

Comment 4 Scott Dodson 2015-10-20 13:00:10 UTC
It didn't seem to be opening it on its own with the latest puddle. I'm not certain if my test environment had it opened via other means prior to the latest puddle or what.

Comment 5 Scott Dodson 2015-10-20 13:10:30 UTC
Was this a change in behavior from 3.0 codebases? See comment #3.

Comment 6 Dan Winship 2015-10-20 13:43:28 UTC
In 3.1, openshift only adds the firewall-poking-through rules if firewalld is running; since the ansible setup creates a firewall but doesn't use firewalld, things get messed up.

(It might be nice if openshift always added a rule, but it can't actually do that generically [because there's no standard organization of iptables rules, so it needs to understand the existing rules in order to know where to add its new rule], and it's basically just a coincidence that the rule it was added for firewalld also worked with the ansible firewall rules.)

Comment 7 Ma xiaoqiang 2015-10-21 06:05:37 UTC
The PR works fine.

vim /etc/sysconfig/iptables
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10255 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 10255 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 4789 -j ACCEPT
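
As an added example (not code from PR 704 or from openshift-ansible), the POSIX shell script below automates the check comment 7 did by hand: when firewalld is not active, it verifies that an iptables rules file in the /etc/sysconfig/iptables format carries a UDP 4789 ACCEPT in the OS_FIREWALL_ALLOW chain. The chain name and port come from the comments above; the two sample rules files are constructed inline, and the use of systemctl to detect firewalld is an assumption.

```shell
#!/bin/sh
# Added verification helper, not part of openshift-ansible or PR 704.
# Mirrors the manual check in comment 7: confirm that the iptables rules
# file accepts VXLAN (UDP 4789) in the OS_FIREWALL_ALLOW chain that
# openshift-ansible manages, which only matters when firewalld is not used.

# has_vxlan_rule FILE: exit 0 if FILE has an OS_FIREWALL_ALLOW rule that
# ACCEPTs udp --dport 4789, else exit 1. A tcp-only 4789 rule does not count,
# because VXLAN is UDP and the SDN traffic would still be blocked.
has_vxlan_rule() {
    grep -Eq '^-A[[:space:]]+OS_FIREWALL_ALLOW[[:space:]].*-p[[:space:]]+udp[[:space:]].*--dport[[:space:]]+4789([[:space:]]|$).*-j[[:space:]]+ACCEPT' "$1"
}

# firewall_backend: prints "firewalld" when the firewalld service is active
# (openshift then adds its own rule there, per comment 6) and "iptables"
# otherwise. Assumes systemd's systemctl; anything else is treated as iptables.
firewall_backend() {
    if command -v systemctl >/dev/null 2>&1 &&
       systemctl is-active --quiet firewalld 2>/dev/null; then
        echo firewalld
    else
        echo iptables
    fi
}

# Constructed sample rules files so the script runs without touching a node.
good=$(mktemp); bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
cat >"$good" <<'EOF'
*filter
:OS_FIREWALL_ALLOW - [0:0]
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 10255 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 4789 -j ACCEPT
COMMIT
EOF
cat >"$bad" <<'EOF'
*filter
:OS_FIREWALL_ALLOW - [0:0]
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 4789 -j ACCEPT
COMMIT
EOF

# On a real node replace the sample path with /etc/sysconfig/iptables.
if [ "$(firewall_backend)" = iptables ]; then
    for f in "$good" "$bad"; do
        if has_vxlan_rule "$f"; then echo "$f: udp/4789 ACCEPT present"
        else echo "$f: udp/4789 ACCEPT missing, SDN traffic will be dropped"; fi
    done
fi
```

The second sample deliberately opens 4789 over TCP only, which the check rejects, since a rule that looks right at a glance still leaves VXLAN blocked.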
