Red Hat Bugzilla – Bug 1273129
installer should open port 4789 in iptables if not using firewalld
Last modified: 2016-07-03 20:45:42 EDT
Description of problem:
If using the sdn and not using firewalld, after the installer finishes port 4789 udp is not open. This prevents the SDN from working.
Depending on an upcoming kubernetes rebase, we may be able to just turn on firewalld and make this work... but if we're trying to be "intelligent" about any kind of detection we probably need to open this port.
Fix is in https://github.com/openshift/openshift-ansible/pull/704
To test checkout openshift-ansible master then
git pull https://github.com/sdodson/openshift-ansible sdn-iptables
The '4789' port is opened by openshift in 3.0.x. Is there any change in 3.1? If the openshift will not open this port in 3.1, QE will check the PR.
It didn't seem to be opening it on its own with the latest puddle. I'm not certain if my test environment had it opened via other means prior to the latest puddle or what.
Was this a change in behavior from 3.0 codebases? See comment #3.
In 3.1, openshift only adds the firewall-poking-through rules if firewalld is running; since the ansible setup creates a firewall but doesn't use firewalld, things get messed up.
(It might be nice if openshift always added a rule, but it can't actually do that generically [because there's no standard organization of iptables rules, so it needs to understand the existing rules in order to know where to add its new rule], and it's basically just a coincidence that the rule it was added for firewalld also worked with the ansible firewall rules.)
The PR works fine.
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10255 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 10255 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 4789 -j ACCEPT