Description of problem:
Can not deploy pod after installation

Version-Release number of selected component (if applicable):
puddle [3.1/2015-10-17.1]

How reproducible:
100%

Steps to Reproduce:
1. Create router after installation

Actual results:
Fail to create router

# oc logs docker-registry-1-deploy
F1019 21:50:21.768259       1 deployer.go:64] couldn't get deployment default/docker-registry-1: Get https://openshift-149.lab.eng.nay.redhat.com:8443/api/v1/namespaces/default/replicationcontrollers/docker-registry-1: dial tcp: lookup openshift-149.lab.eng.nay.redhat.com: no such host

Expected results:
Should deploy pod successfully.

Additional info:
QE checked the iptables rules as follows:

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
OS_FIREWALL_ALLOW  all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination

Chain OS_FIREWALL_ALLOW (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2379
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2380
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:4001
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:24224
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:24224
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2224
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:5404
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:5405
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10250
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10255
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:10255

Workaround: flush the iptables rules using "iptables -F", then re-deploy the router successfully.
Possibly a dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1273129

I don't see udp 4789 in your iptables dump above.
QE installed the env with port '4789' open; this issue still exists.

It is not only the 4789 port: QE tried adding the following rules, and then the pod could be deployed successfully.

-A FORWARD -o lbr0 -j DOCKER
-A FORWARD -o lbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lbr0 ! -o lbr0 -j ACCEPT
-A FORWARD -i lbr0 -o lbr0 -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -j ACCEPT
-A FORWARD -d 10.1.0.0/16 -j ACCEPT
After running "iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited" against the initial iptables rules, the pod is deployed successfully.
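Both fixes reported in the comments above (inserting the lbr0 / 10.1.0.0/16 ACCEPT rules, or deleting the FORWARD REJECT) come down to rule order in the FORWARD chain: a blanket REJECT that sits ahead of the pod-bridge ACCEPT rules shadows them, while the first workaround, `iptables -F`, also throws away the INPUT restrictions and OS_FIREWALL_ALLOW chain the installer set up. The script below is an added example written for this page, not part of the bug report or of OpenShift. It reads `iptables -S FORWARD` style output on stdin and reports whether the pod-bridge ACCEPT rules (lbr0 and 10.1.0.0/16, taken from the comment above and assumed here to be what matters) are missing, shadowed by an earlier REJECT, or fine. The three sample chains are constructed for illustration; the docker0 interface names in the first one are a guess, since the `-L -n` dump in the report does not show interfaces.

```shell
#!/bin/sh
# Added example (not from the bug report): check the FORWARD chain for a
# blanket REJECT that precedes the pod-bridge ACCEPT rules.
# Usage on a real host:  iptables -S FORWARD | forward_chain_check
# Exit status: 0 = pod ACCEPT rules present and not shadowed,
#              1 = a REJECT precedes the first pod ACCEPT rule,
#              2 = no pod ACCEPT rule in the chain at all.
forward_chain_check() {
    awk '
        /^-A FORWARD/ {
            n++
            # remember the position of the first REJECT ...
            if (index($0, "-j REJECT") && reject == 0) reject = n
            # ... and of the first ACCEPT that touches the pod bridge
            # (lbr0 and 10.1.0.0/16 assumed from the QE comment)
            if (index($0, "-j ACCEPT") && (index($0, "lbr0") || index($0, "10.1.0.0/16")) && accept == 0) accept = n
        }
        END {
            if (accept == 0) {
                print "no ACCEPT rule for the pod bridge in FORWARD"
                exit 2
            }
            if (reject != 0 && reject < accept) {
                print "REJECT at position " reject " shadows pod ACCEPT at position " accept
                exit 1
            }
            print "pod ACCEPT at position " accept " is not shadowed by a REJECT"
            exit 0
        }'
}

# Constructed sample: FORWARD chain as in the report, with no lbr0 rules
# (docker0 is a guess; the -L -n dump does not show interfaces).
sample_missing() {
    printf '%s\n' \
        '-P FORWARD ACCEPT' \
        '-A FORWARD -o docker0 -j DOCKER' \
        '-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A FORWARD -i docker0 ! -o docker0 -j ACCEPT' \
        '-A FORWARD -i docker0 -o docker0 -j ACCEPT' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
}

# Constructed sample: the rules QE added, but appended behind the REJECT
# (which is what `iptables -A` does when the REJECT is already present).
sample_shadowed() {
    printf '%s\n' \
        '-P FORWARD ACCEPT' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' \
        '-A FORWARD -o lbr0 -j DOCKER' \
        '-A FORWARD -o lbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A FORWARD -i lbr0 ! -o lbr0 -j ACCEPT' \
        '-A FORWARD -i lbr0 -o lbr0 -j ACCEPT' \
        '-A FORWARD -s 10.1.0.0/16 -j ACCEPT' \
        '-A FORWARD -d 10.1.0.0/16 -j ACCEPT'
}

# Constructed sample: the same rules placed ahead of the REJECT.
sample_fixed() {
    printf '%s\n' \
        '-P FORWARD ACCEPT' \
        '-A FORWARD -o lbr0 -j DOCKER' \
        '-A FORWARD -o lbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A FORWARD -i lbr0 ! -o lbr0 -j ACCEPT' \
        '-A FORWARD -i lbr0 -o lbr0 -j ACCEPT' \
        '-A FORWARD -s 10.1.0.0/16 -j ACCEPT' \
        '-A FORWARD -d 10.1.0.0/16 -j ACCEPT' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
}

# Run the check over each constructed chain when executed directly.
for s in sample_missing sample_shadowed sample_fixed; do
    printf '%s: ' "$s"
    "$s" | forward_chain_check || true
done
```

Because the check only looks at rule positions, it also works on a host where the REJECT was removed entirely (no REJECT means nothing can shadow) and distinguishes that case from a chain that still lacks the bridge rules, which is the difference between the two QE comments above.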
*** This bug has been marked as a duplicate of bug 1273659 ***