Bug 1273294 - Can not deploy pod after installation
Status: CLOSED UPSTREAM
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.1.0
Hardware: Unspecified Unspecified
Priority: high
Severity: high
Assigned To: Scott Dodson
QA Contact: Ma xiaoqiang
Reported: 2015-10-20 03:23 EDT by Ma xiaoqiang
Modified: 2016-07-03 20:45 EDT
Doc Type: Bug Fix
Last Closed: 2015-10-27 15:15:06 EDT
Type: Bug
Description Ma xiaoqiang 2015-10-20 03:23:56 EDT
Description of problem:
Can not deploy pod after installation


Version-Release number of selected component (if applicable):
puddle [3.1/2015-10-17.1]

How reproducible:
100%


Steps to Reproduce:
1. Create router after installation


Actual results:
Failed to create router

# oc logs docker-registry-1-deploy
F1019 21:50:21.768259       1 deployer.go:64] couldn't get deployment default/docker-registry-1: Get https://openshift-149.lab.eng.nay.redhat.com:8443/api/v1/namespaces/default/replicationcontrollers/docker-registry-1: dial tcp: lookup openshift-149.lab.eng.nay.redhat.com: no such host




Expected results:
Should deploy pod successfully.

Additional info:
QE checked the iptables rules, as follows:
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
OS_FIREWALL_ALLOW  all  --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain OS_FIREWALL_ALLOW (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2379
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2380
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:4001
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:24224
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:24224
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2224
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:5404
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:5405
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10250
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10255
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:10255


Workaround:
Flush the iptables rules using "iptables -F"; the router then re-deploys successfully.
Comment 1 Scott Dodson 2015-10-20 10:24:58 EDT
Possibly a dupe of https://bugzilla.redhat.com/show_bug.cgi?id=1273129
I don't see udp 4789 in your iptables dump above.
Comment 2 Ma xiaoqiang 2015-10-21 04:10:38 EDT
QE installed the env with the '4789' port open; this issue still exists.

It is not only the 4789 port: QE tried adding the following rules, and then the pod could be deployed successfully.
-A FORWARD -o lbr0 -j DOCKER
-A FORWARD -o lbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lbr0 ! -o lbr0 -j ACCEPT
-A FORWARD -i lbr0 -o lbr0 -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -j ACCEPT
-A FORWARD -d 10.1.0.0/16 -j ACCEPT
Comment 3 Johnny Liu 2015-10-27 06:36:38 EDT
After running "iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited" against the initial iptables rules, the pod is deployed successfully.
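Added example (not part of the bug report or of the installer's code): a first-match walk over the FORWARD chain, showing that the rules from comment 2 only take effect when they sit ahead of the catch-all REJECT, and what deleting that REJECT or flushing the chain lets through. It assumes the unqualified FORWARD lines in the dump are Docker's docker0-scoped rules (`iptables -L -n` without `-v` hides interfaces); the packets and the eth0/eth1 names are constructed.

```python
import ipaddress
import shlex

def parse_rule(line):
    """Parse a small subset of an iptables-save '-A FORWARD ...' line."""
    tok, matches, target, neg, i = shlex.split(line), [], None, False, 2
    while i < len(tok):
        if tok[i] == "!":
            neg = True
        elif tok[i] in ("-i", "-o", "-s", "-d", "--ctstate"):
            matches.append((tok[i], tok[i + 1], neg))
            neg, i = False, i + 1
        elif tok[i] == "-j":
            target, i = tok[i + 1], i + 1
        i += 1  # anything else (-m conntrack, --reject-with ...) is skipped
    return matches, target

def rule_matches(matches, pkt):
    for opt, val, neg in matches:
        if opt in ("-s", "-d"):
            hit = ipaddress.ip_address(pkt[opt]) in ipaddress.ip_network(val)
        elif opt == "--ctstate":
            hit = pkt[opt] in val.split(",")
        else:  # -i / -o: interface name
            hit = pkt[opt] == val
        if hit == neg:  # a "!" match must miss, a plain match must hit
            return False
    return True

def verdict(rules, pkt, policy="ACCEPT"):
    """First match wins; a jump to DOCKER (empty in the dump) falls through."""
    for line in rules:
        matches, target = parse_rule(line)
        if target in ("ACCEPT", "REJECT", "DROP") and rule_matches(matches, pkt):
            return target
    return policy

LBR0 = """-A FORWARD -o lbr0 -j DOCKER
-A FORWARD -o lbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lbr0 ! -o lbr0 -j ACCEPT
-A FORWARD -i lbr0 -o lbr0 -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -j ACCEPT
-A FORWARD -d 10.1.0.0/16 -j ACCEPT""".splitlines()  # rules from comment 2
# Assumption: the dump's unscoped-looking FORWARD lines are Docker's docker0 rules.
DOCKER0 = [r.replace("lbr0", "docker0") for r in LBR0[:4]]
REJECT = ["-A FORWARD -j REJECT --reject-with icmp-host-prohibited"]
# Constructed packets: pod leaving via lbr0, and unrelated forwarded traffic.
POD = {"-i": "lbr0", "-o": "eth0", "-s": "10.1.0.5", "-d": "192.0.2.10", "--ctstate": "NEW"}
OTHER = {"-i": "eth0", "-o": "eth1", "-s": "198.51.100.7", "-d": "203.0.113.9", "--ctstate": "NEW"}
```

`verdict(DOCKER0 + LBR0 + REJECT, POD)` is ACCEPT while `verdict(DOCKER0 + LBR0 + REJECT, OTHER)` stays REJECT; with the REJECT deleted (`verdict(DOCKER0, OTHER)`) or the chain flushed (`verdict([], OTHER)`), unrelated forwarded traffic falls through to the chain's ACCEPT policy.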
Comment 4 Scott Dodson 2015-10-27 15:15:06 EDT

*** This bug has been marked as a duplicate of bug 1273659 ***
