Bug 1277037 - Need to support running api/console on ports other than 8443 ( https://github.com/openshift/openshift-ansible/issues/661 )
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.0.0
Severity: low
Assigned To: Jason DeTiberus
QA Contact: Johnny Liu
Reported: 2015-11-02 01:55 EST by Miheer Salunke
Modified: 2016-05-12 12:37 EDT
Doc Type: Bug Fix
Last Closed: 2016-05-12 12:37:02 EDT
Type: Bug
Description Miheer Salunke 2015-11-02 01:55:37 EST
Description of problem:
To backport fix https://github.com/openshift/openshift-ansible/issues/661
in master

Version-Release number of selected component (if applicable):
There is a problem modifying the default OpenShift master URL/port via Ansible.

How reproducible:
Always

Comment 2 Jason DeTiberus 2015-11-02 21:32:57 EST
Miheer, this should already work for port 443 as long as the master is a node (which is a requirement for SDN deployments anyway).

Since we already open port 443 for nodes, the master will have the correct firewall port already open and there should be no issues with overriding the console and/or api port.

Setting openshift_master_api_port will override the api port.
Setting openshift_master_console_port will override the console port.

If you want to override either of these to a port other than 8443 or 443, then you would need to pre-configure the firewall(s) to allow the chosen port(s) prior to running openshift-ansible.
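
The rule from Comment 2, as an added example that is not part of the bug thread or of openshift-ansible: a pre-flight check that reads an INI inventory and lists the master ports that still need a firewall rule before the installer runs. The function names, the sample inventory and treating 8443 as the value of an unset variable are assumptions.

```python
import re

# Per Comment 2: only ports other than 8443 and 443 need a firewall rule
# in place before openshift-ansible runs.
ALREADY_OPEN = {8443, 443}
DEFAULT_PORT = 8443  # assumption: value used when a variable is not set
PORT_VARS = ("openshift_master_api_port", "openshift_master_console_port")
ASSIGN = re.compile(r"\b(openshift_master_(?:api|console)_port)\s*=\s*(\S+)")

# Constructed sample inventory (hostname is a placeholder).
SAMPLE = """\
[OSEv3:vars]
# openshift_master_api_port=9443
openshift_master_api_port=8444   # custom API port
openshift_master_console_port=443

[masters]
master1.example.com
"""


def port_overrides(inventory_text):
    """Return {variable: sorted list of ports} found in an INI inventory.

    Picks up assignments in [group:vars] sections and inline on host lines.
    A variable that is never set falls back to DEFAULT_PORT.
    """
    found = {name: set() for name in PORT_VARS}
    for lineno, raw in enumerate(inventory_text.splitlines(), 1):
        line = re.split(r"\s[#;]|^[#;]", raw, maxsplit=1)[0]  # drop comments
        for name, value in ASSIGN.findall(line):
            value = value.strip("'\"")
            if not value.isdigit() or not 1 <= int(value) <= 65535:
                raise ValueError(f"line {lineno}: {name}={value!r} is not a TCP port")
            found[name].add(int(value))
    return {name: sorted(ports or {DEFAULT_PORT}) for name, ports in found.items()}


def ports_needing_firewall_rule(inventory_text):
    """Ports that must be allowed by hand before running the installer."""
    ports = set().union(*port_overrides(inventory_text).values())
    return sorted(ports - ALREADY_OPEN)


if __name__ == "__main__":
    print(ports_needing_firewall_rule(SAMPLE))
```

An empty result means the inventory only uses 8443 and/or 443, the case Comment 2 says needs no extra firewall work when the master is also a node.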
Comment 3 Jason DeTiberus 2015-11-02 21:35:52 EST
As far as addressing the larger issue of opening the correct firewall ports when the default ports are overridden, I would prefer that we hold off until we are ready to switch to using firewalld, which should be sometime after 3.1.

The main reason for this is that once we can drop support for iptables, then we can leverage the ansible firewalld module instead of using the custom module that we are currently using, which is the heart of the reason that the ports are as inflexible as they are currently.
Comment 5 Jason DeTiberus 2015-11-16 10:28:53 EST
I've created a Trello card to track the switch to firewalld by default: https://trello.com/c/8Ygh9RWB/101-install-switch-from-using-iptables-to-using-firewalld-for-default-installs
Comment 9 Jason DeTiberus 2016-04-04 17:28:35 EDT
This has been addressed for a bit now, but we never updated it. Moving to ON_QA.
Comment 10 Johnny Liu 2016-04-05 06:07:18 EDT
Verified this bug with openshift-ansible-3.0.71-1.git.0.63af28f.el7.noarch, and PASS.

Adding the following lines to the Ansible inventory file:
openshift_master_console_port=443
openshift_master_api_port=443

In my env, the master is also a node, so there is no need to do any configuration for iptables. Ran the installation against the following scenarios; all the clusters installed successfully and are working well.
1 master + 1 node
1 lb + 2 master + 3 etcd + 1 node

Also checked the web console using port 443; the web console is showing well.
Comment 12 errata-xmlrpc 2016-05-12 12:37:02 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1065
