Description of problem:
Cannot start router pod after installation. Ansible should open port '1936' in iptables

Version-Release number of selected component (if applicable):
https://github.com/openshift/openshift-ansible master
ose-3.1.1.0

How reproducible:
Always

Steps to Reproduce:
1. create router after installation
2. check the router
# oc describe pod router-1-71w5n

Actual results:
24s 4s 3 {kubelet openshift-159.lab.eng.nay.redhat.com} spec.containers{router} Unhealthy Readiness probe failed: Get http://10.66.79.159:1936/healthz: dial tcp 10.66.79.159:1936: no route to host

The port '1936' is not opened on the system.

Expected results:
create router successfully

Additional info:
workaround: run the following command on nodes
iptables -I OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 1936 -j ACCEPT
This issue causes the router pod to fail to start.
*** Bug 1231127 has been marked as a duplicate of this bug. ***
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/9e34a1c25f1a763af2ec6a65f00e1fa89087d981
Bug 1293578 - The Router liveness/readiness probes should always use localhost

Pods using the hostNetwork are getting the default IP from the Node entry for their liveness probe today. In some common misconfigurations this IP will not actually be physically present on the Node running the probes and therefore will not be short-circuited to use the loopback interface. In those cases the probes will fail unless an admin manually opens up port that allows the probe to pass.

We're putting checks in place for this situation but this seems like a reasonable safeguard to make sure a critical piece of infrastructure comes up the first time.
This has been fixed via a two-pronged approach.

1) The new build should use localhost for the router liveness probes
2) openshift-ansible will now ensure openshift_hostname resolves to an IP address on the host in question. If it detects that the hostname does not, it will pause the install waiting for the user to abort or continue. This behavior can be overridden by setting `openshift_override_hostname_check=true`, which will simply pause the install for 10 seconds then move on.

See https://github.com/openshift/openshift-ansible/pull/1291 for details on the installer change
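The kind of hostname check described in the comment above can be run by hand on a node before installing. This is an added example, not code from openshift-ansible or from anyone in this bug; the function names, the injectable `resolver` parameter and the rule that every resolved address must be local are assumptions of the example.

```python
import errno
import socket


def resolve_ipv4(hostname):
    """Return the sorted IPv4 addresses the system resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def is_local_address(ip):
    """True if ip is configured on an interface of this host.

    bind() to an address the host does not own fails with EADDRNOTAVAIL,
    so no interface enumeration is needed. Caveat: with the Linux sysctl
    net.ipv4.ip_nonlocal_bind=1 the bind succeeds for any address.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        try:
            sock.bind((ip, 0))  # port 0: kernel picks a free port
        except OSError as exc:
            if exc.errno == errno.EADDRNOTAVAIL:
                return False
            raise
    return True


def check_hostname(hostname, resolver=resolve_ipv4):
    """Classify every address hostname resolves to as local or not.

    Returns (ok, details). ok is True only when the name resolves and all
    resolved addresses are present on this host (this example's choice:
    a single non-local address is enough to break a probe that picks it).
    """
    try:
        addresses = resolver(hostname)
    except socket.gaierror:
        return False, {}
    details = {ip: is_local_address(ip) for ip in addresses}
    return bool(details) and all(details.values()), details


if __name__ == "__main__":
    # Run on the node itself; pass the value used for openshift_hostname
    # instead of socket.gethostname() if the two differ.
    ok, details = check_hostname(socket.gethostname())
    print("hostname resolves only to local addresses:", ok, details)
```

A `False` result for the node's own hostname is the misconfiguration the commit message describes, where the probe address is not present on the node and traffic to port 1936 hits the firewall instead of loopback.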
Checked on the Errata puddle. The router pod is running; moving this issue to VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:0293
Scott, Brenton,

Because of this fix, it is not necessary to open port 1936 now, since the livenessProbe probe accesses localhost, right? As this bz's subject is "Ansible should open port '1936' in iptables", the fix looks like opening port 1936 by the ansible installer, but I believe it is wrong.

If my understanding is correct, I hope either of you will update the doc https://docs.openshift.com/enterprise/3.1/release_notes/ose_3_1_release_notes.html#ose-3-1-1-known-issues
Kenjiro, That's correct, we no longer need to open port 1936. I'm not sure if we should retroactively change the title of this bug or not. PR to clarify those docs