Bug 1324153 - Ansible uninstall playbook does not remove iptables

Status: CLOSED WONTFIX
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: low
Target Milestone: ---
Assignee: Scott Dodson
QA Contact: Xiaoli Tian
Reported: 2016-04-05 16:36 UTC by Ryan Howe
Modified: 2019-10-10 11:47 UTC
Doc Type: Bug Fix
Last Closed: 2017-08-24 20:50:02 UTC

Description Ryan Howe 2016-04-05 16:36:26 UTC
Description of problem: Ansible uninstall playbook does not remove iptables


Version-Release number of selected component (if applicable):
3.1.1.6

How reproducible:
100%

Steps to Reproduce:
1. Run
# ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/adhoc/uninstall.yml

Actual results:
Removes all openshift components but leaves all iptables rules generated by openshift.


Expected results:
Removes all OSE items including iptables rules

Additional info:

After running the install my iptables still look like this: 

[root@test ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Fri Dec  4 17:43:33 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1257:222276]
:DOCKER - [0:0]
:OS_FIREWALL_ALLOW - [0:0]
-A INPUT -p tcp -m tcp --dport 24230 -j ACCEPT
-A INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 vxlan incoming" -j ACCEPT
-A INPUT -i tun0 -m comment --comment "traffic from docker for internet" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j OS_FIREWALL_ALLOW
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -o lbr0 -j DOCKER
-A FORWARD -o lbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lbr0 ! -o lbr0 -j ACCEPT
-A FORWARD -i lbr0 -o lbr0 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -j ACCEPT
-A FORWARD -d 10.1.0.0/16 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 4001 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 24224 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 24224 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 2224 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 5404 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 5405 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10250 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10255 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state --state NEW -m udp --dport 10255 -j ACCEPT
COMMIT
# Completed on Fri Dec  4 17:43:33 2015
# Generated by iptables-save v1.4.21 on Fri Dec  4 17:43:33 2015
*nat
:PREROUTING ACCEPT [64:11154]
:INPUT ACCEPT [25:1737]
:OUTPUT ACCEPT [2162909:135222650]
:POSTROUTING ACCEPT [2162909:135222650]
:DOCKER - [0:0]
:KUBE-NODEPORT-CONTAINER - [0:0]
:KUBE-NODEPORT-HOST - [0:0]
:KUBE-PORTALS-CONTAINER - [0:0]
:KUBE-PORTALS-HOST - [0:0]
-A PREROUTING -m comment --comment "handle ClusterIPs; NOTE: this must be before the NodePort rules" -j KUBE-PORTALS-CONTAINER
-A PREROUTING -m addrtype --dst-type LOCAL -m comment --comment "handle service NodePorts; NOTE: this must be the last rule in the chain" -j KUBE-NODEPORT-CONTAINER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m comment --comment "handle ClusterIPs; NOTE: this must be before the NodePort rules" -j KUBE-PORTALS-HOST
-A OUTPUT -m addrtype --dst-type LOCAL -m comment --comment "handle service NodePorts; NOTE: this must be the last rule in the chain" -j KUBE-NODEPORT-HOST
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 10.1.0.0/24 ! -o lbr0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -j MASQUERADE
-A KUBE-PORTALS-CONTAINER -d 172.30.0.1/32 -p tcp -m comment --comment "default/kubernetes:" -m tcp --dport 443 -j REDIRECT --to-ports 58482
-A KUBE-PORTALS-CONTAINER -d 172.30.121.42/32 -p tcp -m comment --comment "default/docker-registry:5000-tcp" -m tcp --dport 5000 -j REDIRECT --to-ports 38996
-A KUBE-PORTALS-HOST -d 172.30.0.1/32 -p tcp -m comment --comment "default/kubernetes:" -m tcp --dport 443 -j DNAT --to-destination 172.17.28.16:58482
-A KUBE-PORTALS-HOST -d 172.30.121.42/32 -p tcp -m comment --comment "default/docker-registry:5000-tcp" -m tcp --dport 5000 -j DNAT --to-destination 172.17.28.16:38996
COMMIT
# Completed on Fri Dec  4 17:43:33 2015
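
A quick way to check a host for this residue after the uninstall playbook has run, as an added example that is not part of openshift-ansible or of this report: a small Python audit that parses iptables-save output and lists the chains and rules whose chain names, jump targets, interfaces or comments match what the dump above shows OpenShift creating. The markers it looks for (the OS_FIREWALL_ALLOW chain, KUBE-* chains, the lbr0 and tun0 interfaces, the "vxlan" comment) are taken from the report's dump; the embedded sample input is a constructed excerpt of that dump. The DOCKER chain is deliberately not flagged, since Docker may have been installed independently of OpenShift.

```python
"""Audit an iptables-save dump for chains and rules left behind by OpenShift.

Added example for this bug report, not code from openshift-ansible.  The
markers below come from the dump in the report; SAMPLE_DUMP is a constructed
excerpt of that dump.
"""
import shlex
import sys

# Chain names, chain prefixes, interfaces and rule comments that the report's
# dump shows OpenShift / Kubernetes creating (the base OS rules use none of them).
OPENSHIFT_CHAINS = {"OS_FIREWALL_ALLOW"}
OPENSHIFT_CHAIN_PREFIXES = ("KUBE-",)
OPENSHIFT_IFACES = {"lbr0", "tun0"}
OPENSHIFT_COMMENT_MARKERS = ("vxlan",)

# Constructed excerpt of the report's dump (sshd rule kept as a non-OpenShift control).
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.21 on Fri Dec  4 17:43:33 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1257:222276]
:DOCKER - [0:0]
:OS_FIREWALL_ALLOW - [0:0]
-A INPUT -p udp -m multiport --dports 4789 -m comment --comment "001 vxlan incoming" -j ACCEPT
-A INPUT -i tun0 -m comment --comment "traffic from docker for internet" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j OS_FIREWALL_ALLOW
-A FORWARD -o lbr0 -j DOCKER
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [64:11154]
:KUBE-PORTALS-CONTAINER - [0:0]
-A PREROUTING -m comment --comment "handle ClusterIPs; NOTE: this must be before the NodePort rules" -j KUBE-PORTALS-CONTAINER
-A POSTROUTING -s 10.1.0.0/24 ! -o lbr0 -j MASQUERADE
COMMIT
"""


def parse_iptables_save(text):
    """Parse iptables-save output into {table: {"chains": {name: policy}, "rules": [...]}}."""
    tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or comment
        if line.startswith("*"):
            table = line[1:]               # start of a table, e.g. "*filter"
            tables[table] = {"chains": {}, "rules": []}
        elif line == "COMMIT":
            table = None                   # end of the current table
        elif table is None:
            raise ValueError("line outside of a table: %r" % line)
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]   # ":NAME POLICY [pkts:bytes]"
            tables[table]["chains"][name] = policy
        elif line.startswith("-A "):
            tables[table]["rules"].append(line)
    return tables


def is_openshift_chain(name):
    return name in OPENSHIFT_CHAINS or name.startswith(OPENSHIFT_CHAIN_PREFIXES)


def is_openshift_rule(rule):
    """True if the rule lives in, jumps to, or matches on something OpenShift created."""
    toks = shlex.split(rule)               # shlex keeps quoted --comment values intact
    if is_openshift_chain(toks[1]):        # toks[1] is the chain named after "-A"
        return True
    for flag, value in zip(toks, toks[1:]):
        if flag == "-j" and is_openshift_chain(value):
            return True
        if flag in ("-i", "-o") and value in OPENSHIFT_IFACES:   # also covers "! -o lbr0"
            return True
        if flag == "--comment" and any(m in value for m in OPENSHIFT_COMMENT_MARKERS):
            return True
    return False


def find_residue(tables):
    """Return the OpenShift chains and rules still present, tagged with their table."""
    residue = {"chains": [], "rules": []}
    for table, content in tables.items():
        for name in content["chains"]:
            if is_openshift_chain(name):
                residue["chains"].append((table, name))
        for rule in content["rules"]:
            if is_openshift_rule(rule):
                residue["rules"].append((table, rule))
    return residue


def main(argv):
    # Read a dump from a file argument (e.g. /etc/sysconfig/iptables), else use the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_DUMP
    residue = find_residue(parse_iptables_save(text))
    for table, name in residue["chains"]:
        print("chain %s/%s still present" % (table, name))
    for table, rule in residue["rules"]:
        print("rule  %s: %s" % (table, rule))
    return 1 if residue["chains"] or residue["rules"] else 0   # non-zero = residue found


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with a saved dump (`iptables-save > dump.txt; python audit.py dump.txt`) or against the live file the report shows; a non-zero exit means OpenShift chains or rules are still in place, which is exactly the condition the report describes after the uninstall playbook.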

Comment 2 Brenton Leanhardt 2016-04-06 13:51:49 UTC
The use case for the uninstall playbook is simply to ensure that re-running an installation (even with different inventory settings) works. It's not meant to uninstall everything and then run the host as a completely different service.

If an installation fails because of a previous install and the uninstall playbook didn't clean something up we'd treat that as a fairly serious bug.  Otherwise we'll investigate cleaning up the iptables rules as a lower severity problem.

