Description of problem:
ansible should open the '8053' port for skydns on master

Version-Release number of selected component (if applicable):
https://github.com/sdodson/openshift-ansible -b cluster-dns

How reproducible:
always

Steps to Reproduce:
1. install env with dnsmasq on node
2. check the dns on node
# nslookup kubernetes.default.svc.cluster.local

Actual results:
# nslookup kubernetes.default.svc.cluster.local
;; connection timed out; trying next origin
Server:         192.168.0.233
Address:        192.168.0.233#53

** server can't find kubernetes.default.svc.cluster.local: NXDOMAIN

Expected results:
Should open the '8053' port for skydns on master

Additional info:
I've updated my branch to open port 8053 when we're enabling dnsmasq. (versions 3.2/1.2 or greater right now) Please pull the latest to verify
Don't we want to connect over the service IP rather than the master host IP?
We use the kube service IP; however, the endpoints defined by that service are node IP addresses, so we still require the firewall be opened, right? If and when skydns moves to a pod I guess this would change.

[root@ose3-master ~]# oc describe svc kubernetes
Name:                   kubernetes
Namespace:              default
Labels:                 component=apiserver,provider=kubernetes
Selector:               <none>
Type:                   ClusterIP
IP:                     172.30.0.1
Port:                   https   443/TCP
Endpoints:              192.168.122.134:8443
Port:                   dns     53/UDP
Endpoints:              192.168.122.134:8053
Port:                   dns-tcp 53/TCP
Endpoints:              192.168.122.134:8053
Session Affinity:       None
No events.

192.168.122.134 being the master's IP.
1. The conditions for the dns port in the iptables didn't take effect. Install ose-3.2 by default, check the iptables on the master:

<--snip-->
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8053
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:8053
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
<--snip-->

The '53' and '8053' ports are opened.

2. The conditions in the iptables and dnsmasq are different. The condition is 'openshift.common.version_gte_3_1_or_1_1' for dnsmasq, but the condition is 'openshift.common.version_gte_3_2_or_1_2' in the iptables.
Fixed in the PR, waiting for that to merge before I flip this to MODIFIED
https://github.com/openshift/openshift-ansible/pull/1588 merged
Check on openshift-ansible-3.0.82-1:

# iptables -L -n
Chain OS_FIREWALL_ALLOW (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2379
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2380
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:4001
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8444
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8053
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:8053

Move this issue to VERIFIED.
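The verification above is done by eye over `iptables -L -n` output. The following is an added example, not part of this bug report and not code from the openshift-ansible project: a small POSIX sh check that parses a saved `iptables -L -n` listing and confirms that ACCEPT rules for the SkyDNS port (8053, TCP and UDP) are present, so the same verification can be scripted on a master after an install. It assumes the standard `iptables -L -n` column layout in which `dpt:<port>` is the last field of a rule line. The first listing is transcribed from the verification comment above; the second listing, with only port 53 open, is constructed to show what a master that was never fixed would report.

```shell
#!/bin/sh
# Added example: verify that the master firewall accepts the SkyDNS port.
# Offline input is used so the script runs anywhere; on a live master you
# would feed it `iptables -L -n` output instead (see usage at the bottom).

# Listing transcribed from the verification comment in the bug report.
MASTER_RULES='Chain OS_FIREWALL_ALLOW (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2379
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2380
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:4001
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8444
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8053
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:8053'

# Constructed listing (not from the report): only port 53 is open, which is
# the situation the bug describes before the fix, when 8053 was never added.
UNFIXED_RULES='Chain OS_FIREWALL_ALLOW (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53'

# port_allowed LISTING PROTO PORT
# Exit 0 if LISTING contains an ACCEPT rule for PROTO with dpt:PORT.
# The port is compared as a whole field, so dpt:53 never matches dpt:8053.
port_allowed() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $1 == "ACCEPT" && $2 == proto && $NF == ("dpt:" port) { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# skydns_ports_open LISTING
# Report which of the SkyDNS rules (tcp/8053, udp/8053) are missing.
# Exit 0 only when both are present.
skydns_ports_open() {
    missing=""
    for spec in tcp:8053 udp:8053; do
        proto=${spec%%:*}
        port=${spec##*:}
        port_allowed "$1" "$proto" "$port" || missing="$missing $spec"
    done
    if [ -n "$missing" ]; then
        echo "missing ACCEPT rules for:$missing"
        return 1
    fi
    echo "SkyDNS port 8053 accepted for tcp and udp"
    return 0
}

# Usage on a live master (needs root):  skydns_ports_open "$(iptables -L -n)"
# Against the embedded samples:
skydns_ports_open "$MASTER_RULES"    # SkyDNS port 8053 accepted for tcp and udp
skydns_ports_open "$UNFIXED_RULES"   # missing ACCEPT rules for: tcp:8053 udp:8053
```

The check deliberately matches the whole `dpt:` field rather than grepping for the digits, because a substring match for `53` would be satisfied by the `8053` rule and hide exactly the mismatch this bug is about.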
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1065