Description of problem:
The ansible installer is adding iptables rules to the masters that are not needed.

Version-Release number of selected component (if applicable):
3.2
3.3

How reproducible:
100%

Additional info:
Ports not needed:
- 2224/tcp
- 5404/udp
- 5405/udp
- 24224/udp
- 24224/tcp

Also the embedded etcd port when etcd is external:
- 4001/tcp

openshift-ansible/playbooks/common/openshift-master/config.yml

  - role: os_firewall
    os_firewall_allow:
    - service: etcd embedded
      port: 4001/tcp
    - service: api server https
      port: "{{ openshift.master.api_port }}/tcp"
    - service: api controllers https
      port: "{{ openshift.master.controllers_port }}/tcp"
    - service: skydns tcp
      port: "{{ openshift.master.dns_port }}/tcp"
    - service: skydns udp
      port: "{{ openshift.master.dns_port }}/udp"
    - service: Fluentd td-agent tcp
      port: 24224/tcp
    - service: Fluentd td-agent udp
      port: 24224/udp
    - service: pcsd
      port: 2224/tcp
    - service: Corosync UDP
      port: 5404/udp
    - service: Corosync UDP
      port: 5405/udp

Upstream: https://github.com/openshift/openshift-ansible/blob/master/playbooks/common/openshift-master/config.yml#L157-L178
https://github.com/openshift/openshift-ansible/pull/2965
PR https://github.com/openshift/openshift-ansible/pull/2965 was not merged in the latest openshift-ansible package (openshift-ansible-3.4.43-1); waiting for a new build to verify this bug.
Verified this bug with openshift-ansible-3.4.55-1.git.0.9cb1f40.el7.noarch.rpm

For a master with embedded etcd, check the ports opened on the master after installation:

Chain OS_FIREWALL_ALLOW (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8444
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8053
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:8053
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:4001
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10250
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10255
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:10255
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:4789

The following ports were not opened:
- 2224/tcp
- 5404/udp
- 5405/udp
- 24224/udp
- 24224/tcp

For a master with an external etcd host, check the ports opened on the master after installation:

Chain OS_FIREWALL_ALLOW (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8444
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8053
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:8053
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10250
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10255
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:10255
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:4789

The following ports were not opened:
- 2224/tcp
- 5404/udp
- 5405/udp
- 24224/udp
- 24224/tcp
- 4001/tcp
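The verification step above (and the port list in the description) can be turned into a repeatable audit: parse the `iptables -L OS_FIREWALL_ALLOW -n` listing, compare it with the allowlist the master role is supposed to produce, and flag both unneeded openings (extra attack surface) and missing ones (a broken cluster). The script below is an added example written for this report; it is not part of openshift-ansible. It assumes the installer defaults api_port=8443, controllers_port=8444 and dns_port=8053 for the rendered os_firewall_allow entries, treats the node/SDN ports that the reported output also shows (10250, 80, 443, 10255, 4789) as expected, and embeds two constructed listings: the post-fix external-etcd output quoted above and a pre-fix variant with the stale rules added back.

```python
"""Audit the OS_FIREWALL_ALLOW chain on an OpenShift master against the
ports the installer is expected to open.

Hypothetical helper written for this bug report, not openshift-ansible code.
Feed it the text of `iptables -L OS_FIREWALL_ALLOW -n`.
"""
import re
from typing import Dict, Set

# One ACCEPT rule line of `iptables -L <chain> -n`: capture protocol and
# destination port, e.g. "ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:8443".
RULE_RE = re.compile(r"^ACCEPT\s+(tcp|udp)\s+.*\bdpt:(\d+)\s*$")

# Ports this bug report says the master role opened without need.
UNNEEDED_ALWAYS = {"2224/tcp", "5404/udp", "5405/udp", "24224/tcp", "24224/udp"}
# Embedded etcd client port; only legitimate when etcd runs on the master.
EMBEDDED_ETCD_PORT = "4001/tcp"

# Rendered os_firewall_allow ports (assumed defaults api_port=8443,
# controllers_port=8444, dns_port=8053) plus the node/SDN ports other roles
# add to the same chain, as seen in the reported listing.
EXPECTED_BASE = {"8443/tcp", "8444/tcp", "8053/tcp", "8053/udp",
                 "10250/tcp", "80/tcp", "443/tcp", "10255/tcp", "10255/udp",
                 "4789/udp"}


def expected_ports(etcd_external: bool) -> Set[str]:
    """Allowlist for a master; 4001/tcp belongs only when etcd is embedded."""
    ports = set(EXPECTED_BASE)
    if not etcd_external:
        ports.add(EMBEDDED_ETCD_PORT)
    return ports


def parse_allowed_ports(iptables_output: str) -> Set[str]:
    """Return the set of 'port/proto' strings from ACCEPT rules in the listing."""
    found = set()
    for line in iptables_output.splitlines():
        match = RULE_RE.match(line.strip())
        if match:
            proto, port = match.groups()
            found.add(f"{port}/{proto}")
    return found


def audit_chain(iptables_output: str, etcd_external: bool) -> Dict[str, Set[str]]:
    """Compare the chain with the allowlist.

    'unexpected': open ports not on the allowlist (extra exposure)
    'missing':    allowlisted ports that are not open (cluster breakage)
    'stale':      the specific ports this bug report says must be gone
    """
    present = parse_allowed_ports(iptables_output)
    expected = expected_ports(etcd_external)
    stale = set(UNNEEDED_ALWAYS)
    if etcd_external:
        stale.add(EMBEDDED_ETCD_PORT)
    return {
        "unexpected": present - expected,
        "missing": expected - present,
        "stale": present & stale,
    }


# Constructed sample: the post-fix listing for a master with external etcd.
FIXED_EXTERNAL_ETCD = """\
Chain OS_FIREWALL_ALLOW (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8444
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8053
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:8053
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10250
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:10255
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:10255
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:4789
"""

# Constructed sample: the same host before the fix, with the stale rules present.
_STALE_RULES = """\
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:4001
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:24224
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:24224
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2224
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:5404
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:5405
"""
PRE_FIX_EXTERNAL_ETCD = FIXED_EXTERNAL_ETCD + _STALE_RULES


if __name__ == "__main__":
    for label, listing in (("pre-fix", PRE_FIX_EXTERNAL_ETCD),
                           ("3.4.55", FIXED_EXTERNAL_ETCD)):
        report = audit_chain(listing, etcd_external=True)
        print(label, {k: sorted(v) for k, v in report.items()})
```

On a live master, pipe `iptables -L OS_FIREWALL_ALLOW -n` into `audit_chain` with `etcd_external` set from the inventory; a non-empty `stale` set means the old rules are still being applied, and a non-empty `missing` set means the allowlist assumptions (the three port variables) do not match that inventory.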
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0224