We require a few ports to be opened on the nodes, for instance to add the prometheus node exporter (port 9100/tcp), and we want the installer not to mess with those opened ports. We've seen an os_firewall_allow variable in the playbooks that is used for that purpose, but even if we have set that variable in the inventory, the port is not opened. We have also tried adding them into common/openshift-node/config.yml, but they are not set on the node.
You'll need to call os_firewall role with the os_firewall_allow variables setting the ports you need. Marking UpcomingRelease as this is an RFE
Hi Scott, following up where Javier left it, do you mean we should call os_firewall setting os_firewall_allow from our inventory file? Thanks! Sergi.
Sergi, I meant from a playbook or role of your own for now. In the future, we'd have to add the feature to support additional rules via a variable.
Hi Scott, thanks for the clarification. Is there already a planned target release for supporting it via a variable? Best, Sergi.
Not yet, but I can say it won't be included in 3.5.0.
https://github.com/openshift/openshift-ansible/pull/5345 (merged)
https://github.com/openshift/openshift-ansible/pull/5936 (under review)

# Firewall configuration
# You can open additional firewall ports by defining them as a list of service
# names and ports/port ranges for either masters or nodes.
#openshift_master_open_ports=[{"service":"svc1","port":"11/tcp"}]
#openshift_node_open_ports=[{"service":"svc2","port":"12-13/tcp"},{"service":"svc3","port":"14/udp"}]
Both of the PRs mentioned in Comment #9 made it into the 3.7 GA release. Moving it to QE for verification.
Thanks everyone! It'd be good to have this mentioned on an errata and/or documented.
Verified in openshift-ansible-3.7.11-1.git.0.42a781f.el7.noarch.rpm

In the installations of firewalld and iptables, the ports are opened in both nodes and masters correctly.

1. Triggering fresh installation with iptables enabled (default)

# cat inventory_host
openshift_master_open_ports=[{'service':'master-svc1','port':'250/tcp'},{'service':'master-svc2','port':'251-253/tcp'}]
openshift_node_open_ports=[{'service':'node-svc2','port':'10015-10019/tcp'},{'service':'node-svc3','port':'10014/udp'}]

2. Check the iptables on the masters and nodes

master
# iptables -L OS_FIREWALL_ALLOW
Chain OS_FIREWALL_ALLOW (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:2379
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:2380
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:nfs
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pcsync-https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:pcsync-http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:senomix02
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:senomix02
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:250
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpts:251:253
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:10250
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:4789
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpts:10015:10019
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:10014

node
# iptables -L OS_FIREWALL_ALLOW
Chain OS_FIREWALL_ALLOW (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:10250
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:4789
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpts:10015:10019
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:10014

3. Trigger installation with firewalld enabled, the ports are also opened correctly
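The verification above is done by eye, reading the OS_FIREWALL_ALLOW chain against the inventory. As an added example (not code from the bug thread or from openshift-ansible), the script below automates that check: it parses an openshift_*_open_ports value in either the single-quoted or the JSON-style double-quoted form, parses `iptables -L OS_FIREWALL_ALLOW` output, and reports any inventory entry with no matching ACCEPT rule. The chain text is a constructed copy of the node output quoted in the verification comment.

```python
import ast
import re

# Inventory values from the verification comment (copied here as constructed input).
MASTER_OPEN_PORTS = "[{'service':'master-svc1','port':'250/tcp'},{'service':'master-svc2','port':'251-253/tcp'}]"
NODE_OPEN_PORTS = "[{'service':'node-svc2','port':'10015-10019/tcp'},{'service':'node-svc3','port':'10014/udp'}]"

# Constructed copy of `iptables -L OS_FIREWALL_ALLOW` as captured on a node.
# Run `iptables -L -n` on a real host to keep ports numeric instead of service names.
NODE_CHAIN = """\
Chain OS_FIREWALL_ALLOW (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:10250
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:4789
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpts:10015:10019
ACCEPT     udp  --  anywhere             anywhere             state NEW udp dpt:10014
"""

# Matches an ACCEPT rule and captures the protocol and the dpt:/dpts: port spec.
RULE_RE = re.compile(r"^ACCEPT\s+(tcp|udp)\s+.*\bdpts?:(\S+)")


def parse_open_ports(value):
    """Parse an openshift_*_open_ports inventory value into a set of (proto, lo, hi).
    ast.literal_eval accepts both the single-quoted and the JSON-style form."""
    wanted = set()
    for entry in ast.literal_eval(value):
        port, proto = entry["port"].split("/")
        lo, _, hi = port.partition("-")  # "251-253" is a range, "250" a single port
        wanted.add((proto, int(lo), int(hi or lo)))
    return wanted


def parse_chain(text):
    """Parse `iptables -L OS_FIREWALL_ALLOW` output into a set of (proto, lo, hi).
    Rules whose port resolved to a service name (http, nfs, ...) are skipped; the
    installer's own rules use them, but the ports added via inventory are numeric."""
    opened = set()
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        proto, spec = m.groups()
        lo, _, hi = spec.partition(":")  # iptables prints ranges as dpts:lo:hi
        if lo.isdigit():
            opened.add((proto, int(lo), int(hi or lo)))
    return opened


def missing_ports(inventory_value, chain_text):
    """Return inventory entries that have no ACCEPT rule in the chain, sorted."""
    return sorted(parse_open_ports(inventory_value) - parse_chain(chain_text))
```

Running it against the node chain with the node inventory returns an empty list; running the master inventory against the same node chain reports 250/tcp and 251-253/tcp as missing, which is the expected split between master and node rules.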
This enhancement is included in 3.7 GA.