Bug 1436964 - firewalld failure: Action org.fedoraproject.FirewallD1.config.info is not registered
Status: CLOSED DUPLICATE of bug 1442840
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: ---
: 3.5.z
Assignee: Scott Dodson
QA Contact: Johnny Liu
Reported: 2017-03-29 06:26 UTC by Gan Huang
Modified: 2017-06-02 19:45 UTC (History)

Last Closed: 2017-06-02 19:45:32 UTC

Description Gan Huang 2017-03-29 06:26:45 UTC
Description of problem:
Upstream issue: https://github.com/openshift/openshift-ansible/issues/3213

Version-Release number of selected component (if applicable):
openshift-ansible-3.5.45-1.git.1.4ebc840.el7.noarch.rpm

# rpm -qa |grep firewalld
firewalld-0.4.3.2-8.1.el7_3.2.noarch
firewalld-filesystem-0.4.3.2-8.1.el7_3.2.noarch

# uname -r
3.10.0-514.16.1.el7.x86_64

How reproducible:
Only once while filing the bug

Steps to Reproduce:
1. Trigger HA installation on RHEL-7.3.4


Actual results:
TASK [os_firewall : Add firewalld allow rules] *********************************
Wednesday 29 March 2017  01:27:38 +0000 (0:00:00.235)       0:28:02.124 *******
changed: [ec2-54-236-70-200.compute-1.amazonaws.com] => (item={u'port': u'10250/tcp', u'service': u'Kubernetes kubelet'}) => {
    "changed": true, 
    "item": {
        "port": "10250/tcp", 
        "service": "Kubernetes kubelet"
    }
}

MSG:

Permanent operation, Non-permanent operation, Changed port 10250/tcp to enabled
changed: [ec2-54-85-145-14.compute-1.amazonaws.com] => (item={u'port': u'10250/tcp', u'service': u'Kubernetes kubelet'}) => {
    "changed": true, 
    "item": {
        "port": "10250/tcp", 
        "service": "Kubernetes kubelet"
    }
}

MSG:

Permanent operation, Non-permanent operation, Changed port 10250/tcp to enabled
changed: [ec2-184-72-169-118.compute-1.amazonaws.com] => (item={u'port': u'10250/tcp', u'service': u'Kubernetes kubelet'}) => {
    "changed": true, 
    "item": {
        "port": "10250/tcp", 
        "service": "Kubernetes kubelet"
    }
}

MSG:

Permanent operation, Non-permanent operation, Changed port 10250/tcp to enabled
changed: [ec2-54-221-18-228.compute-1.amazonaws.com] => (item={u'port': u'10250/tcp', u'service': u'Kubernetes kubelet'}) => {
    "changed": true, 
    "item": {
        "port": "10250/tcp", 
        "service": "Kubernetes kubelet"
    }
}

MSG:

Permanent operation, Non-permanent operation, Changed port 10250/tcp to enabled
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: dbus.exceptions.DBusException: org.freedesktop.PolicyKit1.Error.Failed: Action org.fedoraproject.FirewallD1.config.info is not registered
failed: [ec2-52-73-233-84.compute-1.amazonaws.com] (item={u'port': u'10250/tcp', u'service': u'Kubernetes kubelet'}) => {
    "failed": true, 
    "item": {
        "port": "10250/tcp", 
        "service": "Kubernetes kubelet"
    }, 
    "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_SE5phc/ansible_module_firewalld.py\", line 641, in <module>\n    main()\n  File \"/tmp/ansible_SE5phc/ansible_module_firewalld.py\", line 489, in main\n    is_enabled = get_port_enabled(zone, [port,protocol])\n  File \"/tmp/ansible_SE5phc/ansible_module_firewalld.py\", line 155, in get_port_enabled\n    if port_proto in fw.getPorts(zone):\n  File \"<string>\", line 2, in getPorts\n  File \"/usr/lib/python2.7/site-packages/slip/dbus/polkit.py\", line 103, in _enable_proxy\n    return func(*p, **k)\n  File \"<string>\", line 2, in getPorts\n  File \"/usr/lib/python2.7/site-packages/firewall/client.py\", line 53, in handle_exceptions\n    return func(*args, **kwargs)\n  File \"/usr/lib/python2.7/site-packages/firewall/client.py\", line 2754, in getPorts\n    return dbus_to_python(self.fw_zone.getPorts(zone))\n  File \"/usr/lib/python2.7/site-packages/slip/dbus/proxies.py\", line 50, in __call__\n    return dbus.proxies._ProxyMethod.__call__(self, *args, **kwargs)\n  File \"/usr/lib64/python2.7/site-packages/dbus/proxies.py\", line 145, in __call__\n    **keywords)\n  File \"/usr/lib64/python2.7/site-packages/dbus/connection.py\", line 651, in call_blocking\n    message, timeout)\ndbus.exceptions.DBusException: org.freedesktop.PolicyKit1.Error.Failed: Action org.fedoraproject.FirewallD1.config.info is not registered\n", 
    "module_stdout": ""
}

MSG:

MODULE FAILURE

Expected results:


Additional info:
# cat /var/log/firewalld
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D PREROUTING' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D OUTPUT' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -F DOCKER' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -X DOCKER' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F DOCKER' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -F DOCKER-ISOLATION' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER-ISOLATION' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -n -L DOCKER' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -n -L DOCKER' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -n -L DOCKER-ISOLATION' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION -j RETURN' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-ISOLATION' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: 
2017-03-28 21:28:57 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed:

Comment 2 Scott Dodson 2017-03-29 23:59:48 UTC
Proposed fix https://github.com/openshift/openshift-ansible/pull/3804

Comment 3 Scott Dodson 2017-06-02 19:45:32 UTC
This is a race condition in polkit and firewalld policy issue. That team is digging into a fix, but this happens very rarely.

*** This bug has been marked as a duplicate of bug 1442840 ***

