Bug 1507051 - Port 10010 is closed
Summary: Port 10010 is closed
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.7.0
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 3.7.0
Assignee: Steve Milner
QA Contact: Gan Huang
Reported: 2017-10-27 14:13 UTC by Chris Evich
Modified: 2017-11-28 08:28 UTC (History)

Doc Type: No Doc Update
Last Closed: 2017-11-13 15:53:02 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2017:3188 | 0 | normal | SHIPPED_LIVE | Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update | 2017-11-29 02:34:54 UTC

Description Chris Evich 2017-10-27 14:13:05 UTC
Description of problem:
The installer needs to: iptables -A OS_FIREWALL_ALLOW -p tcp --destination-port 10010 -m state --state NEW -j ACCEPT

Version-Release number of the following components:
Upstream openshift-ansible, PR 5880
commit id 1d77b02f72795cef4ce5a9552fcdb97d16b7e3b9

Ansible 2.3.1 running on a F25 control-host.

How reproducible:
always

Steps to Reproduce:
1. cd openstack-ansible
2. Run ansible-playbook -i inventory_file ./playbooks/byo/config.yml
3. No errors reported
4. On master node: oc run myhttpd --image=httpd:2.4
5. On master node: oc describe pod myhttpd
6. On master node: oc run -it --rm myshell --image=busybox -- sh

Actual results:
No installer error generated.  Problem found after step 6:

[root@rhel7-4-a ~]# oc run -it --rm myshell --image=busybox -- sh
If you don't see a command prompt, try pressing enter.
Error attaching, falling back to logs: error dialing backend: dial tcp 172.16.12.11:10010: getsockopt: no route to host

Expected results:

The oc run command should work

Comment 1 Scott Dodson 2017-10-27 14:46:59 UTC
What is myshell? What's 172.16.12.11, is that a service IP? Why does my myshell expect it to exist and be ready for connections?

Comment 2 Scott Dodson 2017-10-27 16:28:15 UTC
Apparently this is some CRI-O thing?

https://github.com/openshift/openshift-ansible/pull/5911

Comment 3 Steve Milner 2017-10-27 16:30:20 UTC
(In reply to Scott Dodson from comment #1)
> What is myshell? What's 172.16.12.11, is that a service IP? Why does my
> myshell expect it to exist and be ready for connections?

myshell is the name of a container they are using to test with. It's verifying they are able to actually communicate with a container.

Comment 4 Steve Milner 2017-10-27 16:48:55 UTC
The merged PR listed by Scott does indeed fix the problem. It's been tested by a few of us. Apologies for the misunderstanding.

Comment 5 Xiaoli Tian 2017-10-30 06:13:07 UTC
The fix has been merged since openshift-ansible-3.7.0-0.184.0; please test it on the latest version.

Comment 6 Gan Huang 2017-10-31 08:41:26 UTC
Verified in openshift-ansible-3.7.0-0.184.0.git.0.d407445.el7.noarch.rpm

Tested with iptables and firewalld enabled. Both work well following the steps in the bug description.

Comment 7 Gan Huang 2017-10-31 08:43:28 UTC
iptables rule added correctly for nodes:

# iptables-save |grep 10010
-A IN_public_allow -p tcp -m tcp --dport 10010 -m conntrack --ctstate NEW -j ACCEPT
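
A stricter form of the `iptables-save | grep 10010` check above, as an added example that is not part of the bug thread or of openshift-ansible: it parses the rules and reports only chains that ACCEPT TCP traffic to port 10010, so a udp rule, a non-ACCEPT target or an unrelated "10010" string does not pass. The function names and the sample rule sets are constructed for illustration; the two "after" rules use the forms quoted in this bug.

```shell
#!/bin/sh
# Added example, not openshift-ansible code. Sample rule sets are constructed
# from the two rule forms quoted in this bug.

# accept_chains PORT: read iptables-save text on stdin; print the chain of each
# rule that ACCEPTs tcp traffic to PORT (single port or lo:hi range).
accept_chains() {
    awk -v port="$1" '
        $1 != "-A" { next }            # skip table headers, policies, COMMIT
        {
            proto = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                # ignore negated matches such as "! --dport 10010"
                if (($i == "--dport" || $i == "--destination-port") && $(i - 1) != "!")
                    dport = $(i + 1)
            }
            if (proto != "tcp" || target != "ACCEPT" || dport == "") next
            n = split(dport, r, ":")
            lo = r[1] + 0
            hi = (n == 2 ? r[2] : r[1]) + 0
            if (port + 0 >= lo && port + 0 <= hi) print $2
        }'
}

# port_is_open PORT: exit 0 if at least one matching ACCEPT rule is on stdin.
port_is_open() {
    [ -n "$(accept_chains "$1")" ]
}

# Constructed sample: a node before the fix (kubelet port only, plus a udp rule
# that must not count).
BEFORE='*filter
:OS_FIREWALL_ALLOW - [0:0]
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10250 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m udp --dport 10010 -j ACCEPT
COMMIT'
# Rule forms from the bug: the reporter's iptables rule and the firewalld rule.
AFTER_IPTABLES='-A OS_FIREWALL_ALLOW -p tcp --destination-port 10010 -m state --state NEW -j ACCEPT'
AFTER_FIREWALLD='-A IN_public_allow -p tcp -m tcp --dport 10010 -m conntrack --ctstate NEW -j ACCEPT'

for sample in "$BEFORE" "$AFTER_IPTABLES" "$AFTER_FIREWALLD"; do
    if printf '%s\n' "$sample" | port_is_open 10010; then echo "10010 open"; else echo "10010 closed"; fi
done
```

On a node, the same check runs as `iptables-save | port_is_open 10010`.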

