Bug 1551121 - [Docs] Section 6.1: Firewall list doesn't match list for cns-deploy
Summary: [Docs] Section 6.1: Firewall list doesn't match list for cns-deploy
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: doc-Container_Native_Storage_with_OpenShift
Version: cns-3.6
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: ---
Assignee: storage-doc
QA Contact: Prasanth
URL:
Whiteboard:
Depends On:
Blocks: 1724792
 
Reported: 2018-03-02 20:09 UTC by Thom Carlin
Modified: 2021-11-18 15:43 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-18 15:43:34 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1483827 0 unspecified CLOSED Avoid using 24006 port as it is registered. 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1551124 0 unspecified CLOSED [Docs] Section 6.2: Kernel module list does not match list given by cns-deploy 2021-11-18 15:45:30 UTC
Red Hat Bugzilla 1551127 0 unspecified CLOSED [Docs] Chapter 6: Add new section for SELinux to match cns-deploy requirements 2021-11-18 15:47:12 UTC
Red Hat Bugzilla 1551140 0 unspecified CLOSED cns-deploy lists firewall port 24006 which was deprecated by bz 1483827 2021-02-22 00:41:40 UTC

Internal Links: 1483827 1551124 1551127 1551140

Description Thom Carlin 2018-03-02 20:09:16 UTC
Document URL: 

https://access.redhat.com/documentation/en-us/red_hat_gluster_storage/3.3/html-single/container-native_storage_for_openshift_container_platform/#idm140179693751856

Section Number and Name: 

Section 6.1 Configuring Port Access

Describe the issue: 

Firewall rules given in 6.1 don't match up with those found in Section 8.2.1 when running cns-deploy under OCP 3.7

Suggestions for improvement: 

Have the list provided in 6.1 match those given by cns-deploy (and brick multiplexing)

Additional information: 

Section 6.1:
On each of the OpenShift nodes that will host the Red Hat Gluster Storage container, add the following rules to /etc/sysconfig/iptables in order to open the required ports:
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 24007 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 24008 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m multiport --dports 49152:49664 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 24010 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 3260 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
Note

Port 24010 and 3260 are for gluster-blockd and iSCSI targets respectively.

cns-deploy....:
Each of the nodes that will host GlusterFS must also have appropriate firewall
rules for the required GlusterFS ports:
 * 111   - rpcbind (for glusterblock)
 * 2222  - sshd (if running GlusterFS in a pod)
 * 3260  - iSCSI targets (for glusterblock)
 * 24006 - glusterblockd
 * 24007 - GlusterFS Management
 * 24008 - GlusterFS RDMA
 * 49152 to 49251 - Each brick for every volume on the host requires its own
   port. For every new brick, one new port will be used starting at 49152. We
   recommend a default range of 49152-49251 on each host, though you can adjust
   this to fit your needs.

Please ask development for the correct Firewall rules.

Comment 2 Thom Carlin 2018-03-02 21:02:03 UTC
The OCP 3.7 list has 24006 for glusterblockd but https://bugzilla.redhat.com/show_bug.cgi?id=1483827 deprecates 24006 for 24010.

Creating separate bz to track cns-deploy issue and will link it in...
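
The mismatch reported above can be checked mechanically. The following is an added example, not part of the bug report or of cns-deploy: it parses the two lists quoted in the description and reports the ports each one opens that the other does not. The function and constant names are hypothetical, the inputs are copied from the description as constructed samples, and the parser assumes single ports or one low:high range per rule, which is all the quoted rules use.

```python
import re

# Constructed input: the Section 6.1 rules as quoted in the description.
DOC_RULES = """\
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 24007 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 24008 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 2222 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m multiport --dports 49152:49664 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 24010 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 3260 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
"""
# Constructed input: the cns-deploy list from the description (wrapped lines omitted).
CNS_DEPLOY_LIST = """\
 * 111   - rpcbind (for glusterblock)
 * 2222  - sshd (if running GlusterFS in a pod)
 * 3260  - iSCSI targets (for glusterblock)
 * 24006 - glusterblockd
 * 24007 - GlusterFS Management
 * 24008 - GlusterFS RDMA
 * 49152 to 49251 - Each brick for every volume on the host requires its own
"""

IPTABLES = re.compile(r"--dports?\s+(\d+)(?::(\d+))?.*-j ACCEPT")
CNS_LIST = re.compile(r"^\s*\*\s+(\d+)(?:\s+to\s+(\d+))?\s+-", re.M)

def ports(text, pattern):
    """Expand each (low, high) match into a set; high is empty for one port."""
    found = set()
    for low, high in pattern.findall(text):
        found.update(range(int(low), int(high or low) + 1))
    return found

def to_ranges(port_set):
    """Collapse a set of ports into sorted (start, end) tuples for reporting."""
    out = []
    for p in sorted(port_set):
        # Extend the previous range when p is contiguous with it.
        start = out.pop()[0] if out and out[-1][1] == p - 1 else p
        out.append((start, p))
    return out

def compare(doc_rules, deploy_list):
    """Report ports opened by one list but not the other."""
    doc, dep = ports(doc_rules, IPTABLES), ports(deploy_list, CNS_LIST)
    return {"only_in_docs": to_ranges(doc - dep),
            "only_in_cns_deploy": to_ranges(dep - doc)}
```

Calling `compare(DOC_RULES, CNS_DEPLOY_LIST)` shows three differences: port 24010 and the range 49252-49664 are opened only by the Section 6.1 rules, and port 24006 appears only in the cns-deploy list.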

