Bug 1568689 - Install failed when firewalld used
Summary: Install failed when firewalld used
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 3.10.0
Assignee: Vadim Rutkovsky
QA Contact: Weihua Meng
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-18 06:21 UTC by Weihua Meng
Modified: 2018-07-30 19:13 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-30 19:13:21 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1570517 0 high CLOSED [3.9.z] Install failed when firewalld used 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2018:1816 0 None None None 2018-07-30 19:13:51 UTC

Internal Links: 1570517

Description Weihua Meng 2018-04-18 06:21:56 UTC 
Description of problem:
Install failed when firewalld used

Version-Release number of the following components:
openshift-ansible-3.10.0-0.22.0.git.0.b6ec617.el7

How reproducible:
Always

Steps to Reproduce:
1. Set up OCP 3.10

Actual results:
TASK [openshift_node : Add firewalld allow rules] ******************************
Wednesday 18 April 2018  01:59:03 -0400 (0:00:00.051)       0:00:53.351 ******* 
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AttributeError: 'AnsibleModule' object has no attribute 'fail'
failed: [qe-wmengfw223-node-registry-router-1.0418-ing.qe.rhcloud.com] (item={u'port': u'10250/tcp', u'service': u'Kubernetes kubelet'}) => {"changed": false, "failed": true, "item": {"port": "10250/tcp", "service": "Kubernetes kubelet"}, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_kEUDkq/ansible_module_firewalld.py\", line 936, in <module>\n    main()\n  File \"/tmp/ansible_kEUDkq/ansible_module_firewalld.py\", line 788, in main\n    module.fail(msg='firewall is not currently running, unable to perform immediate actions without a running firewall daemon')\nAttributeError: 'AnsibleModule' object has no attribute 'fail'\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AttributeError: 'AnsibleModule' object has no attribute 'fail'
failed: [qe-wmengfw223-node-registry-router-2.0418-ing.qe.rhcloud.com] (item={u'port': u'10250/tcp', u'service': u'Kubernetes kubelet'}) => {"changed": false, "failed": true, "item": {"port": "10250/tcp", "service": "Kubernetes kubelet"}, "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_Jqdp6p/ansible_module_firewalld.py\", line 936, in <module>\n    main()\n  File \"/tmp/ansible_Jqdp6p/ansible_module_firewalld.py\", line 788, in main\n    module.fail(msg='firewall is not currently running, unable to perform immediate actions without a running firewall daemon')\nAttributeError: 'AnsibleModule' object has no attribute 'fail'\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AttributeError: 'AnsibleModule' object has no attribute 'fail'

Expected results:
Install succeeds
Comment 2 Scott Dodson 2018-04-23 13:38:41 UTC 
Weihua,

Can you verify that the hosts were fully updated and rebooted prior to running the installer? There's a problem with dbus in 7.5 that means when we install dnsmasq that dbus is updated and becomes wedged. The only true way to address this is to ensure that your hosts are fully up to date and rebooted before you run the installer.
Comment 3 Weihua Meng 2018-04-23 14:41:34 UTC 
Thanks.
How can I judge it is dbus problem or not?

Which image should I use?

Is dbus problem in qe-rhel-75-20180404 image?

Does the dbus problem only happen to firewalld but not to iptables?

I tried the same installations, the only difference is os_firewall_use_firewalld=true/false.
if true, install fails.
if false, install succeeds.
Comment 4 Scott Dodson 2018-04-23 14:51:03 UTC 
If `yum update` updates dbus then you know you've got to reboot before completing the installation.
Comment 5 Weihua Meng 2018-04-23 15:36:54 UTC 
no dbus in `yum update`.

  Operating System: Red Hat Enterprise Linux Server 7.5 (Maipo)
       CPE OS Name: cpe:/o:redhat:enterprise_linux:7.5:GA:server
            Kernel: Linux 3.10.0-862.el7.x86_64

# rpm -q dbus
dbus-1.10.24-7.el7.x86_64
# systemctl status dbus
● dbus.service - D-Bus System Message Bus
   Loaded: loaded (/usr/lib/systemd/system/dbus.service; static; vendor preset: disabled)
   Active: active (running) since Mon 2018-04-23 11:30:06 EDT; 5min ago
Comment 6 Vadim Rutkovsky 2018-04-23 15:47:39 UTC 
This would occur even with an updated dbus - as we forcibly restart dbus when dnsmasq is being installed (I'll prepare a fix to revert this).
Comment 7 Scott Dodson 2018-04-26 18:51:25 UTC 
To summarize, we require that hosts are yum upgraded and rebooted prior to running the install. We're not going to restart dbus during the installation playbooks.
Comment 8 Vadim Rutkovsky 2018-04-27 08:30:24 UTC 
PR https://github.com/openshift/openshift-ansible/pull/8104

Fix is available in openshift-ansible-3.10.0-0.30.0
Comment 9 Weihua Meng 2018-04-28 02:38:52 UTC 
Fixed.
openshift-ansible-3.10.0-0.30.0

Kernel Version: 3.10.0-862.el7.x86_64
Operating System: Red Hat Enterprise Linux Server 7.5 (Maipo)
Comment 11 errata-xmlrpc 2018-07-30 19:13:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816
Note You need to log in before you can comment on or make changes to this bug.