Bug 1613066
| Summary: | Reboot of v3.10 master loses iptables rules/chain | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Øystein Bedin <obedin> |
| Component: | Installer | Assignee: | Russell Teague <rteague> |
| Status: | CLOSED NOTABUG | QA Contact: | Johnny Liu <jialiu> |
| Severity: | high | Docs Contact: | |
| Priority: | high | CC: | aos-bugs, jokerman, mmccomas, obedin |
| Version: | 3.10.0 | Target Milestone: | --- |
| Target Release: | 3.10.z | Hardware: | Unspecified |
| OS: | Unspecified | Type: | Bug |
| Last Closed: | 2018-08-08 20:40:13 UTC | Regression: | --- |
Description

Øystein Bedin 2018-08-06 22:32:06 UTC

Created attachment 1473789 [details]: before-reboot iptables output
Created attachment 1473790 [details]: after-reboot iptables output
Note in the attached files how the 'OS_FIREWALL_ALLOW' chain is gone after the reboot, and with it important rules such as those for ports 443, 2379, etc. Unless I'm missing something, this seems broken. Given that the nodes aren't re-registering and the web console isn't accessible, I suspect this is a bug. Running iptables-restore fixes the issue, but I'm not sure whether it introduces other problems:
> iptables-restore < /etc/sysconfig/iptables
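For reference, a sketch of the full manual workaround on a RHEL 7 host (commands assumed to run as root; this mirrors the restore above plus the standard way to make the `iptables` service, from the `iptables-services` package, replay `/etc/sysconfig/iptables` at boot):

```shell
# Restore the saved ruleset immediately (the workaround above).
iptables-restore < /etc/sysconfig/iptables

# firewalld and the iptables service conflict; keep only one of them active.
systemctl disable --now firewalld

# Enable the iptables unit so the saved rules are reloaded on every boot.
systemctl enable --now iptables

# Verify the OS_FIREWALL_ALLOW chain is present again.
iptables -nL OS_FIREWALL_ALLOW
```

This only papers over the symptom; as the thread below concludes, the underlying cause was a skipped installer step.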
---

What's the status of the `iptables` service post-reboot?

---

From what I recall, `firewalld` was not running post-install and `iptables` was active. However, post-reboot, I now see `firewalld` running and `iptables` deactivated. Any chance something external is affecting that state?

---

The service should be enabled: https://github.com/openshift/openshift-ansible/blob/master/roles/os_firewall/tasks/iptables.yml#L30-L40

---

The task outlined in the link above (iptables.yml) does not run at all. I captured the output of a run, and the "Start and enable iptables service" task is not part of the openshift-ansible run output. Also, here's the state of `iptables` and `firewalld` after install, BEFORE reboot:

> systemctl status iptables
> iptables.service - IPv4 firewall with iptables
>   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
>   Active: inactive (dead)

> systemctl status firewalld
> firewalld.service - firewalld - dynamic firewall daemon
>   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
>   Active: inactive (dead)

---

Thanks, we'll look at it. If complete logs from ansible-playbook and an inventory are available, that will help explain why the tasks were skipped.

---

@Øystein, the os_firewall role is run once as part of the prerequisites.yml playbook; this is why you are not seeing the task mentioned above in your playbook run. As part of an install, the prerequisites.yml playbook should be run before deploy_cluster.yml:

https://docs.openshift.com/container-platform/3.10/install/running_install.html#running-the-advanced-installation-rpm

Please run prerequisites.yml and see if this problem persists.

---

@Russell - ahh, yes, that's probably it. I will give it another try with prerequisites before deployment. Sorry for missing that part.

---

@Russell + @Scott - thank you, that was it.
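The resolution above can be sketched as an install sequence (the inventory path and playbook checkout location are placeholders; adjust to your environment):

```shell
# Run the prerequisites playbook first; it applies the os_firewall role,
# including the "Start and enable iptables service" task, exactly once.
ansible-playbook -i /path/to/inventory \
    /usr/share/ansible/openshift-ansible/playbooks/prerequisites.yml

# Only then run the main install.
ansible-playbook -i /path/to/inventory \
    /usr/share/ansible/openshift-ansible/playbooks/deploy_cluster.yml
```

Skipping prerequisites.yml leaves the `iptables` service disabled, so the runtime rules (including the OS_FIREWALL_ALLOW chain) are lost on reboot, which matches the reported symptom and the NOTABUG closure.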