Description of problem: According to https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_openstack/defaults/main.yml cri-o port 10010/tcp is not opened (https://bugzilla.redhat.com/show_bug.cgi?id=1583640) and it should be required to be able to do 'oc exec' and 'oc rsh'
Version-Release number of the following components: o-a master branch
How reproducible: I've not tested it but creating a cri-o based ocp on osp using the shiftstack installer
Steps to Reproduce: 1. 2. 3.
Actual results: It looks like port 10010/tcp is not opened when using cri-o
Expected results: Port 10010/tcp opened only if using cri-o
Additional info: https://bugzilla.redhat.com/show_bug.cgi?id=1583640
Assigning to Emilio who I believe is looking at the open ports situation in the provisioning playbooks now. Emilio, if that's not correct, let me know.
Reassigning to Eduardo, since he fixed the bug
Checked with openshift-ansible-4.0.0-0.101.0, and this has been fixed.
TASK [container_runtime : Add iptables allow rules] ****************************************************************************************************************************************************************************************************************************
task path: /home/openshift/openshift-ansible/roles/container_runtime/tasks/crio_firewall.yml:4
Friday 21 December 2018 17:23:39 +0800 (0:00:01.444) 0:11:39.057 *******
changed: [master-1.wjiang-ocp.example.com] => (item={'service': 'crio', 'port': '10010/tcp'}) => {"changed": true, "item": {"port": "10010/tcp", "service": "crio"}, "output": ["", "Successfully created chain OS_FIREWALL_ALLOW", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]\r\n"]}
changed: [infra-node-0.wjiang-ocp.example.com] => (item={'service': 'crio', 'port': '10010/tcp'}) => {"changed": true, "item": {"port": "10010/tcp", "service": "crio"}, "output": ["", "Successfully created chain OS_FIREWALL_ALLOW", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]\r\n"]}
changed: [master-0.wjiang-ocp.example.com] => (item={'service': 'crio', 'port': '10010/tcp'}) => {"changed": true, "item": {"port": "10010/tcp", "service": "crio"}, "output": ["", "Successfully created chain OS_FIREWALL_ALLOW", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]\r\n"]}
changed: [app-node-0.wjiang-ocp.example.com] => (item={'service': 'crio', 'port': '10010/tcp'}) => {"changed": true, "item": {"port": "10010/tcp", "service": "crio"}, "output": ["", "Successfully created chain OS_FIREWALL_ALLOW", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]\r\n"]}
[openshift@master-0 ~]$ cat /etc/crio/crio.conf|grep -i 10010
stream_port = "10010"
[openshift@master-0 ~]$ sudo ss -4lnt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 5 192.168.99.8:53 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 192.168.99.8:10010 *:*
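
The verification in the comment above can be scripted so that the configured stream port, the listener and the firewall rule are compared in one pass. This is an added example, not part of the original comment or of openshift-ansible; the function names, the verdict strings and the sample iptables rule line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Inputs are text captures, so the check runs offline.

# Print stream_port from crio.conf text on stdin.
crio_stream_port() {
    sed -n 's/^[[:space:]]*stream_port[[:space:]]*=[[:space:]]*"\{0,1\}\([0-9][0-9]*\)"\{0,1\}.*/\1/p' | head -n 1
}

# Print local addresses listening on TCP port $1, from `ss -4lnt` text on stdin.
listeners_on_port() {
    awk -v p="$1" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) print $4 }'
}

# Succeed if iptables-save text on stdin accepts tcp port $1 in OS_FIREWALL_ALLOW.
firewall_allows() {
    grep -Eq -- "^-A OS_FIREWALL_ALLOW .*-p tcp .*--dport $1 .*-j ACCEPT"
}

# check_crio_stream CONF_TEXT SS_TEXT RULES_TEXT -> prints one verdict line.
check_crio_stream() {
    port=$(printf '%s\n' "$1" | crio_stream_port)
    [ -n "$port" ] || { echo "no-stream-port"; return 0; }
    addrs=$(printf '%s\n' "$2" | listeners_on_port "$port")
    if ! printf '%s\n' "$3" | firewall_allows "$port"; then
        echo "blocked:$port"            # the state this bug describes
    elif [ -z "$addrs" ]; then
        echo "open-no-listener:$port"   # allow rule without cri-o listening
    else
        echo "ok:$port:$addrs"
    fi
}

# Constructed samples: conf and ss lines follow the comment above,
# the rule line is an assumed iptables-save entry.
SAMPLE_CONF='stream_port = "10010"'
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 128 192.168.99.8:10010 *:*'
SAMPLE_RULES='-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10010 -j ACCEPT'

check_crio_stream "$SAMPLE_CONF" "$SAMPLE_SS" "$SAMPLE_RULES"
```

On a node, pass the contents of /etc/crio/crio.conf, the output of `ss -4lnt` and the output of `iptables-save` as the three arguments. The `open-no-listener` verdict corresponds to the report's expectation that the port is opened only when cri-o is in use.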
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758