Bug 1614863 - ShiftStack installer doesn't open cri-o stream port (10010/tcp)
Summary: ShiftStack installer doesn't open cri-o stream port (10010/tcp)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 4.1.0
Assignee: egarcia
QA Contact: weiwei jiang
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-08-10 14:50 UTC by Eduardo Minguez
Modified: 2019-06-04 10:40 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Cause: 10010/tcp port not open
Consequence: Unable to do `oc exec` or `oc rsh`
Fix: Create firewall rule for 10010/tcp in openstack
Result: `oc rsh` and `oc exec` reachable
Clone Of:
Environment:
Last Closed: 2019-06-04 10:40:34 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:40:41 UTC

Description Eduardo Minguez 2018-08-10 14:50:23 UTC
Description of problem:

According to https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_openstack/defaults/main.yml cri-o port 10010/tcp is not opened (https://bugzilla.redhat.com/show_bug.cgi?id=1583640) and it should be required to be able to do 'oc exec' and 'oc rsh'

Version-Release number of the following components:
o-a master branch

How reproducible:
I've not tested it but creating a cri-o based ocp on osp using the shiftstack installer

Steps to Reproduce:
1.
2.
3.

Actual results:
It looks like port 10010/tcp is not opened when using cri-o

Expected results:
Port 10010/tcp opened only if using cri-o

Additional info:

https://bugzilla.redhat.com/show_bug.cgi?id=1583640

Comment 1 Tomas Sedovic 2018-09-18 16:04:37 UTC
Assigning to Emilio who I believe is looking at the open ports situation in the provisioning playbooks now.

Emilio, if that's not correct, let me know.

Comment 3 egarcia 2018-11-27 14:46:00 UTC
Reassigning to Eduardo, since he fixed the bug

Comment 6 weiwei jiang 2018-12-21 09:28:26 UTC
Checked with openshift-ansible-4.0.0-0.101.0, and this has been fixed.

TASK [container_runtime : Add iptables allow rules] ****************************************************************************************************************************************************************************************************************************
task path: /home/openshift/openshift-ansible/roles/container_runtime/tasks/crio_firewall.yml:4
Friday 21 December 2018  17:23:39 +0800 (0:00:01.444)       0:11:39.057 *******
changed: [master-1.wjiang-ocp.example.com] => (item={'service': 'crio', 'port': '10010/tcp'}) => {"changed": true, "item": {"port": "10010/tcp", "service": "crio"}, "output": ["", "Successfully created chain OS_FIREWALL_ALLOW", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n"]}                                                                               
changed: [infra-node-0.wjiang-ocp.example.com] => (item={'service': 'crio', 'port': '10010/tcp'}) => {"changed": true, "item": {"port": "10010/tcp", "service": "crio"}, "output": ["", "Successfully created chain OS_FIREWALL_ALLOW", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n"]}                                                                           
changed: [master-0.wjiang-ocp.example.com] => (item={'service': 'crio', 'port': '10010/tcp'}) => {"changed": true, "item": {"port": "10010/tcp", "service": "crio"}, "output": ["", "Successfully created chain OS_FIREWALL_ALLOW", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n"]}                                                                               
changed: [app-node-0.wjiang-ocp.example.com] => (item={'service': 'crio', 'port': '10010/tcp'}) => {"changed": true, "item": {"port": "10010/tcp", "service": "crio"}, "output": ["", "Successfully created chain OS_FIREWALL_ALLOW", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n", "", "iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]\r\n"]} 

[openshift@master-0 ~]$ cat /etc/crio/crio.conf|grep -i 10010
stream_port = "10010"

[openshift@master-0 ~]$ sudo ss -4lnt
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      5      192.168.99.8:53                  *:*
LISTEN     0      128    *:22                             *:*
LISTEN     0      100    127.0.0.1:25                     *:*
LISTEN     0      128    192.168.99.8:10010               *:*
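
The three checks from Comment 6 (configured stream_port, listening socket, firewall allow rule) combined into one script, as an added example that is not part of the original bug report or of openshift-ansible. The sample inputs are constructed, modelled on the output above, and the exact shape of the OS_FIREWALL_ALLOW rule is an assumption.

```sh
#!/bin/sh
# Added example: cross-check the cri-o stream port against listener and firewall.
# All sample data is constructed, modelled on the output in Comment 6.

# Print stream_port from crio.conf text on stdin (commented-out lines ignored).
crio_stream_port() {
  sed -n 's/^[[:space:]]*stream_port[[:space:]]*=[[:space:]]*"\{0,1\}\([0-9][0-9]*\)"\{0,1\}.*$/\1/p' |
    head -n 1
}

# Succeed if `ss -lnt` output on stdin shows a LISTEN socket on port $1.
port_is_listening() {
  awk -v p="$1" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
                 END { exit(found ? 0 : 1) }'
}

# Succeed if iptables-save text on stdin accepts tcp/$1 in OS_FIREWALL_ALLOW.
# Assumption: the rule has the usual "-p tcp ... --dport N ... -j ACCEPT" shape.
port_is_allowed() {
  grep -Eq -e "^-A OS_FIREWALL_ALLOW .*-p tcp .*--dport $1 .*-j ACCEPT"
}

# Args: crio.conf text, ss output, iptables-save output. Prints a one-line verdict.
check_stream_port() (
  port=$(printf '%s\n' "$1" | crio_stream_port)
  if [ -z "$port" ]; then echo "stream_port not set"; exit 0; fi
  listening=no; allowed=no
  if printf '%s\n' "$2" | port_is_listening "$port"; then listening=yes; fi
  if printf '%s\n' "$3" | port_is_allowed "$port"; then allowed=yes; fi
  echo "port=$port listening=$listening allowed=$allowed"
)

SAMPLE_CRIO_CONF='# stream_port = "9999"
stream_port = "10010"'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:22                *:*
LISTEN 0      128    192.168.99.8:10010  *:*'
RULES_BEFORE='-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10250 -j ACCEPT'
RULES_AFTER="$RULES_BEFORE
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 10010 -j ACCEPT"

check_stream_port "$SAMPLE_CRIO_CONF" "$SAMPLE_SS" "$RULES_BEFORE"  # rule missing
check_stream_port "$SAMPLE_CRIO_CONF" "$SAMPLE_SS" "$RULES_AFTER"   # rule present
```

On a node, the three arguments would be the contents of /etc/crio/crio.conf, the output of `sudo ss -4lnt`, and the saved rules in /etc/sysconfig/iptables.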

Comment 9 errata-xmlrpc 2019-06-04 10:40:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758

