Bug 1689857 - The instance security group does not have an 'echo request' rule for ICMP in Inbound
Summary: The instance security group does not have an 'echo request' rule for ICMP in Inbound
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.1.0
Hardware: All
OS: All
Target Milestone: ---
: 4.1.0
Assignee: Casey Callendrello
QA Contact: zhaozhanqi
Depends On:
Reported: 2019-03-18 09:54 UTC by zhaozhanqi
Modified: 2020-01-16 10:15 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-04 10:46:01 UTC
Target Upstream Version:

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:46:06 UTC

Description zhaozhanqi 2019-03-18 09:54:07 UTC
Description of problem:
When setting up the OpenShift cluster 4.0 on AWS, the master and workers cannot ping each other using the internal IP.

Found that the security group only has an 'echo reply' rule in 'Inbound'. When I added the 'echo request' rule manually, they were able to ping each other.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. see the Description

Actual results:

Master and workers cannot ping each other using the internal IP, which makes it hard to debug some issues.

Expected results:
master and workers can ping each other.

Additional info:
I checked one blog https://charity.wtf/2016/04/14/scrapbag-of-useful-terraform-tips
The from_port should be 8 rather than 0 in openshift-installer/data/data/aws/vpc/sg-worker.tf:
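resource "aws_security_group_rule" "worker_ingress_icmp" {
  type              = "ingress"
  security_group_id = "${aws_security_group.worker.id}"

  protocol    = "icmp"
  cidr_blocks = [""]
  # For protocol "icmp", from_port is the ICMP type and to_port the ICMP code.
  # Type 0 is echo reply; echo request is type 8.
  from_port   = 0
  to_port     = 0
}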
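
Added example, not part of the original report or the installer code: a check that flags security groups whose inbound rules never admit an ICMP echo request, which is the condition described above. The input is shaped like the IpPermissions list from `aws ec2 describe-security-groups`; the group IDs and the CIDR are constructed placeholders, and source ranges are not evaluated.

```python
# Added example. SAMPLE is constructed data, not taken from the bug report.
ECHO_REQUEST = (8, 0)  # ICMP type 8, code 0
ECHO_REPLY = (0, 0)    # ICMP type 0, code 0


def permission_allows_icmp(perm, icmp_type, icmp_code):
    """True if one inbound permission admits the given ICMP type/code.

    For protocol "icmp", FromPort is the ICMP type and ToPort the ICMP
    code; -1 in either field is a wildcard. Protocol "-1" is all traffic.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "icmp":
        return False
    return (perm.get("FromPort") in (-1, icmp_type)
            and perm.get("ToPort") in (-1, icmp_code))


def groups_blocking_ping(security_groups):
    """Return GroupIds whose inbound rules never admit an echo request.

    Security groups are stateful: the reply to an admitted request needs
    no rule of its own, so an inbound echo-reply rule alone cannot make
    ping work.
    """
    return [sg["GroupId"] for sg in security_groups
            if not any(permission_allows_icmp(p, *ECHO_REQUEST)
                       for p in sg.get("IpPermissions", []))]


def _icmp(icmp_type, icmp_code):
    # Helper for the constructed sample; 10.0.0.0/16 is a placeholder CIDR.
    return {"IpProtocol": "icmp", "FromPort": icmp_type, "ToPort": icmp_code,
            "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}


SAMPLE = [
    {"GroupId": "sg-reply-only", "IpPermissions": [_icmp(0, 0)]},
    {"GroupId": "sg-echo-request", "IpPermissions": [_icmp(8, 0)]},
    {"GroupId": "sg-all-icmp", "IpPermissions": [_icmp(-1, -1)]},
    {"GroupId": "sg-ssh-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]

if __name__ == "__main__":
    for group_id in groups_blocking_ping(SAMPLE):
        print(f"{group_id}: inbound rules do not admit ICMP echo request")
```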

Comment 1 Nick Stielau 2019-03-18 17:27:29 UTC
Can you describe the impact of this?  Is the cluster functional?  Is it harder to debug?  Perhaps use the 'As an TYPE_OF_USER, I want to ping between masters and workers, so that I can USER_GOAL' format.

Comment 2 Meng Bo 2019-03-19 03:08:15 UTC
Hi Nick,

We (QE) sometimes try to debug the cluster network, and node-to-node connectivity is one of the checkpoints.

Besides the above, I'd like to know the reason that we set only the `ICMP reply` rule, which may not make ping work.
And since the nodes will not have a public IP, why do we set the cidr block to instead of a VPC internal subnet or another security group?


Comment 3 Casey Callendrello 2019-04-08 14:39:08 UTC
Hang on - if we really block ICMP between nodes, then it's definitely a bug. We 100% need ICMP internal to the VPC to be completely unblocked.

I'm checking now.

Comment 4 Scott Dodson 2019-04-08 19:41:21 UTC
Please let us know what you determine.

Comment 5 Casey Callendrello 2019-04-09 09:05:12 UTC
Filed PR https://github.com/openshift/installer/pull/1550

Comment 7 zhaozhanqi 2019-04-22 07:26:58 UTC
Tested this bug on 4.1.0-0.nightly-2019-04-22-005054; this issue has been fixed.

Comment 10 errata-xmlrpc 2019-06-04 10:46:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.