Bug 1732171 - The journal gateway public port TCP 19531 on the bootstrap machine using ipi-on-azure is closed
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Abhinav Dahiya
QA Contact: Johnny Liu
Depends On:
Reported: 2019-07-22 21:15 UTC by Etienne Simard
Modified: 2019-07-22 21:17 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-07-22 21:17:18 UTC
Target Upstream Version:


Description Etienne Simard 2019-07-22 21:15:16 UTC
Description of problem:

The port TCP 19531 Inbound is not currently allowed by the `${CLUSTER_NAME}*controlplane-nsg` Security Group in Azure.

Version-Release number of the following components:

Cluster ID
OpenShift Version

How reproducible:

Steps to Reproduce:
1. Create Cluster with ipi-on-azure
2. Before the end of the install, confirm that you can ssh to the ${BOOTSTRAP_IP} and then `curl --insecure --cert ${INSTALL_DIR}/tls/journal-gatewayd.crt --key ${INSTALL_DIR}/tls/journal-gatewayd.key 'https://${BOOTSTRAP_IP}:19531/entries?follow&_SYSTEMD_UNIT=bootkube.service'`

Actual results:

$  curl -vvv --insecure --cert ./tls/journal-gatewayd.crt --key ./tls/journal-gatewayd.key 'https://${BOOTSTRAP_IP}:19531/entries?follow&_SYSTEMD_UNIT=bootkube.service'
* Trying ${BOOTSTRAP_IP}...
* connect to ${BOOTSTRAP_IP} port 19531 failed: Connection timed out
* Failed to connect to ${BOOTSTRAP_IP} port 19531: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to ${BOOTSTRAP_IP} port 19531: Connection timed out

$ telnet ${BOOTSTRAP_IP} 19531
Trying ${BOOTSTRAP_IP}...

Check the `${CLUSTER_NAME}*controlplane-nsg` Security Group in Azure and you will see that we allow TCP 22 inbound but not 19531.

Expected results:

TCP 19531 inbound should exist in `${CLUSTER_NAME}*controlplane-nsg` Security Group

$ telnet ${BOOTSTRAP_IP} 19531
Trying ${BOOTSTRAP_IP}...
Connected to ${BOOTSTRAP_IP}.
Escape character is '^]'.
^CConnection closed by foreign host.

$ curl -vvv --insecure --cert ./tls/journal-gatewayd.crt --key ./tls/journal-gatewayd.key 'https://${BOOTSTRAP_IP}:19531/entries?follow&_SYSTEMD_UNIT=bootkube.service'
* Trying ${BOOTSTRAP_IP}...
* Connected to ${BOOTSTRAP_IP} (${BOOTSTRAP_IP}) port 19531 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* ignoring certificate verify locations due to disabled peer verification
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: O=OpenShift Bootstrap; CN=journal-gatewayd
* start date: Jul 22 20:18:43 2019 GMT
* expire date: Jul 19 20:18:50 2029 GMT
* issuer: OU=openshift; CN=root-ca
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /entries?follow&_SYSTEMD_UNIT=bootkube.service HTTP/1.1
> Host: ${BOOTSTRAP_IP}:19531
> User-Agent: curl/7.59.0
> Accept: */*
< HTTP/1.1 200 OK
< Connection: Keep-Alive
< Transfer-Encoding: chunked
< Content-Type: text/plain
< Date: Mon, 22 Jul 2019 20:41:27 GMT
Jul 22 20:25:47 qe-esimard-24414-p5cmb-bootstrap bootkube.sh[1502]: Pulling release image...

Additional info:

We should add the following rule (I tested it to get the Expected results):

bootstrap_journal_gateway_in PORT 19531/TCP Source Any, Allow

similar to the current Inbound rule for SSH:

bootstrap_ssh_in  PORT 22/TCP source Any, Allow

Comment 1 Abhinav Dahiya 2019-07-22 21:17:18 UTC
We have moved away from requiring the journald-gateway port to be publicly accessible, in favour of an SSH-based debug collector. So for the 4.2 platform this port is not required to be public.
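The two NSG states discussed above (the observed one, where only TCP 22 is allowed inbound from Any, and the proposed one with `bootstrap_journal_gateway_in` added) can be evaluated offline the way the Azure fabric does it: inbound rules are tried in ascending priority and the first match decides, with the built-in `DenyAllInBound` rule (priority 65500) catching everything else. The following Python is an added example, not code from this bug or from the installer. Rule dicts use the field names that `az network nsg rule list` prints, but the rule sets and their priority values are constructed for illustration; the second function lists every inbound Allow rule open to Any/Internet, which is the least-privilege audit implied by comment 1's resolution that the journal gateway port need not be public.

```python
"""Offline evaluation of Azure NSG inbound rules (added example).

Rules are plain dicts with the field names `az network nsg rule list`
prints.  Evaluation order: ascending `priority`, first match wins,
then Azure's default DenyAllInBound (priority 65500).
"""
from typing import Dict, List, Tuple

Rule = Dict[str, object]

# Azure's built-in catch-all for inbound traffic (real default rule).
DEFAULT_DENY: Rule = {
    "name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
    "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
    "destinationPortRange": "*",
}

# Constructed: what the reporter observed on ${CLUSTER_NAME}*controlplane-nsg
# (priority values are assumptions, not the installer's real ones).
OBSERVED: List[Rule] = [
    {"name": "bootstrap_ssh_in", "priority": 103, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "22"},
]

# Constructed: the same NSG with the rule the report proposes.
PROPOSED: List[Rule] = OBSERVED + [
    {"name": "bootstrap_journal_gateway_in", "priority": 104,
     "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "destinationPortRange": "19531"},
]

PUBLIC_SOURCES = ("*", "Internet")


def port_in_range(port: int, spec: str) -> bool:
    """Match a destinationPortRange value: '*', '22', '1000-2000' or a
    comma-separated mix of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def inbound_verdict(rules: List[Rule], port: int, proto: str = "Tcp") -> Tuple[str, str]:
    """Verdict for a packet from a public source to dest port/proto.

    Returns (access, rule_name) of the first matching inbound rule."""
    inbound = [r for r in rules if r["direction"] == "Inbound"] + [DEFAULT_DENY]
    for r in sorted(inbound, key=lambda r: int(r["priority"])):  # type: ignore[arg-type]
        if r["protocol"] not in ("*", proto):
            continue
        if r["sourceAddressPrefix"] not in PUBLIC_SOURCES:
            continue  # rule scoped to a VNet/prefix: does not apply to Internet
        if not port_in_range(port, str(r["destinationPortRange"])):
            continue
        return str(r["access"]), str(r["name"])
    return "Deny", "DenyAllInBound"  # unreachable, DEFAULT_DENY always matches


def public_allow_rules(rules: List[Rule]) -> List[str]:
    """Names of inbound Allow rules reachable from Any/Internet, in
    priority order: the set a least-privilege review should justify."""
    return [str(r["name"])
            for r in sorted(rules, key=lambda r: int(r["priority"]))  # type: ignore[arg-type]
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and r["sourceAddressPrefix"] in PUBLIC_SOURCES]


if __name__ == "__main__":
    for label, nsg in (("observed", OBSERVED), ("proposed", PROPOSED)):
        for port in (22, 19531):
            access, name = inbound_verdict(nsg, port)
            print(f"{label}: tcp/{port} -> {access} ({name})")
        print(f"{label}: publicly allowed rules = {public_allow_rules(nsg)}")
```

Run against the observed state, tcp/19531 falls through to `DenyAllInBound`, which is the connection timeout the report shows; against the proposed state it is allowed by `bootstrap_journal_gateway_in`, and that rule then appears in the public-allow audit list alongside SSH, which is exactly the exposure comment 1 says 4.2 no longer needs.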
