origin: oc cluster - pods can't resolve public DNS records on Fedora 24

In oc cluster, pods can’t resolve public DNS records. This is most probably an iptables-related issue, because after running iptables -F before oc cluster up it works as it is supposed to.

For me this only happens on Fedora 24. Also, more people like @josefkarasek experience the same issue there. On my second laptop (Arch Linux), all works fine.

@csrwng This is the issue we talked about on IRC. I am happy to provide more information, just let me know which one.

I am running latest master (v1.3.0-alpha.2+9ac6923-dirty), although I don’t believe it makes a difference.

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 18 (15 by maintainers)

Most upvoted comments

The simplest commands I have so far are to open the 8443/tcp and 53/udp ports on your default zone:

firewall-cmd --add-port=8443/tcp --add-port=53/udp

and if you’re happy doing that, then make it permanent:

firewall-cmd --permanent --add-port=8443/tcp --add-port=53/udp

If you want to limit traffic by source ip, you could create a new zone:

firewall-cmd --permanent --new-zone=openshift
firewall-cmd --permanent --zone=openshift --add-source=172.0.0.0/8
firewall-cmd --permanent --zone=openshift --add-port=8443/tcp --add-port=53/udp
firewall-cmd --reload
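An added example, not code from the issue thread or from the oc project: a small POSIX shell helper that checks which of the two ports named above (8443/tcp and 53/udp) are still missing from a firewalld zone and opens only those, so the commands are safe to re-run. It assumes firewall-cmd is installed and that open_missing is called as root; the sample `--list-ports` output at the bottom is constructed so the check part runs offline.

```shell
#!/bin/sh
# Added example (not from the issue thread): find which of the ports the
# thread says oc cluster up needs are missing from a firewalld zone, and open
# only those. Only the constructed sample at the bottom runs unattended; the
# function that talks to firewalld is invoked solely when you call it.

# Ports named in the thread: the API/web console on 8443/tcp, cluster DNS on 53/udp.
REQUIRED_PORTS="8443/tcp 53/udp"

# missing_ports "<list-ports output>": print each required port that does not
# appear in the space-separated port/proto list, one per line.
missing_ports() {
  listed=" $1 "
  for p in $REQUIRED_PORTS; do
    case "$listed" in
      *" $p "*) ;;                 # already open in this zone
      *) printf '%s\n' "$p" ;;     # still needs to be added
    esac
  done
}

# missing_count "<list-ports output>": number of required ports still closed.
missing_count() {
  missing_ports "$1" | wc -l | tr -d ' '
}

# open_missing [ZONE]: open the missing ports in ZONE (the default zone when
# unset), at runtime and permanently, then reload so the permanent rules are
# the live ones. Assumes firewall-cmd exists and that this runs as root.
open_missing() {
  zone="${1:-$(firewall-cmd --get-default-zone)}"
  listed="$(firewall-cmd --zone="$zone" --list-ports)"
  for p in $(missing_ports "$listed"); do
    firewall-cmd --zone="$zone" --add-port="$p"
    firewall-cmd --permanent --zone="$zone" --add-port="$p"
  done
  firewall-cmd --reload
}

# Constructed sample of `firewall-cmd --zone=public --list-ports` output on a
# host where only the console port was opened (the minimal F24 VM case below).
SAMPLE_PARTIAL="8443/tcp"
echo "ports still missing from the sample zone:"
missing_ports "$SAMPLE_PARTIAL"
```

Because firewall-cmd --reload discards runtime-only changes, the helper adds each port with and without --permanent before reloading. If you prefer the source-scoped zone from the comment above, pass that zone name to open_missing instead of relying on the default zone.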

I installed a minimal F24 VM, scp’d oc, ran oc cluster up, and hit an issue @csrwng says may be this one. I did have to run:

firewall-cmd --zone=public --add-port=8443/tcp --permanent
firewall-cmd --reload

to get the web console available after it came up.

The simplest commands I have so far are to open the 8443/tcp and 53/udp ports on your default zone

Is there some way to add this to the other rules that oc cluster up applies? The post-flush iptables output shows a bunch of new rules that are introduced when we run the command, so I would gather that we already have instrumentation in place to modify iptables…