OpenShift w/ service catalog fails to start with default firewall settings in CentOS

[galderz]

OpenShift cluster with service catalog should be able to start with default firewall settings on CentOS 7.5. With OpenShift 3.9 or 3.7.1 it does not.

OpenShift cluster, without service catalog, starts fine with default firewall settings.

With service catalog, it fails to do so: OpenShift logs are here and docker logs here.

[jwforres]

@openshift/team-service-catalog

[jpeeler]

I have a feeling you have firewalld enabled, but have not added the necessary rules to allow proper access. The lines are documented in https://github.com/openshift/origin/blob/release-3.9/docs/cluster_up_down.md. Try the following and then run cluster up:

docker network inspect -f "{{range .IPAM.Config }}{{ .Subnet }}{{end}}" bridge
172.17.0.0/16

If your bridge IP range does not match above, make sure to change it for the commands below:

firewall-cmd --permanent --new-zone dockerc
firewall-cmd --permanent --zone dockerc --add-source 172.17.0.0/16
firewall-cmd --permanent --zone dockerc --add-port 8443/tcp
firewall-cmd --permanent --zone dockerc --add-port 53/udp
firewall-cmd --permanent --zone dockerc --add-port 8053/udp
firewall-cmd --reload

[galderz]

Why do you need to fiddle with the firewall when access is happening from the same machine?

[jpeeler]

I assume because the docker interface is not added to a trusted zone by default. Did you have success with the above configuration?

[galderz]

I've not tried it. I don't have access to my machine right now. At the time I just simply disabled firewall.

[jpeeler]

I found reading over moby/moby#16137 (comment) was interesting (particularly about warnings reported by firewalld as expected). Since everything is working as intended, I'm closing this. Reopen if you find the firewalld configuration to not solve the problem.

[turgutfincan]

thank you