Closed simon3z closed 8 years ago
Don't you need to set --host-network=true?
Don't you need to set --host-network=true?
No, there's not need to use the host network (otherwise you can't do the redirection at all). Editing the dc manually (adding the hostPort
) solves the issue.
The --ports does not seem to open a specified host port, but is mapping a specified port to service.
oadm router --replicas=1 --service-account=router routerc --host-network=false --ports="80:10080,443:10443"
oc get svc routerc
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
routerc 172.30.99.118 <none> 10080/TCP,10443/TCP,1936/TCP 2m
Host ports default to container ports only when you use host network.
@ramr Can you just validate that this is behaving as expected?
For clarity --host-network=true
is not a workaround or a viable alternative for three reasons:
The real (working) workaround is to manually editing the deploymentConfig
of the router adding the relevant hostPort
value.
This is a regression from the behavior we had in 3.1 (where hostPort
was correctly added).
cc @deads2k
@simon3z this was specifically changed in commit: https://github.com/openshift/origin/commit/241d02b8e89d492ad680559e56bb1549c9985c34 to not expose host ports and run with lesser privileges (just hostnetwork scc for admin routers and just something that allows etcd view/list access to routes/endpoints for user routers]).
So in the case of running the router with host networking and the hostnetwork scc, you can already bind to those ports on the host network stack, so that one's a given. In container networking mode, we want to be able to run with a lesser set of privileges (aka as a regular and not admin user) and so the rationale out here is to not expose host ports as it requires a higher permission set.
So for your specific case, you can either do this via:
Example:
oadm router --latest-images --host-network=false
oc create -f
https://gist.githubusercontent.com/ramr/43f55948461df51cc8ffe01530af0ce7/raw/7ebab70c691692a2ecb5ad39db3aa092a65d35be/nodeport-router-yaml
And in both cases, whether its port 5000 or as the above example goes 30405, you would still need to punch a hole in firewall for that.
@ramr the oadm router
help states:
--ports='80:80,443:443': A comma delimited list of ports or port pairs to expose on the router pod. The default is set for HAProxy
So, if I am specifying a hostPort
I expect that to be honored (as it was in the past).
The fact that by default you want to use a service account that can't use an hostPort
is unrelated, because the user can specify a different service account (--service-account
) that has that permission.
So in the case of running the router with host networking and the hostnetwork scc, you can already bind to those ports on the host network stack, so that one's a given.
With --host-network=true
you can't do redirection:
# oadm router test1 --host-network=true --ports='5000:443'
error: For host networking mode, please ensure that the container [5000] and host [443] ports match
And in both cases, whether its port 5000 or as the above example goes 30405, you would still need to punch a hole in firewall for that.
With --host-network=false
you don't have to punch a hole in firewall because the nat
table redirection takes place before filtering.
Current situation is:
--host-network=true
I can't specify a different port with --ports='5000:443
(see above)--host-network=false
the ports I am specifying with --ports='5000:443
are not taken in account (even when using a service account that has access to hostPort
).For us this is a serious regression.
@ramr @smarterclayton @knobunc This looks like a significant and breaking change to our CLI that makes previously simple flows harder. We've just invalidated the instructions for installing CloudForms without giving any easy replacement.
I see these choices:
If we choose option 1, is it even possible to express the changes that are needed in terms of our oc patch
CLI command or would we be forcing people down into the interactive oc edit
mode?
We intended to drop support for hostPorts on routers. Firewall punching seems one argument - can you describe why you need firewall punching?
Actually, my bigger question is - how are you installing OpenShift? Is this for dev mode?
We intended to drop support for hostPorts on routers. Firewall punching seems one argument - can you describe why you need firewall punching?
Previously, he was able to successfully install his router using the openshift API without having to make corresponding changes on the nodes themselves. Requiring a firewall update requires him to have the authority and the tooling to make that change as well.
NodePort service (port range is a bit restrictive 30000-32767 however).
I'm pretty sure that a port other than 5000 defeats the purpose of the remapping that he's attempting to perform.
Remapping routers to arbitrary ports has never been support as part of the product. We'll keep backwards compatibility on the behavior, but users should know this is not a supported path for other reasons (no way to know what ports the resources are on). Host ports are not a recommended way to do anything, although they're a useful tool in dev / test clusters. Routers running on host-ports is not supported officially, just within the bounds of "if you do things, they work".
When running:
The resulting dc is not configured with the
hostPort
(5000):Version
origin-1.1.4-0.git.0.9d8230b.el7.centos.x86_64 oc v1.1.4 kubernetes v1.2.0-origin-41-g91d3e75
Steps To Reproduce
Provided above.
Current Result
The
hostPort
is not configured (it was in the past).Expected Result
The
hostPort
should be configured:cc @deads2k