#8981 iad2-osbs hosts cannot reach external endpoints
Closed: Fixed 3 years ago by mobrien. Opened 3 years ago by mobrien.

Describe what you would like us to do:


The virthosts for the new osbs deployment in iad2 listed below cannot call out to the internet. Any call to sites such as github or google returns with "cannot connect to host" on port 80/443.

  • osbs-control01.iad2.fedoraproject.org
  • osbs-master01.iad2.fedoraproject.org
  • osbs-node01.iad2.fedoraproject.org
  • osbs-node02.iad2.fedoraproject.org

I think this may be related to the network setup on the underlying host, as it seems to affect all of the virthosts.

When do you need this to be done by?

Whenever you have time



The original build network was set up under a high security environment where builders are not meant to talk to the internet without going through a proxy. We had to put in all kinds of one-off holes to allow things like osbs and other things to work and now I think we are back to figuring them out.

  • osbs-control01.iad2.fedoraproject.org

needs to be able to clone https://github.com/openshift/openshift-ansible.git (port 443)

  • osbs-master01.iad2.fedoraproject.org
  • osbs-node01.iad2.fedoraproject.org
  • osbs-node02.iad2.fedoraproject.org

need to pull container images from registry.redhat.com (port 443).

This is working for the os-control01.iad2, os-master01.iad2 etc ... so we can try to replicate the network configuration we have there.

OK, this is done by IP address. How many osbs nodes are there going to be, and for what architectures? I will need to get them added by that.

There are the above 4, which are x86, and I think there will be the same again but in aarch64, but @cverna will need to confirm that.

Metadata Update from @mohanboddu:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: groomed, medium-gain, medium-trouble

3 years ago

So I think we need port 443 (general https access) and port 8443 (openshift cluster API) open on the following boxes:

  • osbs-control01.iad2.fedoraproject.org
  • osbs-master01.iad2.fedoraproject.org
  • osbs-node01.iad2.fedoraproject.org
  • osbs-node02.iad2.fedoraproject.org

Then on aarch64 (vhost not in iad2 yet):

  • osbs-aarch64-master01.iad2.fedoraproject.org
  • osbs-aarch64-node01.iad2.fedoraproject.org
  • osbs-aarch64-node02.iad2.fedoraproject.org

This will also be needed for staging when we have a staging environment in IAD2.

Open in what way: that the internet can contact those boxes on 443, or that those boxes can go out to the internet on those ports?

We need to be able to clone a git repository and pull some container images, so I would say that we need the boxes to be able to go out to the internet on 443.

Port 8443 will be needed for koji builders and the aarch64 cluster to reach the x86_64 cluster, and for the clusters to communicate with each other. So I think this port needs to be open both ways, in and out.

Hope that makes sense.

So 443 to the internet is allowed from all the os*.iad2.fedoraproject.org hosts. I have tested and curl works out to various sites. The osbs nodes are now on the same network zone and should be able to talk to each other on 8443 without a firewall problem.

Thanks smooge, I can verify that port 443 works as I was able to progress on the playbook. I will hopefully be able to verify 8443 tomorrow and if so close the ticket.

This looks like it's working now, thanks smooge.

Metadata Update from @mobrien:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago
