IZ
ты гластеру скармливаешь block storage?
Size: a a a
2018 April 17
IZ
они у тебя прописаны?
A
Igor Zachinyaev
ты гластеру скармливаешь block storage?
да, целыми дисками отдаю
да, прописаны
да, прописаны
A
Igor у вас на гластер нодах есть докер?
A
упало...
код ошибки:
"fatal: [master01.example.com]: FAILED! => {"changed": true, "cmd": ["oc", "--config=/tmp/openshift-glusterfs-ansible-mb1uNb/admin.kubeconfig", "rsh", "--namespace=glusterfs", "deploy-heketi-storage-1-ph25d", "heketi-cli", "-s", "http://localhost:8080", "--user", "admin", "--secret", "bnh0Uh+9iya5KB5QSp81OzyZC8jsCH8jxaepnqImV6w=", "topology", "load", "--json=/tmp/openshift-glusterfs-ansible-mb1uNb/topology.json", "2>&1"], "delta": "0:00:08.665643", "end": "2018-04-17 12:50:52.840797", "failed_when_result": true, "rc": 0, "start": "2018-04-17 12:50:44.175154", "stderr": "", "stderr_lines": [], "stdout": "Creating cluster ... ID: f01ec06401677b769731ff29aa58b084\n\tAllowing file volumes on cluster.\n\tAllowing block volumes on cluster.\n\tCreating node gluster01.example.com ... ID: 20323a059bdb481bc56afcb7e65fb5cd\n\t\tAdding device /dev/sdb ... OK\n\t\tAdding device /dev/sdc ... OK\n\tCreating node gluster02.example.com ... Unable to create node: peer probe: failed: Probe returned with Transport endpoint is not connected\n\tCreating node gluster03.example.com ... ID: e2d0eac40ca9c23248d667eb5b93ffbe\n\t\tAdding device /dev/sdb ... OK\n\t\tAdding device /dev/sdc ... OK", "stdout_lines": ["Creating cluster ... ID: f01ec06401677b769731ff29aa58b084", "\tAllowing file volumes on cluster.", "\tAllowing block volumes on cluster.", "\tCreating node gluster01.example.com ... ID: 20323a059bdb481bc56afcb7e65fb5cd", "\t\tAdding device /dev/sdb ... OK", "\t\tAdding device /dev/sdc ... OK", "\tCreating node gluster02.example.com ... Unable to create node: peer probe: failed: Probe returned with Transport endpoint is not connected", "\tCreating node gluster03.example.com ... ID: e2d0eac40ca9c23248d667eb5b93ffbe", "\t\tAdding device /dev/sdb ... OK", "\t\tAdding device /dev/sdc ... OK"]}"
код ошибки:
"fatal: [master01.example.com]: FAILED! => {"changed": true, "cmd": ["oc", "--config=/tmp/openshift-glusterfs-ansible-mb1uNb/admin.kubeconfig", "rsh", "--namespace=glusterfs", "deploy-heketi-storage-1-ph25d", "heketi-cli", "-s", "http://localhost:8080", "--user", "admin", "--secret", "bnh0Uh+9iya5KB5QSp81OzyZC8jsCH8jxaepnqImV6w=", "topology", "load", "--json=/tmp/openshift-glusterfs-ansible-mb1uNb/topology.json", "2>&1"], "delta": "0:00:08.665643", "end": "2018-04-17 12:50:52.840797", "failed_when_result": true, "rc": 0, "start": "2018-04-17 12:50:44.175154", "stderr": "", "stderr_lines": [], "stdout": "Creating cluster ... ID: f01ec06401677b769731ff29aa58b084\n\tAllowing file volumes on cluster.\n\tAllowing block volumes on cluster.\n\tCreating node gluster01.example.com ... ID: 20323a059bdb481bc56afcb7e65fb5cd\n\t\tAdding device /dev/sdb ... OK\n\t\tAdding device /dev/sdc ... OK\n\tCreating node gluster02.example.com ... Unable to create node: peer probe: failed: Probe returned with Transport endpoint is not connected\n\tCreating node gluster03.example.com ... ID: e2d0eac40ca9c23248d667eb5b93ffbe\n\t\tAdding device /dev/sdb ... OK\n\t\tAdding device /dev/sdc ... OK", "stdout_lines": ["Creating cluster ... ID: f01ec06401677b769731ff29aa58b084", "\tAllowing file volumes on cluster.", "\tAllowing block volumes on cluster.", "\tCreating node gluster01.example.com ... ID: 20323a059bdb481bc56afcb7e65fb5cd", "\t\tAdding device /dev/sdb ... OK", "\t\tAdding device /dev/sdc ... OK", "\tCreating node gluster02.example.com ... Unable to create node: peer probe: failed: Probe returned with Transport endpoint is not connected", "\tCreating node gluster03.example.com ... ID: e2d0eac40ca9c23248d667eb5b93ffbe", "\t\tAdding device /dev/sdb ... OK", "\t\tAdding device /dev/sdc ... OK"]}"
A
o_O к 3 ноде все ок, ко второй транспорт недоступен. как только отключаешь фаерволл - все ок
IZ
А посмотри правила iptables
A
default ACCEPT
IZ
это потом, после отключения?
IZ
засвети сюда /etc/sysconfig/iptables
A
с какой ноды?
IZ
с любой, на которой glaster и не отключен iptables
A
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state —state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state —state NEW -m tcp —dport 22 -j ACCEPT
-A INPUT -j REJECT —reject-with icmp-host-prohibited
-A FORWARD -j REJECT —reject-with icmp-host-prohibited
COMMIT
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state —state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state —state NEW -m tcp —dport 22 -j ACCEPT
-A INPUT -j REJECT —reject-with icmp-host-prohibited
-A FORWARD -j REJECT —reject-with icmp-host-prohibited
COMMIT
A
я такое раньше встречал...просто во время установки периодически отключал iptables и типо все ок...или писал руками туда правила
IZ
файлик у тебя мягко скажем пустой
A
ну...голый цент, накатан только гластер и все. далее накатывается облако...как я понимаю, оно все равно правила перезаписывает
A
или нет?
IZ
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Mon Apr 16 21:14:35 2018
*nat
:PREROUTING ACCEPT [2:784]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [1:76]
:DOCKER - [0:0]
-A PREROUTING -m addrtype —dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype —dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Mon Apr 16 21:14:35 2018
# Generated by iptables-save v1.4.21 on Mon Apr 16 21:14:35 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:OS_FIREWALL_ALLOW - [0:0]
-A INPUT -m state —state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state —state NEW -m tcp —dport 22 -j ACCEPT
-A INPUT -j OS_FIREWALL_ALLOW
-A INPUT -j REJECT —reject-with icmp-host-prohibited
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack —ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j REJECT —reject-with icmp-host-prohibited
-A DOCKER-ISOLATION -j RETURN
-A OS_FIREWALL_ALLOW -p tcp -m state —state NEW -m tcp —dport 2379 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state —state NEW -m tcp —dport 2380 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state —state NEW -m tcp —dport 8443 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state —state NEW -m tcp —dport 8444 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state —state NEW -m tcp —dport 8053 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state —state NEW -m udp —dport 8053 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state —state NEW -m tcp —dport 10250 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state —state NEW -m tcp —dport 80 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state —state NEW -m tcp —dport 443 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state —state NEW -m udp —dport 4789 -j ACCEPT
COMMIT
типичный мастер, совмещенный с нодой
# Generated by iptables-save v1.4.21 on Mon Apr 16 21:14:35 2018
*nat
:PREROUTING ACCEPT [2:784]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [1:76]
:DOCKER - [0:0]
-A PREROUTING -m addrtype —dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype —dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Mon Apr 16 21:14:35 2018
# Generated by iptables-save v1.4.21 on Mon Apr 16 21:14:35 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:OS_FIREWALL_ALLOW - [0:0]
-A INPUT -m state —state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state —state NEW -m tcp —dport 22 -j ACCEPT
-A INPUT -j OS_FIREWALL_ALLOW
-A INPUT -j REJECT —reject-with icmp-host-prohibited
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack —ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j REJECT —reject-with icmp-host-prohibited
-A DOCKER-ISOLATION -j RETURN
-A OS_FIREWALL_ALLOW -p tcp -m state —state NEW -m tcp —dport 2379 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state —state NEW -m tcp —dport 2380 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state —state NEW -m tcp —dport 8443 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state —state NEW -m tcp —dport 8444 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state —state NEW -m tcp —dport 8053 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state —state NEW -m udp —dport 8053 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state —state NEW -m tcp —dport 10250 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state —state NEW -m tcp —dport 80 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state —state NEW -m tcp —dport 443 -j ACCEPT
-A OS_FIREWALL_ALLOW -p udp -m state —state NEW -m udp —dport 4789 -j ACCEPT
COMMIT
типичный мастер, совмещенный с нодой
IZ
все правила генерятся инсталлером
A
т.е. бесполезно заранее конфигурировать правила?