IBM Support

Outbound Request from Script Package Fails with Connection Error on PureApplication System

Troubleshooting


Problem

Script packages executed during PureApplication System pattern deployment may fail when issuing outbound requests such as HTTP GETs.

Symptom

Error messages in the script package system output may include "Operation not permitted" from commands that require outbound network connectivity. For example, if the script package runs ping and traceroute to debug network connection failures to server xxx.yyy.zzz.113, the following output may indicate that the outbound request is not allowed:

PING xxx.yyy.zzz.113 (xxx.yyy.zzz.113) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

traceroute to xxx.yyy.zzz.113 (x.y.z.113), 30 hops max, 60 byte packets
send: Operation not permitted

The same script package executed on the virtual machine after deployment completes may be able to make the outbound connection successfully.

Cause

The virtual machine activation steps perform additional setup after user script packages run, including updating the firewall on the virtual machine. Until that update happens, the default initial firewall policy is in effect. It allows all outgoing connections on the loopback address, 127.0.0.1, and SSH, DNS, and NTP outbound connections on any interface. Other outbound requests issued while the script package runs are blocked.

Diagnosing The Problem

To confirm that the firewall configuration is the cause of the outbound connection failure, temporarily disable the firewall in the script package as a test.

Switch to the root userid before executing these commands; you must be root for the commands to work properly.


Linux: service iptables stop

AIX: mkfilt -d

There are additional ways to check outbound connections. These may be useful to add to the script during debugging, or to run manually if the script fails not only during deployment, but also when run manually after deployment has completed:

  • wget http://<ip_address>:<port>

A successful wget will yield:
--yyyy-mm-dd hh:mm:ss-- http://<ip_address>:<port>
Connecting to <ip_address>:<port>... connected.
HTTP request sent, awaiting response... <http_return_code> (for example, 200 OK or 403 Forbidden)
Length: <length>

  • curl -v telnet://<ip_address>:<port>

Successful output may include:
* About to connect() to <ip_address> port <port>
* Trying <ip_address>... connected

  • telnet <ip_address> <port>

A successful connection may show nothing more than a prompt.

  • iptables -L -n -v | grep <port>

If no results are returned, the port <port> has not been opened. If the port has been opened but the wget or cur

Resolving The Problem

Make a copy of the script and modify it so instead of stopping the firewall, it opens the port required for the outbound request. For example, for an HTTP request on port 80 on a Linux virtual machine, a command to open port 80 on the firewall may address the issue:

/sbin/iptables -I OUTPUT -p tcp --dport 80 -m tcp --destination ${FILE_SERVER} -j ACCEPT
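
The scoped rule above, wrapped for use inside a script package, as an added example that is not part of the IBM technote: it validates the destination, inserts the ACCEPT rule, runs the outbound command, and deletes the rule afterwards. The cleanup step and the names IPTABLES, outbound_rule_spec and with_outbound_rule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IBM's code): open one outbound TCP port to one host
# while a command runs, instead of stopping the firewall. Linux, as root.
# IPTABLES and both function names are assumptions of this example.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Print the rule specification shared by insert (-I) and delete (-D).
# The host may contain only letters, digits, dots and hyphens and may not
# start with "-" or "."; the port must be 1-65535. This keeps a value taken
# from a script parameter from adding extra iptables options.
outbound_rule_spec() {
    host=$1
    port=$2
    case $host in
        ''|-*|.*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    case $port in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#port}" -le 5 ] && [ "$port" -le 65535 ] || return 1
    echo "OUTPUT -p tcp --dport $port -m tcp --destination $host -j ACCEPT"
}

# with_outbound_rule <host> <port> <command...>
# Inserts the ACCEPT rule, runs the command, then deletes the rule whether
# or not the command succeeded. Returns the command's exit status
# (2 = invalid destination, 3 = the rule could not be inserted).
with_outbound_rule() {
    spec=$(outbound_rule_spec "$1" "$2") || {
        echo "invalid destination: $1:$2" >&2
        return 2
    }
    shift 2
    # $spec was validated above, so the unquoted word splitting is intended.
    "$IPTABLES" -I $spec || return 3
    rc=0
    "$@" || rc=$?
    "$IPTABLES" -D $spec
    return $rc
}

# Usage in a script package (FILE_SERVER as in the command above; the URL
# path and output file are placeholders):
#   with_outbound_rule "$FILE_SERVER" 80 \
#       wget -q -O /tmp/payload "http://$FILE_SERVER/payload"
```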


Document Information

More support for:
PureApplication System

Software version:
2.2.0.0, 2.1.2.1, 2.1.2.0, 2.1.1.0, 2.1.0.2, 2.1.0.1, 2.1.0.0, 2.0.0.1, 2.0

Document number:
513719

Modified date:
15 June 2018

UID

swg21676233
