Bug 1014616

Summary: The default iptables configuration prevents the engine from communication with the host
Product: Red Hat Enterprise Virtualization Manager Reporter: Roman Hodain <rhodain>
Component: ovirt-hosted-engine-setupAssignee: Sandro Bonazzola <sbonazzo>
Status: CLOSED ERRATA QA Contact: movciari
Severity: high Docs Contact:
Priority: urgent    
Version: 3.3.0CC: acathrow, alonbl, didi, iheim, oschreib, pstehlik, rhodain, sbonazzo
Target Milestone: ---   
Target Release: 3.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: integration
Fixed In Version: ovirt-hosted-engine-setup-1.0.0-0.6.beta1.el6ev Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-21 16:54:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Roman Hodain 2013-10-02 12:05:33 UTC 
Description of problem:
   ovirt-hosted-engine-setup configures the firewall during the installation process in the following way:

# cat /usr/share/ovirt-hosted-engine-setup/templates/iptables.default.in
# Generated by ovirt-hosted-engine-setup installer
#filtering rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
@CUSTOM_RULES@
#drop all rule
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Version-Release number of selected component (if applicable):
   ovirt-hosted-engine-setup-1.0.0-0.4.beta.el6ev.noarch

How reproducible:
   100%

Steps to Reproduce:
1. Let the ovirt-hosted-engine-setup to configure the IP tables
2. Install the manager


Actual results:
   Host is non responsive and the setup scripts reads:
      Still waiting for VDSM host to become operational...

Expected results:
   Host is UP

Additional info:
We have to open port 54321. The communication does not go via LO device but from vnet0 to rhevm

# brctl show
bridge name	bridge id		STP enabled	interfaces
;vdsmdummy;		8000.000000000000	no		
rhevm		8000.ac162db11b78	no		eth0
							vnet0
Comment 1 Sandro Bonazzola 2013-10-02 12:59:11 UTC 
I'm not sure it's actually an ovirt-hosted-engine-setup bug.
ovirt-hosted-engine-setup changes iptables rules only untill the host is added to the engine. 
When it adds the host it should be ovirt-host-deploy that take care to change iptables rules in order to have the host properly configured.
In all-in-one plugin we configure iptables during setup and disable the iptables configuration on host-deploy through SDK. But here we're not disabling that configuration.
Alon can you help figuring out what is happening?
Roman can you attach the log from host-deploy?
Comment 6 Alon Bar-Lev 2013-10-04 21:06:54 UTC 
NETWORK/iptablesEnable=bool:'False' - host-deploy will not setup iptables.
NETWORK/firewalldEnable=bool:'False' - host-deploy will not setup firealld.
Comment 7 Sandro Bonazzola 2013-10-09 15:37:14 UTC 
patch merged upstream on master and 1.0 branch
Comment 9 Charlie 2013-11-28 01:19:25 UTC 
This bug is currently attached to errata RHBA-2013:15257. If this change is not to be documented in the text for this errata please either remove it from the errata, set the requires_doc_text flag to 
minus (-), or leave a "Doc Text" value of "--no tech note required" if you do not have permission to alter the flag.

Otherwise to aid in the development of relevant and accurate release documentation, please fill out the "Doc Text" field above with these four (4) pieces of information:

* Cause: What actions or circumstances cause this bug to present.
* Consequence: What happens when the bug presents.
* Fix: What was done to fix the bug.
* Result: What now happens when the actions or circumstances above occur. (NB: this is not the same as 'the bug doesn't present anymore')

Once filled out, please set the "Doc Type" field to the appropriate value for the type of change made and submit your edits to the bug.

For further details on the Cause, Consequence, Fix, Result format please refer to:

https://bugzilla.redhat.com/page.cgi?id=fields.html#cf_release_notes 

Thanks in advance.
Comment 10 Sandro Bonazzola 2013-12-05 10:58:38 UTC 
hosted engine is a new package, does not need errata for specific bugs during its development.
Comment 11 errata-xmlrpc 2014-01-21 16:54:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0083.html