Bug 1075687 (ovirt_setup_firewalld_support)

Summary: [RFE] Add FirewallD support to hosted-engine setup
Product: [oVirt] ovirt-hosted-engine-setup Reporter: Martin Pavlik <mpavlik>
Component: RFEsAssignee: Simone Tiraboschi <stirabos>
Status: CLOSED CURRENTRELEASE QA Contact: Nikolai Sednev <nsednev>
Severity: low Docs Contact:
Priority: medium    
Version: ---CC: alukiano, aristotleahito, bugs, didi, dmoessne, dougsland, gcheresh, justin.brown, mavital, mburman, mpavlik, mperina, rbalakri, sbonazzo, srevivo, stirabos, ylavi
Target Milestone: ---Keywords: FutureFeature, Reopened
Target Release: ---Flags: ylavi: ovirt-future?
ylavi: planning_ack?
ylavi: devel_ack?
ylavi: testing_ack?
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Feature: Add FirewallD support to hosted-engine setup Reason: Result (if any):
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-06-06 12:18:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Integration RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 995362    
Bug Blocks:    
Attachments:
Description Flags
logs none

Description Martin Pavlik 2014-03-12 15:21:54 UTC 
Description of problem:
When trying to deploy self hosted engine using command

hosted-engine --deploy

it fails with 

[ ERROR ] Failed to execute stage 'Environment setup': Command '/bin/systemctl' failed to execute

in /var/log/ovirt-hosted-engine-setup/ovirt-hosted-engine-setup-20140312153801.log

we can see

2014-03-12 15:41:12 DEBUG otopi.context context.dumpEnvironment:478 ENV NETWORK/firewalldAvailable=bool:'False'

despite the fact firewalld is available and running

[root@dell-r210ii-08 ~]# /bin/systemctl | grep firewall
firewalld.service           loaded active running   firewalld - dynamic firewall daemon


Version-Release number of selected component (if applicable):
[root@dell-r210ii-08 ~]# cat /etc/redhat-release 
Fedora release 19 (Schrödinger’s Cat)

[root@dell-r210ii-08 ~]# rpm -qa | grep otopi
otopi-1.2.0-0.9.rc3.fc19.noarch

[root@dell-r210ii-08 ~]# rpm -qa | grep vdsm
vdsm-4.14.5-0.fc19.x86_64

[root@dell-r210ii-08 ~]# rpm -qa | grep hosted
ovirt-hosted-engine-setup-1.1.1-1.fc19.noarch
ovirt-hosted-engine-ha-1.1.1-1.fc19.noarch

How reproducible:
100%

Steps to Reproduce:
1. yum install ovirt-hosted-engine-setup -y && hosted-engine --deploy

Actual results:
otopi does not detect firewalld service properly

Expected results:
otopi detects firewalld service properly

Additional info:
at the beginning there was a problem with PKI
[ ERROR ] Failed to execute stage 'Environment setup': [Errno 2] No such file or directory: '/etc/pki/libvirt/clientcert.pem'

it can be fixed by

mkdir /etc/pki/libvirt
Comment 1 Alon Bar-Lev 2014-03-16 09:58:15 UTC 
why don't you attach logs?
Comment 2 Martin Pavlik 2014-03-17 08:38:10 UTC 
(In reply to Alon Bar-Lev from comment #1)
> why don't you attach logs?

sorry my bad,

attaching
Comment 3 Martin Pavlik 2014-03-17 08:38:39 UTC 
Created attachment 875375 [details]
logs
Comment 4 Alon Bar-Lev 2014-03-17 15:40:55 UTC 
I kind of think this is on purpose. We do not support host (vdsm) with firewalld.

2014-03-17 09:32:01 DEBUG otopi.context context.dumpEnvironment:478 ENV NETWORK/firewalldEnable=bool:'False'

I leave sandro to close this.
Comment 5 Sandro Bonazzola 2014-03-17 15:50:11 UTC 
(In reply to Alon Bar-Lev from comment #4)
> I kind of think this is on purpose. We do not support host (vdsm) with
> firewalld.

We don't support firewalld on hosted engine host since engine doesn't support firewalld.
But hosted-engine --deploy should not fail with

 [ ERROR ] Failed to execute stage 'Environment setup': Command '/bin/systemctl' failed to execute

because of that.
I've to take a better look at the logs.
Comment 6 Alon Bar-Lev 2014-03-17 15:53:46 UTC 
Please rename bug or open one per issue... and close this one.
Comment 7 Sandro Bonazzola 2014-03-17 16:01:48 UTC 
It failed on vdsmd not on firewalld. And vdsm.log is 0 byte so it seems like bug #1055153 .

So, for the systemctl failure, please refer to bug #1055153

For the firewalld support disabled, going to close this as closed cantfix due to missing support on ovirt-engine deploy to firewalld ( bug #995362 )
Comment 8 Martin Pavlik 2014-03-17 16:19:08 UTC 
(In reply to Sandro Bonazzola from comment #5)
> (In reply to Alon Bar-Lev from comment #4)
> > I kind of think this is on purpose. We do not support host (vdsm) with
> > firewalld.
> 
> We don't support firewalld on hosted engine host since engine doesn't
> support firewalld.
> But hosted-engine --deploy should not fail with
> 
>  [ ERROR ] Failed to execute stage 'Environment setup': Command
> '/bin/systemctl' failed to execute
> 
> because of that.
> I've to take a better look at the logs.


And what will we do when RHEL 7 is out? 

Red Hat Enterprise Linux 7.0 Beta ships with the dynamic firewall daemon, firewalld ( source https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html-single/7.0_Release_Notes/index.html#chap-networking )

I think we need to add this support.
Comment 9 Sandro Bonazzola 2014-03-17 16:27:51 UTC 
AFAIK iptables is still supported on RHEL7. 
I've converted this bug to a RFE for adding FirewallD support when ovirt will support it, but still can't fix this now.
Comment 10 Sandro Bonazzola 2014-06-11 08:11:46 UTC 
*** Bug 1107805 has been marked as a duplicate of this bug. ***
Comment 12 Sandro Bonazzola 2015-09-04 09:02:10 UTC 
This is an automated message.
This Bugzilla report has been opened on a version which is not maintained anymore.
Please check if this bug is still relevant in oVirt 3.5.4.
If it's not relevant anymore, please close it (you may use EOL or CURRENT RELEASE resolution)
If it's an RFE please update the version to 4.0 if still relevant.
Comment 13 Artyom 2015-09-08 14:15:25 UTC 
Hi Sandro, I can say that we do not have problem with vdsmd service on RHEL7 hosts under 3.5.4, but what about support of firewalld service, have you some information about it?
Comment 14 Sandro Bonazzola 2015-09-14 11:06:19 UTC 
No plans for firewalld support yet, so still valid.
Comment 15 Yaniv Kaul 2017-06-07 21:48:28 UTC 
(In reply to Sandro Bonazzola from comment #14)
> No plans for firewalld support yet, so still valid.

Any updates?
Comment 16 Sandro Bonazzola 2017-06-09 15:04:17 UTC 
(In reply to Yaniv Kaul from comment #15)
> (In reply to Sandro Bonazzola from comment #14)
> > No plans for firewalld support yet, so still valid.
> 
> Any updates?

There are plans to add firewalld configuration using ansible on engine side.
When it will be ready I think hosted-engine setup won't need firewalld support anymore unless we want firewalld being up and running during the initial setup on first host.
Comment 17 Sandro Bonazzola 2017-08-24 09:39:28 UTC 
Simone, Martin, can we move this to modified with the firewalld ansible post-deploy handling?
Comment 18 Martin Perina 2017-09-21 12:49:14 UTC 
AFAIK hosted engine setup is adding host using RESTAPI engine call, so if firewalld is set on the cluster (by default from 4.2), then firewalld is configured, enabled and started during host-deploy flow.

So the only question which comes to mind is: Do hosted engine HA deamons communicate directly over network among themselves and if so, are ports required for this communication included in ports configured by ovirt-host-deploy-firewalld Ansible role [1]?

[1] https://github.com/oVirt/ovirt-ansible/tree/master/roles/ovirt-host-deploy-firewalld/vars
Comment 19 Yedidyah Bar David 2017-09-24 07:00:34 UTC 
hosted-engine --deploy also needs to handle the firewall for the stage before the engine is up.

This used to be particularly important for accessing the engine vm console using spice/vnc, before the appliance flow was introduced and before we moved to connect using virtual serial console.

A quick grep FIREWALLD_SERVICES finds:

1. hosted-console

Can be considered deprecated/obsoleted, since bug 1333449?

2. hosted-cockpit

Obviously still needed, was added for bug 1335426. Anyone knows if anything else handles it these days?

3. hosted-gluster

No idea, perhaps gdeploy handles it.
Comment 20 Yaniv Lavi 2018-06-06 12:18:48 UTC 
This is fixed with node zero deployment in oVirt 4.2.