Bug 1109326

Summary: 3.4 upgrade does not set correct iptables rules when serving ISO domain from RHEV-M host
Product: Red Hat Enterprise Virtualization Manager
Reporter: Thom Carlin <tcarlin>
Component: ovirt-engine-setup
Assignee: Simone Tiraboschi <stirabos>
Status: CLOSED ERRATA
QA Contact: Pavel Stehlik <pstehlik>
Severity: high
Docs Contact:
Priority: high
Version: 3.4.0
CC: aberezin, amureini, audgiri, bazulay, dfediuck, didi, dkuznets, dornelas, ecohen, gwatson, herrold, iheim, lbopf, lpeer, lveyde, mkalinin, pstehlik, rbalakri, Rhev-m-bugs, sbonazzo, sherold, stirabos, wdaniel, yeylon
Target Milestone: ---
Keywords: ZStream
Target Release: 3.5.0
Hardware: All
OS: All
Whiteboard: integration
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
During upgrades, if automatic firewall configuration with iptables was chosen, NFS server ports were closed off. This caused problems for NFS storage domains. Now, NFS status is checked before iptables configuration is generated.
Story Points: ---
Clone Of:
: 1157678 (view as bug list) Environment:
Last Closed: 2015-02-11 18:03:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1133612, 1157678

Description Thom Carlin 2014-06-13 16:41:33 UTC
Description of problem:

If automatic firewall configuration is chosen, NFS server ports are closed off.  This causes problems for NFS storage domains.

Version-Release number of selected component (if applicable):

3.4

How reproducible:

Every time

Steps to Reproduce:
1. On a 3.3 RHEV-M system acting as an NFS server for storage domain
2. Upgrade RHEV-M to 3.4, taking defaults
3. Try to access NFS storage domain from hypervisor

Actual results:

Timeout

Expected results:

Access to storage domain

Additional info:

This could be viewed as a bug or as an RFE.  In my case, I encountered it on an ISO domain.

Comment 1 Thom Carlin 2014-06-13 16:47:45 UTC
Diagnosing the error may be difficult.  Once you do, an easy workaround is to add the appropriate iptables rules after the fact.

Comment 3 Itamar Heim 2014-09-09 16:15:19 UTC
Sandro - please verify for:
1. clean install 3.3 with ISO domain and firewall, check rules, upgrade to 3.4 (with reconfigure firewall), check rules.
2. same from 3.4 to 3.5...

Comment 5 Sandro Bonazzola 2014-09-11 11:32:41 UTC
Simone is taking care of trying to reproduce the issue. Moving the needinfo on him.

Comment 6 Simone Tiraboschi 2014-09-11 15:10:45 UTC
Reproduced.
Upgrading from 3.3.4 to 3.4.2, it loses these rules:
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:6100 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:111 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:111 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:662 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:662 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:875 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:875 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:892 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:892 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2049 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:32769 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:32803
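
An added example (not part of the bug report and not ovirt-engine-setup code): a shell check that reads `iptables -L -n` style output and reports which of the rules Comment 6 lists as lost are absent, so the regression can be spotted directly instead of through a storage-domain timeout. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which ACCEPT rules from Comment 6 are absent from
# `iptables -L -n` style output read on stdin.

# proto/port pairs copied from the rules Comment 6 reports as lost.
EXPECTED_RULES="tcp/6100 tcp/111 udp/111 tcp/662 udp/662 tcp/875 udp/875 tcp/892 udp/892 tcp/2049 udp/32769 tcp/32803"

# missing_rules: prints one "proto/port" per line for every expected pair
# with no ACCEPT line; prints nothing when all are present.
# Only single-port "dpt:N" matches are recognised (no multiport ranges).
missing_rules() {
    awk -v expected="$EXPECTED_RULES" '
        # Listing lines look like:
        #   ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2049
        $1 == "ACCEPT" {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^dpt:[0-9]+$/) {
                    port = $i
                    sub(/^dpt:/, "", port)
                    seen[$2 "/" port] = 1
                }
        }
        END {
            n = split(expected, want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen))
                    print want[i]
        }
    '
}

# Constructed sample (not output from the bug report): a post-upgrade
# listing that kept SSH, HTTPS and only two of the NFS-related rules.
sample_after_upgrade() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:111
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2049
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
EOF
}

sample_after_upgrade | missing_rules
```

On a live host, pipe `iptables -L -n` into `missing_rules` before and after running engine-setup and compare the two results.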

Comment 12 Dima Kuznetsov 2014-09-28 14:50:30 UTC
Hey, Simone.
I am using recent master rpms, and I have some problems with running engine-setup; it fails with the following message (pretty much default on all options):
[ ERROR ] Failed to execute stage 'Setup validation': 'str' object has no attribute 'review_config'

And this is the trace from the log:
2014-09-28 14:15:36 DEBUG otopi.context context._executeMethod:138 Stage validation METHOD otopi.plugins.ovirt_engine_setup.base.network.firewall_manager.Plugin._review_config
2014-09-28 14:15:36 DEBUG otopi.context context._executeMethod:152 method exception
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/otopi/context.py", line 142, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/base/network/firewall_manager.py", line 247, in _review_config
    manager.review_config()
AttributeError: 'str' object has no attribute 'review_config'
2014-09-28 14:15:36 ERROR otopi.context context._executeMethod:161 Failed to execute stage 'Setup validation': 'str' object has no attribute 'review_config'

Could it be somehow related to http://gerrit.ovirt.org/#/c/33085/ ?

Thanks

Comment 13 Simone Tiraboschi 2014-09-29 09:48:41 UTC
Yes, it's a fault of mine. I added a patch to address that case. Thanks.

Comment 14 Yedidyah Bar David 2014-10-13 06:14:41 UTC
*** Bug 1071306 has been marked as a duplicate of this bug. ***

Comment 16 Arthur Berezin 2014-10-26 09:20:37 UTC
Moving this to Scott.

Comment 17 Scott Herold 2014-10-27 12:53:30 UTC
Added to 3.4.4 tracker

Comment 20 Petr Beňas 2014-10-30 10:02:15 UTC
in vt8

Comment 23 errata-xmlrpc 2015-02-11 18:03:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0158.html