Bug 1169178
Summary: | [RHCI] [Install] The permissions required for the internal ISO domain must be clarified | ||
---|---|---|---|
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Andrew Dahms <adahms> |
Component: | Documentation | Assignee: | Lucy Bopf <lbopf> |
Status: | CLOSED NOTABUG | QA Contact: | Andrew Dahms <adahms> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 3.5.0 | CC: | ecohen, gklein, lbopf, lsurette, rbalakri, yeylon |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | 1169176 | Environment: | |
Last Closed: | 2014-12-16 06:49:59 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1021182, 1169176 | ||
Bug Blocks: | 1174605 | ||
Deadline: | 2014-12-18 |
Description
Andrew Dahms
2014-12-01 00:20:52 UTC
The engine-setup output that deals with the ISO domain also needs to be updated as part of this bug. The warning message was updated in the RHEV docs as part of 3.5 beta--"Local ISO domain ACL - note that the default will restrict access to 0.0.0.0/0.0.0.0 only, for security reasons [0.0.0.0/0.0.0.0(rw)]:"--but the default network was carried over from 3.4. (This probably happened because 0.0.0.0/0.0.0.0 at first appears to be placeholder, stripped of identifying information.) So, the message currently says that access is restricted to the entire network, for security reasons. The intended behaviour is that access is restricted to the Manager machine. All instances of 0.0.0.0/0.0.0.0 must be changed to either 'localhost' or <replaceable>manager-fqdn</replaceable>. In the RHCI docs, the warning message also needs to be added. This affects topic 41681. Edit: The configuration change described in Comment #1 was only implemented from 3.5. Since RHCI currently uses RHEV 3.4, the change is not yet required. I am testing the implementation of the local ISO domain on 3.4 to confirm that the 3.4 permissions allow the local ISO domain to be attached to a data center. As part of this bug, I will also update the output of engine-setup. This involves simply swapping the 'WebSocket Proxy' and 'ISO domain' steps. After some research and testing, I have concluded that the ISO domain created in 3.4 is indeed configured with world readable-writable permissions. As such, any host in the environment is able to mount the ISO domain, and it can be attached to a data center. This was verified using nfs-check.py from the host to access the ISO domain. (The ISO domain could not be attached to a data center in my particular testing environment, because my environment does not have a fully qualified domain name. One of the prerequisites for RHEV installation in RHCI is "the fully qualified domain name of the system on which the Manager is to be installed", so this will not be an issue for users.) I am closing this as NOTABUG. We will need to revisit this when RHCI supports RHEV 3.5. |