Bug 1169178

Summary: [RHCI] [Install] The permissions required for the internal ISO domain must be clarified
Product: Red Hat Enterprise Virtualization Manager Reporter: Andrew Dahms <adahms>
Component: DocumentationAssignee: Lucy Bopf <lbopf>
Status: CLOSED NOTABUG QA Contact: Andrew Dahms <adahms>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 3.5.0CC: ecohen, gklein, lbopf, lsurette, rbalakri, yeylon
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1169176 Environment:
Last Closed: 2014-12-16 06:49:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1021182, 1169176    
Bug Blocks: 1174605    
Deadline: 2014-12-18   

Description Andrew Dahms 2014-12-01 00:20:52 UTC 
+++ This bug was initially created as a clone of Bug #1169176 +++

Guides: cs22957, cs22967

By default, access to the internal ISO domain created when you run the engine-setup command is restricted to the machine where the Manager is hosted. This prevents the ISO domain from being mounted on a host in the environment, meaning that even though the ISO domain itself is created correctly, all attempts to attach it to a data center fail.

The permissions that users must configure for the ISO domain as part of running the engine-setup command must be clarified. In particular, is there a 'recommended' setting such as restricting access to only the subnet or network where the Manager and hosts are located?

This bug affects 41681.
Comment 1 Lucy Bopf 2014-12-09 07:11:58 UTC 
The engine-setup output that deals with the ISO domain also needs to be updated as part of this bug.

The warning message was updated in the RHEV docs as part of 3.5 beta--"Local ISO domain ACL - note that the default will restrict access to 0.0.0.0/0.0.0.0 only, for security reasons [0.0.0.0/0.0.0.0(rw)]:"--but the default network was carried over from 3.4. (This probably happened because 0.0.0.0/0.0.0.0 at first appears to be placeholder, stripped of identifying information.) So, the message currently says that access is restricted to the entire network, for security reasons. The intended behaviour is that access is restricted to the Manager machine. All instances of 0.0.0.0/0.0.0.0 must be changed to either 'localhost' or <replaceable>manager-fqdn</replaceable>. In the RHCI docs, the warning message also needs to be added.

This affects topic 41681.
Comment 2 Lucy Bopf 2014-12-16 05:14:33 UTC 
Edit: The configuration change described in Comment #1 was only implemented from 3.5. Since RHCI currently uses RHEV 3.4, the change is not yet required. I am testing the implementation of the local ISO domain on 3.4 to confirm that the 3.4 permissions allow the local ISO domain to be attached to a data center.

As part of this bug, I will also update the output of engine-setup. This involves simply swapping the 'WebSocket Proxy' and 'ISO domain' steps.
Comment 3 Lucy Bopf 2014-12-16 06:49:59 UTC 
After some research and testing, I have concluded that the ISO domain created in 3.4 is indeed configured with world readable-writable permissions. As such, any host in the environment is able to mount the ISO domain, and it can be attached to a data center. This was verified using nfs-check.py from the host to access the ISO domain. (The ISO domain could not be attached to a data center in my particular testing environment, because my environment does not have a fully qualified domain name. One of the prerequisites for RHEV installation in RHCI is "the fully qualified domain name of the system on which the Manager is to be installed", so this will not be an issue for users.)

I am closing this as NOTABUG. We will need to revisit this when RHCI supports RHEV 3.5.