Bug 1221999

Summary: [rhev-h] iptables rule is getting added on every reboot to host.
Product: Red Hat Enterprise Virtualization Manager
Reporter: Ulhas Surse <usurse>
Component: ovirt-node
Assignee: Anatoly Litovsky <tlitovsk>
Status: CLOSED ERRATA
QA Contact: Ying Cui <ycui>
Severity: medium
Docs Contact:
Priority: high
Version: 3.5.0
CC: cshao, dougsland, ecohen, fdeutsch, gklein, huiwa, leiwang, lsurette, rbalakri, rbarry, tlitovsk, usurse, yaniwang, ycui
Target Milestone: ovirt-3.5.7
Keywords: Reopened, ZStream
Target Release: 3.5.7
Hardware: All
OS: Linux
Whiteboard: node
Fixed In Version: ovirt-node-3.2.3-30.el6 ovirt-node-3.2.3-30.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-01-12 20:36:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions: ovirt-node-3.2.3-30.el6 ovirt-node-3.2.3-30.el7
Category: ---
oVirt Team: Node
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ulhas Surse 2015-05-15 12:55:26 UTC
Description of problem:
iptables is getting many copies of the same rule in the file:

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321


Version-Release number of selected component (if applicable):

Red Hat Enterprise Virtualization Hypervisor 6.6 (20150128.0.el6ev)

redhat-release-server-6Server-6.6.0.3.el6_6.x86_64
vdsm-4.14.18-6.el6ev.x86_64
iptables-1.4.7-14.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install RHEV-H  6.6 (20150128.0.el6ev)
2. Reboot the host
3. Every reboot appends to /etc/sysconfig/iptables

Actual results:
There is an appended rule in iptables.

Expected results:
There should not be any change in firewall rules while rebooting host.

Additional info:

On all hypervisors, the customer is getting this 16 to 47 times on the INPUT chain.

Not sure, but the patch below could be causing every reboot to append the vdsm rule in iptables.

# cat  /etc/ovirt-plugins.d/vdsm-plugin.firewall 
#ports and protocols that vdsm needs opened
54321,tcp


Patch which may have caused this:

https://gerrit.ovirt.org/#/c/17843/
https://gerrit.ovirt.org/#/c/17843/2/src/ovirt/node/utils/firewall.py

Someone needs to check & confirm the findings.
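The behaviour the reporter expects is that a boot-time firewall plugin adds a rule only when it is not already present. The following is an added example, not ovirt-node's firewall.py and not code from this bug: it parses a plugin file in the `port,proto` form shown above, merges the wanted rules into an iptables-save style rule set so that a second run changes nothing, and counts the duplicate rows that the quoted `iptables --list` output exhibits. It assumes that /etc/sysconfig/iptables is in iptables-save syntax; every sample input is constructed inline.

```python
"""Idempotent merging of plugin firewall rules and detection of the
duplicate-rule symptom from this bug.

Added example, not ovirt-node's own firewall.py.  Assumptions: the plugin
file holds one "port,proto" per line (as in vdsm-plugin.firewall) and
/etc/sysconfig/iptables is in iptables-save syntax; all sample inputs
below are constructed for the example.
"""
import re
from collections import Counter

# Constructed sample: contents of /etc/ovirt-plugins.d/vdsm-plugin.firewall
PLUGIN_FILE = """#ports and protocols that vdsm needs opened
54321,tcp
"""

# Constructed sample: a minimal /etc/sysconfig/iptables (iptables-save syntax)
SYSCONFIG_IPTABLES = [
    "*filter",
    ":INPUT ACCEPT [0:0]",
    ":FORWARD ACCEPT [0:0]",
    ":OUTPUT ACCEPT [0:0]",
    "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT",
    "COMMIT",
]

# Constructed sample: `iptables --list` output as quoted in the description
LIST_OUTPUT = """Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321
"""


def parse_plugin_file(text):
    """Parse 'port,proto' lines; '#' comments and blank lines are skipped."""
    wanted = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        port, _, proto = line.partition(",")
        port, proto = port.strip(), proto.strip()
        if not port.isdigit() or proto not in ("tcp", "udp"):
            raise ValueError("bad plugin line: %r" % raw)
        wanted.append((int(port), proto))
    return wanted


def rule_line(port, proto, chain="INPUT"):
    """iptables-save form of an ACCEPT rule for one port."""
    return "-A %s -p %s -m %s --dport %d -j ACCEPT" % (chain, proto, proto, port)


def merge_rules(existing, wanted):
    """Return existing plus only those wanted rules not already present,
    inserted before the COMMIT that closes the *filter table.  Running
    this on every boot is a no-op once the rules are there."""
    present = set(line.strip() for line in existing)
    merged = list(existing)
    insert_at = len(merged)
    in_filter = False
    for i, line in enumerate(merged):
        if line.strip() == "*filter":
            in_filter = True
        elif in_filter and line.strip() == "COMMIT":
            insert_at = i
            break
    for port, proto in wanted:
        line = rule_line(port, proto)
        if line in present:
            continue
        merged.insert(insert_at, line)
        insert_at += 1
        present.add(line)
    return merged


# A rule row in `iptables --list` output: target, proto, "--", source, dest, ...
RULE_ROW = re.compile(r"^\S+\s+\S+\s+--\s+\S+\s+\S+")


def duplicate_rules(list_output):
    """Count repeated rule rows per chain in `iptables --list` output.
    Returns {chain: {rule_row: count}} for rows seen more than once."""
    counts = Counter()
    chain = None
    for raw in list_output.splitlines():
        line = raw.strip()
        if line.startswith("Chain "):
            chain = line.split()[1]
        elif chain and RULE_ROW.match(line):
            counts[(chain, line)] += 1
    dupes = {}
    for (name, row), n in counts.items():
        if n > 1:
            dupes.setdefault(name, {})[row] = n
    return dupes


if __name__ == "__main__":
    once = merge_rules(SYSCONFIG_IPTABLES, parse_plugin_file(PLUGIN_FILE))
    twice = merge_rules(once, parse_plugin_file(PLUGIN_FILE))
    print("idempotent:", once == twice)
    print("duplicates:", duplicate_rules(LIST_OUTPUT))
```

The check is done against the saved file rather than the live ruleset because iptables 1.4.7, the version listed in this report, predates the `-C`/`--check` option (added in 1.4.11); on newer hosts, `iptables -C INPUT ...` before `iptables -A INPUT ...` gives the same idempotency against the running kernel rules. The `duplicate_rules` function is the kind of check a monitoring job can run over `iptables --list` output to flag the accumulation described here before it reaches dozens of copies.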

Comment 9 Fabian Deutsch 2015-06-30 09:25:45 UTC
Reopening this bug according to comment 8.

Comment 11 Fabian Deutsch 2015-10-07 14:28:07 UTC
Ulhas, can you please provide the file /config/files ?

Maybe the iptables config got persisted, which could cause this behavior.

Comment 15 Sandro Bonazzola 2015-10-26 12:49:01 UTC
This is an automated message. oVirt 3.6.0 RC3 has been released and GA is targeted for next week, Nov 4th 2015.
Please review this bug and if not a blocker, please postpone to a later release.
All bugs not postponed on GA release will be automatically re-targeted to

- 3.6.1 if severity >= high
- 4.0 if severity < high

Comment 18 Ying Cui 2015-12-09 03:33:25 UTC
Fabian, see my comment 7: this bug only exists in RHEV-H 6 and does not impact RHEV-H 7, so if you plan to get this fix verified, we need a RHEV-H 6 build for 3.5.z, and the flag needs to be 3.5.z only.

Comment 22 Ying Cui 2015-12-29 06:30:42 UTC
Verified this bug according to the steps in the bug description on the following versions:
# rpm -qa ovirt-node 
ovirt-node-3.2.3-30.el6.noarch
# cat /etc/redhat-release 
Red Hat Enterprise Virtualization Hypervisor release 6.7 (20151218.1.el6ev)

Test steps:
1. Installed RHEV-H 6.7
2. Check 
# iptables --list | grep 54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321 

3. Reboot the rhevh host
4. Check 
# iptables --list | grep 54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321 

5. Reboot the rhevh host
6. Check
# iptables --list | grep 54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321 

Result:
The vdsm rule was not appended in iptables after every reboot of RHEV-H.

Comment 24 errata-xmlrpc 2016-01-12 20:36:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0031.html