Bug 1255425

Summary: Automatically configured firewall denies access of VMs to network
Product: Red Hat Enterprise Virtualization Manager
Reporter: movciari
Component: ovirt-hosted-engine-setup
Assignee: Sandro Bonazzola <sbonazzo>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Artyom <alukiano>
Severity: high
Priority: high
Version: 3.5.4
CC: amureini, ecohen, gklein, istein, lsurette, movciari, stirabos, ylavi
Target Milestone: ---
Keywords: Regression, Unconfirmed
Target Release: 3.6.0
Flags: stirabos: needinfo-
Hardware: Unspecified
OS: Unspecified
Whiteboard: integration
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-09-08 11:12:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Integration
Cloudforms Team: ---

Description movciari 2015-08-20 14:29:40 UTC
Description of problem:
On a new hosted-engine environment with firewall automatically configured by hosted-engine setup script, VMs don't have network access.
Network works correctly on hosted-engine VM and hosts have access to network, but default auto-generated iptables on hosted-engine hosts denied network access for any new VM I created in webadmin.

Version-Release number of selected component (if applicable):
ovirt-hosted-engine-setup-1.2.5.2-1.el7ev.noarch

How reproducible:
always

Steps to Reproduce:
1. Install hosted-engine on RHEL7.2, let the setup script configure firewall automatically
2. Create a new VM, try to install it from PXE or do anything else that requires network

Actual results:
VM can't access network

Expected results:
VM should be able to access network

Additional info:
iptables -F solved the problem, so I'm sure it's a bad iptables configuration

Comment 1 Simone Tiraboschi 2015-08-28 13:21:41 UTC
I wasn't able to reproduce with hosted-engine from oVirt 3.6 Third Beta.

On my host I got this IPTables configuration:
[root@c7120150824he35u36 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:54321
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sunrpc
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sunrpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:snmp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:16514
ACCEPT     tcp  --  anywhere             anywhere             multiport dports rfb:6923
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 49152:49216
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             PHYSDEV match ! --physdev-is-bridged reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@c7120150824he35u36 ~]# 

Could you please attach the problematic one?
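
The dump above is only useful if you know how to read the FORWARD chain: the single REJECT rule carries a `PHYSDEV match ! --physdev-is-bridged` exception, so frames bridged through the host (guest traffic on the management bridge) skip the rule and fall through to the ACCEPT policy, while only routed (non-bridged) forwarding is rejected. A catch-all REJECT in FORWARD without that exception, or a DROP policy with no matching ACCEPT, is exactly the kind of rule set that would produce the "VM can't access network" symptom. The following script is an added example (not part of the bug report or of ovirt-hosted-engine-setup) that parses `iptables -L` text and applies that check; the healthy dump is an abridged copy of the one in this comment, and the "broken" dump is a constructed variant for illustration, not the reporter's actual configuration (which was never attached).

```python
# Added example, not part of the bug report or the ovirt-hosted-engine-setup
# project: parse an `iptables -L` dump and check whether bridged (VM) traffic
# can pass the FORWARD chain. Sample dumps below are embedded so it runs offline.
import re
from dataclasses import dataclass, field

ANY = {"anywhere", "0.0.0.0/0", "::/0"}   # how `iptables -L` / `-L -n` print "match everything"

@dataclass
class Rule:
    target: str        # ACCEPT / REJECT / DROP / ...
    proto: str         # all / tcp / udp / icmp
    source: str
    destination: str
    extra: str         # trailing match text, e.g. "tcp dpt:ssh" or "PHYSDEV match ..."

@dataclass
class Chain:
    name: str
    policy: str
    rules: list = field(default_factory=list)

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")

def parse_iptables(text: str) -> dict:
    """Parse `iptables -L` output into {chain_name: Chain}, rules in table order."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("target "):
            continue                      # blank separator or the column-header line
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        parts = line.split(None, 5)       # target prot opt source destination [extra]
        if current is None or len(parts) < 5:
            continue
        extra = parts[5] if len(parts) > 5 else ""
        current.rules.append(Rule(parts[0], parts[1], parts[3], parts[4], extra))
    return chains

def bridged_forwarding_allowed(chains: dict) -> bool:
    """Walk FORWARD in first-match order for a generic frame that *is* bridged
    (physdev-is-bridged) and report whether it ends in ACCEPT."""
    fwd = chains.get("FORWARD")
    if fwd is None:
        return False                      # chain absent from the dump: cannot vouch for it
    for r in fwd.rules:
        catch_all = r.proto == "all" and r.source in ANY and r.destination in ANY
        if not catch_all:
            continue                      # narrower rule; a generic bridged frame need not match
        if r.target == "ACCEPT" and (r.extra == "" or r.extra.startswith("PHYSDEV match --physdev-is-bridged")):
            return True                   # explicit accept that covers bridged frames
        if r.target in ("REJECT", "DROP"):
            if "! --physdev-is-bridged" in r.extra:
                continue                  # only non-bridged (routed) traffic is rejected; VM frames skip it
            return False                  # unconditional catch-all reject hits VM traffic
    return fwd.policy == "ACCEPT"         # nothing matched: the chain policy decides

# Abridged copy of the healthy dump shown in this comment.
HEALTHY_DUMP = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:54321
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             PHYSDEV match ! --physdev-is-bridged reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Constructed, hypothetical variant: the FORWARD reject has lost its physdev exception.
BROKEN_DUMP = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
"""

if __name__ == "__main__":
    for label, dump in (("healthy", HEALTHY_DUMP), ("broken", BROKEN_DUMP)):
        ok = bridged_forwarding_allowed(parse_iptables(dump))
        print(f"{label}: bridged VM traffic {'passes' if ok else 'is blocked by'} the FORWARD chain")
```

On a real host the input would come from `iptables -L` (or `iptables -L -n`, which the parser also accepts); the check is deliberately conservative and reports "blocked" whenever the FORWARD chain is missing or has a DROP policy with no covering ACCEPT.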

Comment 2 Sandro Bonazzola 2015-09-04 14:47:38 UTC
Reducing severity and priority since we can't reproduce.
movciari please provide needed info in order to reproduce.

Comment 3 Ilanit Stein 2015-09-08 06:55:45 UTC
Put qe_test_coverage since this bug flow is tested normally in the RHEV QE automation env.

Tested by alukiano, and didn't have such a problem, on the latest HE build for 3.6,
on August 30, 2015.

Comment 4 Yaniv Lavi 2015-09-08 11:12:50 UTC
Michal, please reopen if you provide the needed info.