Bug 1350208

Summary: iptables should be configured automatically for ovirt-imageio-daemon
Product: [oVirt] ovirt-engine Reporter: Amit Aviram <aaviram>
Component: Host-DeployAssignee: Amit Aviram <aaviram>
Status: CLOSED CURRENTRELEASE QA Contact: Natalie Gavrielov <ngavrilo>
Severity: medium Docs Contact:
Priority: unspecified    
Version: futureCC: aaviram, acanan, amureini, bugs, gklein, tnisan
Target Milestone: ovirt-4.0.1Flags: rule-engine: ovirt-4.0.z+
rule-engine: planning_ack+
tnisan: devel_ack+
acanan: testing_ack+
Target Release: 4.0.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-04 13:31:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Storage RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Amit Aviram 2016-06-26 13:05:46 UTC 
Description of problem:
When adding a host to ovirt, iptables is not configured to accept requests on ovirt-imageio-daemon's port- which causes manual actions to be performed in the host in order to upload disk images.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. add a host
2. try to upload a disk

Actual results:
the disk can't be uploaded, as there's a connection error in the proxy. only after allowing requests for image daemon's port, setup can be performed.

Expected results:
No further actions required for the user in order to perform an upload.
Comment 1 Natalie Gavrielov 2016-07-26 12:12:00 UTC 
Hi Amit,

This means that during the host's installation iptables is changed - what are these changes exactly?
Also, when removed.. does it also remove the changed configuration?
Comment 2 Amit Aviram 2016-07-26 12:43:23 UTC 
The changes are to accept incoming requests for port 54322, you can use 
"iptables -L" to see the list of accepted and rejected ports for incoming requests.

If you see an ACCEPT record for tcp with port 54322, then the rule is added as it should.
Comment 3 Natalie Gavrielov 2016-07-26 13:12:27 UTC 
Verified,
vdsm-4.18.8-1.el7ev.x86_64
ovirt-imageio-daemon-0.3.0-0.el7ev.noarch
rhevm-4.0.2-0.1.rc.el7ev.noarch
ovirt-imageio-proxy-0.3.0-0.el7ev.noarch
ovirt-imageio-common-0.3.0-0.el7ev.noarch

Scenario tested:
1. Put host to maintenance. 
2. Remove vdsm, ovirt-imageio-daemon, ovirt-imageio-common.
3. Remove rule that accepts tcp with port 54322:
   iptables -L INPUT --line-numbers
   iptables -D INPUT <relevant_line_number>
4. Reinstall host using engine

Result: the following rule appears when issuing "iptables -L INPUT" 
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:54322