Bug 1424782

Summary: Supply firewalld service configuration file
Product: [oVirt] ovirt-provider-ovn
Reporter: Mor <mkalfon>
Component: provider
Assignee: Marcin Mirecki <mmirecki>
Status: CLOSED CURRENTRELEASE
QA Contact: Mor <mkalfon>
Severity: low
Docs Contact:
Priority: medium
Version: unspecified
CC: bugs, danken, myakove, stirabos, ylavi
Target Milestone: ovirt-4.1.3
Flags: rule-engine: ovirt-4.1+, ykaul: exception-
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-06 13:21:58 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Network
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 995362, 1446130

Description Mor 2017-02-19 12:19:42 UTC
Description of problem:
There's a missing backport for the ovirt-provider-ovn package which includes the firewalld XML configuration file for RHV version 4.1.1.

In addition, please fix the current patch to set file permission mode: 644 (-rw-r--r--) instead of 755 (-rwxr-xr-x) on the XML file. This is what is set on other oVirt supplied XML files (ovirt-https.xml, ovirt-postgres.xml, etc.).

Version-Release number of selected component (if applicable):
Red Hat Virtualization Manager Version: 4.1.1.2-0.1.el7

Comment 1 Marcin Mirecki 2017-02-22 09:40:31 UTC
Fixed with patches:

https://gerrit.ovirt.org/#/c/71585/
https://gerrit.ovirt.org/#/c/72690/

Comment 2 Marcin Mirecki 2017-03-02 12:23:17 UTC
Fix available in:  ovirt-provider-ovn-1.0-6.el7ev

Comment 3 Mor 2017-03-06 13:31:27 UTC
-rw-r--r--. 1 root root 216 Jan 23 12:47 ovirt-fence-kdump-listener.xml
-rw-r--r--. 1 root root 185 Jan 23 12:47 ovirt-https.xml
-rw-r--r--. 1 root root 182 Jan 23 12:47 ovirt-http.xml
-rw-r--r--. 1 root root 192 Jan 23 12:47 ovirt-imageio-proxy.xml
-rw-r--r--. 1 root root 572 Jan 23 12:47 ovirt-nfs.xml
-rw-r--r--. 1 root root 192 Jan 23 12:47 ovirt-postgres.xml
-rwxr-xr-x. 1 root root 344 Feb 27 15:20 ovirt-provider-ovn-central.xml
-rwxr-xr-x. 1 root root 181 Feb 27 15:20 ovirt-provider-ovn.xml
-rw-r--r--. 1 root root 207 Jan 23 12:47 ovirt-vmconsole-proxy.xml
-rw-r--r--. 1 root root 206 Jan 23 12:47 ovirt-websocket-proxy.xml

File permissions for ovirt-provider-ovn-*.xml files are not set with mode 644.

Comment 4 Marcin Mirecki 2017-04-27 09:30:05 UTC
Included in 1.0-7 build.

https://errata.devel.redhat.com/advisory/28277

Comment 5 Mor 2017-05-01 06:18:13 UTC
Marcin, we have 6442 TCP port in ovirt-provider-ovn-central.xml. It's supposed to be port 6642. Please fix.

Comment 6 Mor 2017-06-04 05:52:01 UTC
Verified on:
ovirt-provider-ovn-1.1-2.20170531131557.git61bec06.el7.centos.noarch
ovirt-provider-ovn-driver-1.1-2.20170531131557.git61bec06.el7.centos.noarch

On host: 
1. No firewalld service file is supplied by ovirt-provider-ovn-driver.
2. openvswitch-ovn-host supplies service file with port UDP 6081.

On central: 
1. ovirt-provider-ovn supplies port TCP 9696. 
2. openvswitch-ovn-central supplies ports TCP: 6641 & 6642. 
3. File permissions on /usr/lib/firewalld/services/ovirt-provider-ovn.xml are 644.

NOTE: No OVN functionality tests were done, only checks that the relevant ports are open on the servers, due to the fact that vdsm currently does not support firewalld.
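
An added example, not part of the bug report or the ovirt-provider-ovn code: a Python audit of firewalld service files for the two defects raised in this thread (mode 755 instead of 644, and port 6442 instead of 6642). The expected-port table, the helper names and the sample file contents are constructed from the comments above; the `<service>`/`<port>` layout is the standard firewalld service format.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Expected ports per service file (assumption: built from comments 5 and 6).
EXPECTED = {
    "ovirt-provider-ovn.xml": {("tcp", "9696")},
    "ovirt-provider-ovn-central.xml": {("tcp", "6641"), ("tcp", "6642")},
}

def audit_service_file(path, expected_ports, expected_mode=0o644):
    """Return a list of findings for one firewalld service XML file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != expected_mode:
        findings.append(f"mode {mode:o}, expected {expected_mode:o}")
    root = ET.parse(path).getroot()
    ports = {(p.get("protocol"), p.get("port")) for p in root.iter("port")}
    for proto, port in sorted(ports - expected_ports):
        findings.append(f"unexpected port {port}/{proto}")
    for proto, port in sorted(expected_ports - ports):
        findings.append(f"missing port {port}/{proto}")
    return findings

def audit_dir(directory, expected=EXPECTED):
    """Audit every expected file present in directory, e.g. /usr/lib/firewalld/services."""
    return {name: audit_service_file(os.path.join(directory, name), ports)
            for name, ports in expected.items()
            if os.path.exists(os.path.join(directory, name))}

def build_sample(directory):
    """Constructed sample files reproducing the state reported in comments 3 and 5."""
    samples = {"ovirt-provider-ovn.xml": ["9696"],
               "ovirt-provider-ovn-central.xml": ["6641", "6442"]}
    for name, ports in samples.items():
        body = "".join(f'  <port protocol="tcp" port="{p}"/>\n' for p in ports)
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(f"<service>\n  <short>{name}</short>\n{body}</service>\n")
        os.chmod(path, 0o755)  # the executable mode shown in comment 3

def demo():
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        return audit_dir(d)

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

Pointing `audit_dir` at `/usr/lib/firewalld/services` on a manager host runs the same checks against the installed files.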