Bug 1487878

Summary: Ovirt-imageIO missing firewalld rule
Product: [oVirt] ovirt-node
Reporter: Bradley <bhieber>
Component: General
Assignee: Yuval Turgeman <yturgema>
Status: CLOSED CURRENTRELEASE
QA Contact: dguo
Severity: medium
Docs Contact:
Priority: unspecified
Version: 4.1
CC: bhieber, bugs, cshao, danken, ylavi
Target Milestone: ovirt-4.1.7
Keywords: TestOnly
Target Release: 4.1
Flags: rule-engine: ovirt-4.1+, dguo: testing_ack+
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-13 12:24:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Bradley 2017-09-02 23:17:23 UTC
Description of problem: Ovirt-imageIO-daemon is missing 54322 open port rule. This causes a failure when trying to upload images. 


Version-Release number of selected component (if applicable): Ovirt-Node-ng-4.1.5


How reproducible: Fresh install of Ovirt Node NG


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Edit VDSM XML in /usr/lib/firewalld/services/vdsm.xml to open the imageIO daemon. Workaround is to run "firewall-cmd --zone=public --permanent --add-port=54322/tcp; firewall-cmd --reload" on each node in production.

Comment 1 Dan Kenigsberg 2017-09-03 19:39:03 UTC
Actually, https://github.com/firewalld/firewalld/blob/master/config/services/ovirt-imageio.xml should provide this port independently.

This should be already available in CentOS-7.4's firewalld. With which one have you been testing?

Comment 2 Ryan Barry 2017-09-03 19:47:46 UTC
The question is whether this is in the node preset, and whether we have a 7.4 node yet. I'm on PTO and can't check until Tuesday. Yuval, can you look at this?

Comment 3 Bradley 2017-09-03 20:07:23 UTC
Node is running 7.3.1611 from the Node-NG 4.1.5 image that was published.

Comment 4 dguo 2017-10-17 02:50:03 UTC
Checked on rhvh-4.1-0.20171012.0+1

Test versions:
[root@dhcp-8-109 ~]# imgbase w
You are on rhvh-4.1-0.20171012.0+1

Test steps:
1. Fresh install rhvh

2. Check ovirt-imageio XML under firewalld
[root@dhcp-8-109 ~]# cat /usr/lib/firewalld/services/ovirt-imageio.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>oVirt Image I/O</short>
  <description>oVirt Image I/O simplifies the workflow of introducing new oVirt images into the oVirt environment.</description>
  <port protocol="tcp" port="54322"/>
</service>

3. After registering to engine, check 54322 port is open 
[root@dhcp-8-109 ~]# iptables -L -x -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:54321
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:54322
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:111
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:111
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:161
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9090
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:16514
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 2223
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5900:6923
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 49152:49216
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:6081
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match ! --physdev-is-bridged reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:6081

4. Upload image to the storage domain; the upload completes successfully

Thus, this bug can be verified on rhvh-4.1-0.20171012.0
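
The check in step 3 of comment 4 can be automated. The following is an added example, not part of the bug report or of oVirt's code: it walks the INPUT chain of an `iptables -L -n` listing in rule order and reports whether a port has a port-specific ACCEPT ahead of the catch-all REJECT. The sample listing is constructed (abridged from the output above), the function names are hypothetical, and it goes slightly beyond the comment by also handling multiport ranges.

```python
import re

# Constructed sample input, abridged from the listing quoted in comment 4.
LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:54322
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5900:6923
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:6081
"""
PORT_MATCH = re.compile(r"\b(?:dpts?:|dports )([\d:,]+)")

def covers(match_text, port):
    """True/False if the rule names destination ports, None if it names none."""
    m = PORT_MATCH.search(match_text)
    if not m:
        return None
    ranges = (item.partition(":") for item in m.group(1).split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def explicitly_accepted(listing, proto, port):
    """Walk Chain INPUT in order; True only if a port-specific ACCEPT comes first."""
    in_input = False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_input = line.startswith("Chain INPUT")
            continue
        f = line.split(None, 5)  # target, prot, opt, source, destination, match text
        if not in_input or len(f) < 5 or f[0] == "target":
            continue
        hit = covers(f[5] if len(f) > 5 else "", port) if f[1] in (proto, "all") else False
        if f[0] == "ACCEPT" and hit is True:
            return True
        # Portless ACCEPT rules are skipped: without -v an interface match is not shown.
        if f[0] in ("REJECT", "DROP") and hit is not False:
            return False
    return False

def missing_ports(listing, required):
    """Subset of required (protocol, port) pairs the INPUT chain does not accept."""
    return [(pr, po) for pr, po in required if not explicitly_accepted(listing, pr, po)]
```

On a node showing the original symptom, `missing_ports(listing, [("tcp", 54322)])` returns the pair instead of an empty list.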