Bug 1528284

Summary: Fail host deploy process if any firewalld service isn't found, by default open all predefined firewalld services for specific cluster
Product: [oVirt] ovirt-engine
Component: Host-Deploy
Reporter: Ondra Machacek <omachace>
Assignee: Ondra Machacek <omachace>
QA Contact: Pavol Brilla <pbrilla>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: unspecified
Version: future
CC: bugs, lsvaty, lveyde, mperina
Target Milestone: ovirt-4.2.1
Flags: rule-engine: ovirt-4.2+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ovirt-engine-4.2.1.1
Last Closed: 2018-02-12 11:54:59 UTC
Type: Bug
oVirt Team: Infra

Description Ondra Machacek 2017-12-21 12:51:59 UTC
By default we should open all ports for the specific cluster (gluster/virt) and if any predefined service isn't found (is not provided by firewalld or specific package), we should fail the host deploy process.

To test:
Check that all relevant services for cluster have opened port - enabled firewalld service. Check that for gluster/virt cluster.

Comment 1 Pavol Brilla 2018-01-29 12:45:51 UTC
Failing on missing service 'cockpit' - graceful error - verified

2018-01-29 13:42:24,020 p=7576 u=ovirt |  TASK [ovirt-host-deploy-firewalld : Enable firewalld rules] ********************
2018-01-29 13:42:25,528 p=7576 u=ovirt |  failed: [10.37.137.139] (item={u'service': u'cockpit'}) => {
    "changed": false, 
    "item": {
        "service": "cockpit"
    }
}

MSG:

ERROR: Exception caught: org.fedoraproject.FirewallD1.Exception: INVALID_SERVICE: 'cockpit' not among existing services Permanent and Non-Permanent(immediate) operation, Services are defined by port/tcp relationship and named as they are in /etc/services (on most systems)

Comment 2 Pavol Brilla 2018-01-29 14:13:15 UTC
virt:
# firewall-cmd --zone=public --list-all
...
  services: dhcpv6-client ssh cockpit libvirt-tls snmp vdsm ovirt-imageio ovirt-vmconsole
  ports: 22/tcp 6081/udp
...

gluster:
# firewall-cmd --zone=public --list-all
...
  services: ssh dhcpv6-client cockpit libvirt-tls snmp vdsm ovirt-imageio ovirt-vmconsole ctdb glusterfs nfs nrpe ovirt-storageconsole rpc-bind samba
  ports: 22/tcp 6081/udp 8080/tcp 963/udp 965/tcp
...
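
The two checks this bug asks for (every required service is defined in firewalld, and every one is enabled in the zone), as an added shell example that is not part of the bug report or of ovirt-engine. The required-service lists and the `--get-services` sample are assumptions constructed from the output in Comment 2; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not oVirt code: check that required firewalld services are
# (a) defined on the host and (b) enabled in the zone.

# not_in WANTED HAVE: print each word of WANTED absent from HAVE; status 1 if any.
not_in() {
    rc=0
    have=$(printf '%s' "$2" | tr '\n\t' '  ')
    for svc in $1; do
        case " $have " in
            *" $svc "*) ;;
            *) printf '%s\n' "$svc"; rc=1 ;;
        esac
    done
    return $rc
}

# enabled_services: read `firewall-cmd --list-all` output on stdin and print
# the words of its "services:" line.
enabled_services() {
    sed -n 's/^[[:space:]]*services:[[:space:]]*//p'
}

# audit REQUIRED DEFINED LISTING
# status 2: a service has no definition (the INVALID_SERVICE case above)
# status 1: defined but not enabled; status 0: all enabled
audit() {
    if ! undefined=$(not_in "$1" "$2"); then
        echo "undefined:" $undefined; return 2
    fi
    enabled=$(printf '%s\n' "$3" | enabled_services)
    if ! closed=$(not_in "$1" "$enabled"); then
        echo "not enabled:" $closed; return 1
    fi
    echo "ok"
}

# Sample data: the virt listing is copied from Comment 2; everything else is constructed.
VIRT_LISTING='  services: dhcpv6-client ssh cockpit libvirt-tls snmp vdsm ovirt-imageio ovirt-vmconsole
  ports: 22/tcp 6081/udp'
# Assumed required sets, not the engine's real per-cluster lists.
VIRT_REQUIRED='cockpit libvirt-tls snmp vdsm ovirt-imageio ovirt-vmconsole'
GLUSTER_REQUIRED="$VIRT_REQUIRED ctdb glusterfs nfs nrpe ovirt-storageconsole rpc-bind samba"
# Constructed `firewall-cmd --get-services` output for a host lacking the cockpit definition.
DEFINED_NO_COCKPIT='dhcpv6-client ssh libvirt-tls snmp vdsm ovirt-imageio ovirt-vmconsole'

audit "$VIRT_REQUIRED" "$DEFINED_NO_COCKPIT" "$VIRT_LISTING" || echo "deploy check failed ($?)"
# On a host: audit "$VIRT_REQUIRED" "$(firewall-cmd --get-services)" "$(firewall-cmd --zone=public --list-all)"
```

Separating the two exit codes tells an operator whether a package that ships the service definition is missing or the rule was simply never enabled.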

Comment 3 Sandro Bonazzola 2018-02-12 11:54:59 UTC
This bugzilla is included in oVirt 4.2.1 release, published on Feb 12th 2018.

Since the problem described in this bug report should be
resolved in oVirt 4.2.1 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.