Bug 1843882

Summary: network interface not added to public firewalld zone until host reboot
Product: Red Hat Enterprise Virtualization Manager
Reporter: Juan Orti <jortialc>
Component: ovirt-engine
Assignee: Dana <delfassy>
Status: CLOSED ERRATA
QA Contact: Petr Matyáš <pmatyas>
Severity: medium
Priority: high
Version: 4.3.9
CC: gdeolive, lleistne, mperina, mtessun, pmatyas
Target Milestone: ovirt-4.4.5
Keywords: TestOnly, ZStream
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: ovirt-engine-4.4.5
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2021-04-14 11:39:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Infra
Cloudforms Team: ---
Bug Depends On: 1853906

Description Juan Orti 2020-06-04 11:31:39 UTC
Description of problem:
After changing a cluster firewall type to firewalld and reinstalling a host to apply the change, the network interfaces are not in the "public" firewalld zone until the host is rebooted.

One problem detected because of this is that the playbook to re-deploy hosted-engine fails in the task "Get active list of active firewalld zones".

I'm not sure if this has other functional or security-related implications.

Version-Release number of selected component (if applicable):
ovirt-engine-4.3.9.4-11.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Have RHV 4.2 cluster with firewall type 'iptables'.
2. Upgrade it to RHV 4.3, raise CL to 4.3
3. Change firewall type to 'firewalld'
4. Put one host into maintenance
5. Host -> Installation -> Reinstall. "Automatically configure host firewall" checked.

Actual results:
After the host reinstallation, firewalld is configured, but the interfaces are not assigned to the public zone.

# firewall-cmd --get-active-zones

# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client cockpit vdsm libvirt glusterfs libvirt-tls snmp ovirt-imageio ovirt-vmconsole
  ports: 16514/tcp 22/tcp 6081/udp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


After rebooting the host, the interfaces are correctly assigned:

# firewall-cmd --get-active-zones
public
  interfaces: ovirtmgmt eth0

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ovirtmgmt eth0
  sources: 
  services: ssh dhcpv6-client cockpit vdsm libvirt glusterfs libvirt-tls snmp ovirt-imageio ovirt-vmconsole
  ports: 16514/tcp 22/tcp 6081/udp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Expected results:
The interfaces are added to the zone in the runtime configuration.

Additional info:
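
A check for the condition this report describes, written as an added example that is not part of the original report or of oVirt's own code: it parses `firewall-cmd --get-active-zones` output and lists the interfaces that no active zone contains. The sample strings are constructed from the outputs quoted above, and the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example (not from the bug report): detect interfaces that are missing
# from firewalld's runtime active zones, as seen after the host reinstall.
# Function and variable names are illustrative.

# Constructed samples, copied from the outputs quoted in the report.
SAMPLE_BEFORE_REBOOT=''
SAMPLE_AFTER_REBOOT='public
  interfaces: ovirtmgmt eth0'

# Read `firewall-cmd --get-active-zones` output on stdin and print one
# "zone interface" pair per line. Zone names start in column 0; the indented
# "interfaces:" line that follows belongs to that zone.
parse_active_zones() {
    awk '
        /^[^ \t]/           { zone = $1; next }
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) print zone, $i }
    '
}

# unbound_interfaces ZONES_OUTPUT IFACE...
# Print every IFACE that no active zone lists; exit status 1 if any is missing.
# The body is a subshell so its variables stay local in plain POSIX sh.
unbound_interfaces() (
    zones_out=$1; shift
    bound=$(printf '%s\n' "$zones_out" | parse_active_zones | awk '{ print $2 }')
    missing=0
    for iface in "$@"; do
        if ! printf '%s\n' "$bound" | grep -qxF -- "$iface"; then
            printf '%s\n' "$iface"
            missing=1
        fi
    done
    exit "$missing"
)

# Run the check against both samples. On a live host, pass
# "$(firewall-cmd --get-active-zones)" as the first argument instead.
for sample in "$SAMPLE_BEFORE_REBOOT" "$SAMPLE_AFTER_REBOOT"; do
    if unbound=$(unbound_interfaces "$sample" ovirtmgmt eth0); then
        echo "OK: ovirtmgmt and eth0 are bound to an active zone"
    else
        echo "NOT BOUND to any active zone:" $unbound
    fi
done
```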

Comment 4 Guilherme Santos 2021-01-31 17:42:00 UTC
Hi Dana, is this guy fixed? There is no patch linked.

Comment 5 Dana 2021-02-01 07:21:05 UTC
Hi, yes.
The bug that this issue was depending on was fixed, and there are no further changes that need to be done.

Comment 7 Petr Matyáš 2021-02-12 12:59:28 UTC
Tested on ovirt-engine-4.4.5.5-0.13.el8ev.noarch

Option to reboot a host after install/reinstall was added and is currently checked by default.

Comment 13 errata-xmlrpc 2021-04-14 11:39:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] security, bug fix, enhancement), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1169