Bug 199773

Summary: Redhat Cluster Suite port blocked by default firewall rules
Product: [Fedora] Fedora
Component: system-config-securitylevel
Version: 6
Reporter: Steven Dake <sdake>
Assignee: Chris Lumens <clumens>
CC: ccaulfie
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-07-24 20:58:03 UTC

Description Steven Dake 2006-07-21 21:04:04 UTC
Description of problem:
RHCS port 5405 is blocked by the default configuration for the firewall.

Version-Release number of selected component (if applicable):
latest

How reproducible:
100%.


Steps to Reproduce:
1. Turn on Firewall.
2. yum install openais
3. vi /etc/ais/openais.conf and set your bindnetaddr to an IP address
  
Actual results:
openais continues to state "Entering gather state" over and over.  This is
because it cannot receive or send packets on its defined 5405 UDP port.

Expected results:
[root@shih exec]# ./aisexec
[root@shih exec]# Jul 21 14:11:36.635254 [MAIN ] AIS Executive Service RELEASE
'trunk'
Jul 21 14:11:36.635400 [MAIN ] Copyright (C) 2002-2006 MontaVista Software, Inc
and contributors.
Jul 21 14:11:36.635425 [MAIN ] Copyright (C) 2006 Red Hat, Inc.
Jul 21 14:11:36.635445 [MAIN ] openais component openais_cpg loaded.
Jul 21 14:11:36.635465 [MAIN ] Registering service handler 'openais cluster
closed process group service v1.01'
Jul 21 14:11:36.635486 [MAIN ] openais component openais_cfg loaded.
Jul 21 14:11:36.635506 [MAIN ] Registering service handler 'openais
configuration service'
Jul 21 14:11:36.635530 [MAIN ] openais component openais_msg loaded.
Jul 21 14:11:36.635550 [MAIN ] Registering service handler 'openais message
service B.01.01'
Jul 21 14:11:36.635571 [MAIN ] openais component openais_lck loaded.
Jul 21 14:11:36.635591 [MAIN ] Registering service handler 'openais distributed
locking service B.01.01'
Jul 21 14:11:36.635611 [MAIN ] openais component openais_evt loaded.
Jul 21 14:11:36.635631 [MAIN ] Registering service handler 'openais event
service B.01.01'
Jul 21 14:11:36.635652 [MAIN ] openais component openais_ckpt loaded.
Jul 21 14:11:36.635672 [MAIN ] Registering service handler 'openais checkpoint
service B.01.01'
Jul 21 14:11:36.635694 [MAIN ] openais component openais_amf loaded.
Jul 21 14:11:36.635714 [MAIN ] Registering service handler 'openais availability
management framework B.01.01'
Jul 21 14:11:36.635734 [MAIN ] openais component openais_clm loaded.
Jul 21 14:11:36.635754 [MAIN ] Registering service handler 'openais cluster
membership service B.01.01'
Jul 21 14:11:36.635774 [MAIN ] openais component openais_evs loaded.
Jul 21 14:11:36.635795 [MAIN ] Registering service handler 'openais extended
virtual synchrony service'
Jul 21 14:11:36.637676 [TOTEM] Token Timeout (1000 ms) retransmit timeout (238 ms)
Jul 21 14:11:36.637781 [TOTEM] token hold (180 ms) retransmits before loss (4
retrans)
Jul 21 14:11:36.637804 [TOTEM] join (100 ms) consensus (200 ms) merge (200 ms)
Jul 21 14:11:36.637825 [TOTEM] downcheck (1000000 ms) fail to recv const (50 msgs)
Jul 21 14:11:36.637847 [TOTEM] seqno unchanged const (30 rotations) Maximum
network MTU 1500
Jul 21 14:11:36.637867 [TOTEM] window size per rotation (50 messages) maximum
messages per rotation (17 messages)
Jul 21 14:11:36.637889 [TOTEM] send threads (0 threads)
Jul 21 14:11:36.637909 [TOTEM] RRP token expired timeout (238 ms)
Jul 21 14:11:36.637930 [TOTEM] RRP token problem counter (2000 ms)
Jul 21 14:11:36.637949 [TOTEM] RRP threshold (10 problem count)
Jul 21 14:11:36.637968 [TOTEM] RRP mode set to none.
Jul 21 14:11:36.637988 [TOTEM] heartbeat_failures_allowed (0)
Jul 21 14:11:36.638007 [TOTEM] max_network_delay (50 ms)
Jul 21 14:11:36.638047 [TOTEM] HeartBeat is Disabled. To enable set
heartbeat_failures_allowed > 0
Jul 21 14:11:36.638298 [TOTEM] Receive multicast socket recv buffer size (262142
bytes).
Jul 21 14:11:36.638324 [TOTEM] Transmit multicast socket send buffer size
(262142 bytes).
Jul 21 14:11:36.638642 [TOTEM] The network interface [192.168.2.10] is now up.
Jul 21 14:11:36.638684 [TOTEM] Created or loaded sequence id
1125934283361995.192.168.2.10 for this ring.
Jul 21 14:11:36.638775 [TOTEM] entering GATHER state.
Jul 21 14:11:36.638985 [SERV ] Initialising service handler 'openais extended
virtual synchrony service'
Jul 21 14:11:36.639012 [SERV ] Initialising service handler 'openais cluster
membership service B.01.01'
Jul 21 14:11:36.639136 [SERV ] Initialising service handler 'openais
availability management framework B.01.01'
Jul 21 14:11:36.639173 [SERV ] Initialising service handler 'openais checkpoint
service B.01.01'
Jul 21 14:11:36.639200 [SERV ] Initialising service handler 'openais event
service B.01.01'
Jul 21 14:11:36.639233 [SERV ] Initialising service handler 'openais distributed
locking service B.01.01'
Jul 21 14:11:36.639257 [SERV ] Initialising service handler 'openais message
service B.01.01'
Jul 21 14:11:36.639281 [SERV ] Initialising service handler 'openais
configuration service'
Jul 21 14:11:36.639305 [SERV ] Initialising service handler 'openais cluster
closed process group service v1.01'
Jul 21 14:11:36.639333 [SYNC ] Not using a virtual synchrony filter.
Jul 21 14:11:36.639369 [MAIN ] AIS Executive Service: started and ready to
provide service.
Jul 21 14:11:36.639428 [TOTEM] Creating commit token because I am the rep.
Jul 21 14:11:36.639463 [TOTEM] Saving state aru 0 high seq received 0
Jul 21 14:11:36.639515 [TOTEM] Storing new sequence id for ring 16781007
Jul 21 14:11:36.639550 [TOTEM] entering COMMIT state.
Jul 21 14:11:36.639589 [TOTEM] entering RECOVERY state.
Jul 21 14:11:36.639647 [TOTEM] position [0] member 192.168.2.10:
Jul 21 14:11:36.639669 [TOTEM] previous ring seq 1125934283361995 rep 192.168.2.10
Jul 21 14:11:36.639690 [TOTEM] aru 0 high delivered 0 received flag 0
Jul 21 14:11:36.639710 [TOTEM] Did not need to originate any messages in recovery.
Jul 21 14:11:36.639743 [TOTEM] Sending initial ORF token
Jul 21 14:11:36.639954 [CLM  ] CLM CONFIGURATION CHANGE
Jul 21 14:11:36.639986 [CLM  ] New Configuration:
Jul 21 14:11:36.640006 [CLM  ] Members Left:
Jul 21 14:11:36.640026 [CLM  ] Members Joined:
Jul 21 14:11:36.640055 [amf.c:0425] amf_confchg_fn : type = 1,mnum = 0,jnum =
0,lnum = 0
Jul 21 14:11:36.640097 [SYNC ] This node is within the primary component and
will provide service.
Jul 21 14:11:36.640125 [CLM  ] CLM CONFIGURATION CHANGE
Jul 21 14:11:36.640145 [CLM  ] New Configuration:
Jul 21 14:11:36.640189 [CLM  ]  r(0) ip(192.168.2.10)
Jul 21 14:11:36.640211 [CLM  ] Members Left:
Jul 21 14:11:36.640231 [CLM  ] Members Joined:
Jul 21 14:11:36.640254 [CLM  ]  r(0) ip(192.168.2.10)
Jul 21 14:11:36.640276 [amf.c:0425] amf_confchg_fn : type = 0,mnum = 1,jnum =
1,lnum = 0
Jul 21 14:11:36.640300 [SYNC ] This node is within the primary component and
will provide service.
Jul 21 14:11:36.641206 [TOTEM] entering OPERATIONAL state.
Jul 21 14:11:36.643042 [SYNC ] Synchronization barrier completed
Jul 21 14:11:36.643097 [SYNC ] Synchronization actions starting for (openais
cluster membership service B.01.01)
Jul 21 14:11:36.643177 [CLM  ] got nodejoin message 192.168.2.10
Jul 21 14:11:36.643239 [SYNC ] Synchronization barrier completed
Jul 21 14:11:36.643261 [SYNC ] Committing synchronization for (openais cluster
membership service B.01.01)
Jul 21 14:11:36.643282 [SYNC ] Synchronization actions starting for (openais
availability management framework B.01.01)
Jul 21 14:11:36.643306 [amf.c:0348] >amf_sync_init:
Jul 21 14:11:36.643332 [amf.c:0353] >amf_sync_process:
Jul 21 14:11:36.643406 [SYNC ] Synchronization barrier completed
Jul 21 14:11:36.643428 [amf.c:0364] >amf_sync_activate:
Jul 21 14:11:36.643448 [SYNC ] Committing synchronization for (openais
availability management framework B.01.01)
Jul 21 14:11:36.643469 [SYNC ] Synchronization actions starting for (openais
checkpoint service B.01.01)
Jul 21 14:11:36.643546 [SYNC ] Synchronization barrier completed
Jul 21 14:11:36.643568 [SYNC ] Committing synchronization for (openais
checkpoint service B.01.01)
Jul 21 14:11:36.643589 [SYNC ] Synchronization actions starting for (openais
event service B.01.01)
Jul 21 14:11:36.643765 [SYNC ] Synchronization barrier completed
Jul 21 14:11:36.643787 [SYNC ] Committing synchronization for (openais event
service B.01.01)
Jul 21 14:11:36.643809 [SYNC ] Synchronization actions starting for (openais
cluster closed process group service v1.01)
Jul 21 14:11:36.643887 [SYNC ] Synchronization barrier completed
Jul 21 14:11:36.643909 [SYNC ] Committing synchronization for (openais cluster
closed process group service v1.01)



Additional info:

Ideally the sysconfig tool would have an option for "RHCS port" like it does for
WWW, HTTP and other services.  I took a stab at trying to add this, but couldn't
get it to work because I don't know how iptables functions.

Regards
-steve
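
A way to spot the symptom reported above from an aisexec log, as an added example that is not part of the original report or of openais: it flags a node whose log ends in repeated `entering GATHER state` lines without reaching OPERATIONAL. The `threshold` of 3 and both sample logs are constructed assumptions; the healthy sample reuses the state lines from the expected output.

```python
import re

# Matches lines such as:
#   Jul 21 14:11:36.638775 [TOTEM] entering GATHER state.
STATE_RE = re.compile(r"\[TOTEM\] entering (\w+) state", re.IGNORECASE)

# Constructed sample: the four state lines from the expected output above.
HEALTHY = """\
Jul 21 14:11:36.638775 [TOTEM] entering GATHER state.
Jul 21 14:11:36.639550 [TOTEM] entering COMMIT state.
Jul 21 14:11:36.639589 [TOTEM] entering RECOVERY state.
Jul 21 14:11:36.641206 [TOTEM] entering OPERATIONAL state.
"""

# Constructed sample of the reported failure (timestamps are invented).
BLOCKED = """\
Jul 21 14:20:00.000001 [TOTEM] The network interface [192.168.2.10] is now up.
Jul 21 14:20:00.000002 [TOTEM] entering GATHER state.
Jul 21 14:20:01.000002 [TOTEM] entering GATHER state.
Jul 21 14:20:02.000002 [TOTEM] entering GATHER state.
"""


def totem_states(log_text):
    """Return the TOTEM states in the order the log reports them."""
    return [m.group(1).upper() for m in STATE_RE.finditer(log_text)]


def stuck_in_gather(log_text, threshold=3):
    """True when the log ends with `threshold` or more consecutive GATHER
    entries, i.e. the ring never formed after the last attempt."""
    trailing = 0
    for state in reversed(totem_states(log_text)):
        if state != "GATHER":
            break
        trailing += 1
    return trailing >= threshold


if __name__ == "__main__":
    for name, log in (("healthy", HEALTHY), ("blocked", BLOCKED)):
        print(name, totem_states(log), "stuck:", stuck_in_gather(log))
```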

Comment 1 Paul Nasrat 2006-07-22 14:14:19 UTC
You should be able to add an arbitrary port.

Comment 2 Chris Lumens 2006-07-24 20:58:03 UTC
The best way to do this is to just use the "other ports" dialog.  There are a
whole bunch of programs that don't have their own checkbox in the list, and
that's sort of on purpose.  s-c-securitylevel is supposed to be a fairly simple
program that someone can use to turn on and off the most common things.  In the
future, we need to move towards a system where programs can make requests for
firewall holes automatically, so there's not a separate program the user needs
to deal with.
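
A rule that opens 5405/udp only takes effect if it is evaluated before the firewall's catch-all reject. The added example below (not from this bug or from system-config-securitylevel) checks that with a simplified first-match model of one chain. The chain name `RH-Firewall-1-INPUT`, the constructed ruleset and the 192.168.2.0/24 source restriction are assumptions.

```python
import ipaddress
import shlex

CHAIN = "RH-Firewall-1-INPUT"  # assumed chain name, not taken from the bug
MODELLED = {"-i", "-p", "-s", "--dport", "--state", "-m", "-j", "--reject-with"}

# Constructed, abridged ruleset; the bug does not quote the real default rules.
DEFAULT = """\
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# Accept port 5405/udp only from the cluster subnet (assumed /24 around 192.168.2.10).
OPEN_5405 = "-A RH-Firewall-1-INPUT -s 192.168.2.0/24 -p udp -m udp --dport 5405 -j ACCEPT"


def verdict(ruleset, src, dport, proto="udp", iface="eth0"):
    """Target of the first rule in CHAIN matching a NEW inbound packet."""
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", CHAIN]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))  # every modelled option takes one value
        if set(opts) - MODELLED:
            raise ValueError(f"option not modelled: {line}")  # fail loudly, never guess
        if opts.get("-i", iface) != iface or opts.get("-p", proto) != proto:
            continue
        if "-s" in opts and ipaddress.ip_address(src) not in ipaddress.ip_network(opts["-s"]):
            continue
        if "--state" in opts and "NEW" not in opts["--state"].split(","):
            continue
        if "--dport" in opts:
            lo, _, hi = opts["--dport"].partition(":")  # single port or lo:hi range
            if not int(lo) <= dport <= int(hi or lo):
                continue
        return opts["-j"]
    return "POLICY"  # fell off the end of the chain


def insert_before_reject(ruleset, rule):
    """Place `rule` ahead of the chain's final catch-all REJECT."""
    lines = ruleset.strip().splitlines()
    return "\n".join(lines[:-1] + [rule, lines[-1]])


if __name__ == "__main__":
    fixed = insert_before_reject(DEFAULT, OPEN_5405)
    for name, rules in (("default", DEFAULT), ("fixed", fixed), ("appended", DEFAULT + OPEN_5405)):
        print(name, verdict(rules, "192.168.2.11", 5405))
```

Appending the same rule after the REJECT line leaves the port closed, which is why the position of the rule matters as much as its content.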