Bug 715296

Summary: Firewall ports open by default that shouldn't be
Product: Red Hat Enterprise Linux 6 Reporter: Mike Burns <mburns>
Component: ovirt-nodeAssignee: Mike Burns <mburns>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2CC: apevec, avettath, cshao, gouyang, leiwang, mburns, moli, ovirt-maint, sgordon, ycui, yeylon
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: ovirt-node-2.0.1-3.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 715288 Environment:
Last Closed: 2011-12-06 19:16:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Description Mike Burns 2011-06-22 13:41:45 UTC 
This problem exists in the 6.x versions as well

+++ This bug was initially created as a clone of Bug #715288 +++

Description of problem:

oVirt automatically open libvirt port 16509 in iptables which is not required by RHEV

Version-Release number of selected component (if applicable):
Red Hat Enterprise Virtualization Hypervisor 5.6 - 11.1

How reproducible:
Always

Steps to Reproduce:

1.

[root@rhev-h2 ~]# cat /etc/sysconfig/iptables
# oVirt automatically generated firewall configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# libvirt
-A INPUT -p tcp --dport 16509 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
  
Actual results:

[root@rhev-h2 ~]# iptables -L -n | grep 16509
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:16509 

Expected results:

ovirt do not automatically open 16509 port which is not required by RHEV.

Additional info:

Description of 16509 from http://libvirt.org/remote.html

--snip--
tcp
Unencrypted TCP/IP socket. Not recommended for production use, this is normally disabled, but an administrator can enable it for testing or use over a trusted network. The standard port is 16509. 
--/snip--

Our doc is not opening port 16509

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization_for_Servers/2.2/html/Installation_Guide/chap-Installation_Guide-Using_Red_Hat_Enterprise_Linux_Hosts.html#Preparing-RHEL-Hosts
Comment 1 Stephen Gordon 2011-06-22 23:07:57 UTC 
I have noticed that port 81 (anyterm) also seems to be open. I have the following rule in my /etc/sysconfig/iptables file:

# anyterm
-A INPUT -p tcp --dport 81 -j ACCEPT

The build I am using is Red Hat Enterprise Virtualization Hypervisor release 6.2 (0.1.hybrid1307679705).
Comment 4 Mike Burns 2011-07-27 18:47:55 UTC 
After upstream rebase, anyterm port is not open.
Comment 5 Mike Burns 2011-07-27 18:49:21 UTC 
Created attachment 515579 [details]
Patch

Testing:

Confirm that libvirt port is not open after installation
Comment 7 Mike Burns 2011-07-29 12:28:11 UTC 
(Copied from bug 715288 comment 1)

At least, I found the libvirt port is used by vm migration.

Thread-40634::ERROR::2011-07-29 04:25:49,358::vm::175::vm.Vm::(_recover)
vmId=`ae9b323d-fec1-4ad9-b877-54af58ab757e`::operation failed: Failed to
connect to remote libvirt URI (null)
Dummy-38061::DEBUG::2011-07-29
04:25:50,288::storage_mailbox::623::Storage.Misc.excCmd::(_checkForMail) 'dd
if=/rhev/data-center/06f64173-815f-4d86-b403-8715ab760984/mastersd/dom_md/inbox
iflag=direct,fullblock count=1 bs=1024000' (cwd None)
Dummy-38061::DEBUG::2011-07-29
04:25:50,389::storage_mailbox::623::Storage.Misc.excCmd::(_checkForMail)
SUCCESS: <err> = '1+0 records in\n1+0 records out\n1024000 bytes (1.0 MB)
copied, 0.0428696 s, 23.9 MB/s\n'; <rc> = 0
Thread-40634::ERROR::2011-07-29 04:25:50,411::vm::230::vm.Vm::(run)
vmId=`ae9b323d-fec1-4ad9-b877-54af58ab757e`::Traceback (most recent call last):
  File "/usr/share/vdsm/vm.py", line 222, in run
  File "/usr/share/vdsm/libvirtvm.py", line 305, in _startUnderlyingMigration
  File "/usr/share/vdsm/libvirtvm.py", line 327, in f
  File "/usr/share/vdsm/libvirtconnection.py", line 63, in wrapper
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 689, in
migrateToURI
libvirtError: operation failed: Failed to connect to remote libvirt URI (null)


After enable libvirt port 16514 in iptables, the error "Failed to connect to
remote libvirt URI (null)" disappears.

Test version: 
rhev-hypervisor-6.2-09.el6 
libvirt-0.9.2-1.el6.x86_64
Comment 8 Mike Burns 2011-07-29 12:47:20 UTC 
Created attachment 515884 [details]
Patch

Given previous comment, this patch reverts previous change to the firewall.
Comment 9 Mike Burns 2011-07-29 15:00:06 UTC 
Patch was nacked.  Need to enable libvirt ssl/tls port, not tcp port.
Comment 10 Mike Burns 2011-07-29 18:59:15 UTC 
Created attachment 515924 [details]
Patch

Obsoletes previous patch to add libvirt port to firewall
Comment 12 Guohua Ouyang 2011-08-05 02:18:27 UTC 
Verified on rhev-hypervisor-6.2-0.11.el6, libvirt tls port 16514 is enabled in iptables.

# iptables -L -n 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:54321 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:16514 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5989 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 5634:6166 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 49152:49216 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:161 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Comment 13 errata-xmlrpc 2011-12-06 19:16:37 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1783.html