Bug 795061

Summary: [vdsm] bootstrap script sets up invalid iptables rules

Product: [Retired] oVirt
Component: ovirt-engine-core
Status: CLOSED WONTFIX
Severity: high
Priority: high
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: infra
Doc Type: Bug Fix
Reporter: Andrew Cathrow <acathrow>
Assignee: lpeer <lpeer>
CC: abaron, acathrow, bazulay, danken, dfediuck, iheim, rbalakri, ykaul
Last Closed: 2012-12-13 08:12:22 UTC

Description Andrew Cathrow 2012-02-19 02:02:17 UTC
Tested in stable tree. 

vdsm-bootstrap-4.9.3.3-0.fc16
ovirt-engine-dbscripts-3.0.0_0001-1.6

The issue is in ./usr/share/ovirt-engine/dbscripts/upgrade/03_00_0390_add_firewall_rules_option.sql

which creates an incorrect iptables config file.

The first problem is critical:

We are setting
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT -reject-with icmp-host-prohibited"

-vs-

-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

That's invalid and the iptables service fails to start.

/var/log/messages shows
iptables: Applying firewall rules: iptables-restore v1.4.12: physdev: option "--physdev-is-bridged" cannot be inverted.

Second issue - we're opening the port for libvirt-tls to the outside - that port shouldn't be open externally.
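A small lint for iptables-restore rule files that catches both problems described above. This is an added example, not code from the bug, oVirt or vdsm; it assumes libvirt-tls means libvirt's default TLS port 16514, and the rule text is a constructed sample modelled on the rules quoted in the description.

```python
"""Lint iptables-restore rules for an inverted --physdev-is-bridged match
(rejected by iptables-restore) and for ACCEPT rules that expose a port
that should stay internal to every source address."""
import shlex

# Constructed sample modelled on the rules quoted in the bug report.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -s 192.0.2.0/24 -p tcp --dport 16514 -j ACCEPT
-A INPUT -p tcp --dport 16514 -j ACCEPT
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
COMMIT
"""

# Assumption: libvirt-tls is libvirt's default TLS listener, TCP 16514.
INTERNAL_PORTS = (16514,)

# Options that narrow where a rule applies; their presence means the port
# is not simply open to everyone.
SOURCE_RESTRICTIONS = {"-s", "--source", "-i", "--in-interface"}


def lint_rules(text, internal_ports=INTERNAL_PORTS):
    """Return (line_number, message) findings for iptables-restore text."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.startswith(("-A", "-I")):
            continue  # table name, chain policy lines and COMMIT
        toks = shlex.split(line)
        # Problem 1: "! --physdev-is-bridged" is not a valid negation.
        for i, tok in enumerate(toks):
            if tok == "--physdev-is-bridged" and i > 0 and toks[i - 1] == "!":
                findings.append((number, "--physdev-is-bridged cannot be inverted"))
        # Problem 2: an internal-only port accepted without any source restriction.
        accepts = "-j" in toks and toks[toks.index("-j") + 1] == "ACCEPT"
        if accepts and "--dport" in toks:
            port = toks[toks.index("--dport") + 1]
            if port.isdigit() and int(port) in internal_ports \
                    and not SOURCE_RESTRICTIONS & set(toks):
                findings.append((number, f"port {port} accepted from any source"))
    return findings


if __name__ == "__main__":
    for number, message in lint_rules(SAMPLE_RULES):
        print(f"line {number}: {message}")
```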

Comment 1 Dan Kenigsberg 2012-02-19 09:22:54 UTC
As mentioned above, the default iptables is controlled by ovirt-engine. Changing component.

Note that opening libvirt-tls is required to enable migration (PEER2PEER).

Comment 2 Andrew Cathrow 2012-02-19 23:47:56 UTC
(In reply to comment #1)
> As mentioned above, default iptables is controlled by ovirt-engine. changing
> component.
> 
> Note that opening libvirt-tls is required to enable migration (PEER2PEER).

Does opening libvirt-tls also allow for remote libvirt management?

Comment 3 Dan Kenigsberg 2012-02-20 07:26:59 UTC
(In reply to comment #2)
> 
> Does opening libvirt-tls also allow for remote libvirt management?

If you own a RHEV-M-certified private key, the answer is yes.

Comment 4 Doron Fediuck 2012-03-26 09:18:11 UTC
Just adding that we got the initial config the engine has today from vdsm as a simple default. We can update it if we get an updated policy. Who can provide us the relevant configuration?

Comment 5 Itamar Heim 2012-12-13 08:12:22 UTC
Closing old bugs. If this issue is still relevant/important in current version, please re-open the bug.