Bug 988849

Summary: edit-node does not handle firewall rules
Product: [Retired] oVirt
Reporter: Mike Burns <mburns>
Component: ovirt-node
Assignee: Joey Boggs <jboggs>
Status: CLOSED CURRENTRELEASE
QA Contact: bugs <bugs>
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: acathrow, alonbl, asegurap, cshao, gouyang, hadong, jboggs, leiwang, mgoldboi, ovirt-bugs, ovirt-maint, talayan, ycui, yeylon
Target Milestone: ---
Target Release: 3.4.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: node
Fixed In Version: ovirt-3.4.0-alpha1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-03-31 12:32:18 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 918494

Description Mike Burns 2013-07-26 14:47:03 UTC
Description of problem:
plugins can install a file to /etc/ovirt-plugins.d containing a list of ports and protocols to open like this:

54321,tcp

These are not being added to the firewall configuration currently.

Version-Release number of selected component (if applicable):
node-3.0.0

How reproducible:
always

Comment 1 Mike Burns 2013-07-26 14:48:25 UTC
Note: need to ignore comments in the file (lines prefixed with #).
Need to handle firewalld vs iptables.

Comment 2 Alon Bar-Lev 2013-08-06 22:42:33 UTC
ovirt-host-deploy sets iptables rules specified by engine.

We are not ready for firewalld at host side.

Comment 3 Alon Bar-Lev 2013-08-06 22:57:28 UTC
(In reply to Alon Bar-Lev from comment #2)
> ovirt-host-deploy sets iptables rules specified by engine.
> 
> We are not ready for firewalld at host side.

Need to correct... ovirt-engine does not support firewalld but only iptables, and this is what it sends to ovirt-host-deploy (otopi).

otopi supports firewalld... but engine should use that feature.

Comment 4 Joey Boggs 2013-08-08 17:49:42 UTC
http://gerrit.ovirt.org/17843

Handles both iptables and firewalld.

Comment 5 Alon Bar-Lev 2013-08-08 18:05:34 UTC
I am unsure how this change solves the problem.

As I wrote in comment #3, ovirt-engine does not support firewalld; it will configure the machine using iptables.

In the future, when ovirt-engine supports firewalld, it will configure firewalld during host-deploy, and the plugin will be a simple registration notification, nothing more.

Comment 6 Joey Boggs 2013-08-08 20:24:54 UTC
ovirt-node has had firewalld support since F18; what was being done in the F18 timeframe with ovirt-host-deploy to make it work?

I can open the ports that ovirt-host-deploy would do in the base image but the patch will work for other plugins that don't expect to manage firewalld/iptables.

Are you asking to revert back to just iptables or can we meet in the middle and open necessary ports?

Comment 7 Alon Bar-Lev 2013-08-08 20:33:03 UTC
(In reply to Joey Boggs from comment #6)
> ovirt-node had firewalld support since F18, what was being done in F18
> timeframe with ovirt-host-deploy to make it work?

There was no RFE for ovirt-engine as far as I know to support firewalld. The fact that ovirt-node reverted this as standalone component without synchronization is not correct.

> I can open the ports that ovirt-host-deploy would do in the base image but
> the patch will work for other plugins that don't expect to manage
> firewalld/iptables.

The ports to be opened are set by the engine and not by the deploy process. If we want to have it set by the node, we should modify the engine not to push iptables rules into the node.

But this will break 3.2 compatibility.

> Are you asking to revert back to just iptables or can we meet in the middle
> and open necessary ports?

I think we should revert back and have something working, then analyze the need of firewall throughout the project and provide a complete solution.

Comment 8 Antoni Segura Puimedon 2013-08-08 20:36:42 UTC
I would have the vdsm plugin or ovirt-host deploy include:

systemctl mask firewalld
systemctl stop firewalld
systemctl enable iptables.service
systemctl start iptables.service

Comment 9 Joey Boggs 2013-08-08 20:52:13 UTC
I'm going to just revert the ovirt-node side, since we will end up not opening the ports configured with firewalld (ssh, libvirt, etc.). So there is no work to be done within the vdsm-plugin unless it's a safeguard.

Comment 10 Joey Boggs 2013-08-09 14:00:42 UTC
Patch updated.

Comment 11 cshao 2014-03-03 07:21:45 UTC
Test version:
ovirt-node-iso-3.0.4-1.0.201401291204.vdsm34beta3.el6.iso
ovirt-node-3.0.4-1.0.el6.noarch

# cat /etc/ovirt-plugins.d/vdsm-plugin.firewall 
#ports and protocols that vdsm needs opened
54321,tcp

# iptables -L | grep 54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321 

The file /etc/ovirt-plugins.d/vdsm-plugin.firewall can list ports and protocols that vdsm needs opened, so the bug is fixed; changing bug status to VERIFIED.
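Added example (not ovirt-node's own code; function names and the tcp/udp restriction are my own assumptions) covering the parsing Comment 1 asks for and the check shown in Comment 11: it reads a plugin firewall file, ignores '#' comment lines, produces either iptables or firewalld command lines, and compares `iptables -L` output against the file to find ports that were not opened.

```python
"""Parse oVirt Node plugin firewall files (/etc/ovirt-plugins.d/*.firewall)
and emit iptables or firewalld commands for the entries they list.
Added example, not ovirt-node's own code. Format as described in the bug:
one 'port,protocol' per line; lines starting with '#' are comments.
"""
import re

ALLOWED_PROTOS = {"tcp", "udp"}   # assumption: only these two are accepted


def parse_firewall_file(text):
    """Return [(port, proto), ...]; skip blank lines and '#' comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # also drops trailing comments
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError("line %d: expected 'port,proto', got %r" % (lineno, raw))
        port, proto = int(parts[0]), parts[1].lower()
        if not 1 <= port <= 65535 or proto not in ALLOWED_PROTOS:
            raise ValueError("line %d: bad port or protocol %r" % (lineno, raw))
        entries.append((port, proto))
    return entries


def iptables_commands(entries):
    """argv lists for the iptables path (what the engine-managed host uses)."""
    return [["iptables", "-I", "INPUT", "-p", proto, "--dport", str(port), "-j", "ACCEPT"]
            for port, proto in entries]


def firewalld_commands(entries):
    """argv lists for the firewalld path Comment 1 asks to handle as well."""
    return [["firewall-cmd", "--permanent", "--add-port=%d/%s" % (port, proto)]
            for port, proto in entries]


# Matches `iptables -L` lines of the shape shown in Comment 11.
_RULE_RE = re.compile(r"^ACCEPT\s+(\w+)\s+--\s+\S+\s+\S+\s+\w+\s+dpt:(\S+)\s*$", re.M)


def missing_rules(entries, iptables_l_output):
    """Entries from the plugin file with no matching ACCEPT line in `iptables -L`."""
    present = {(m.group(2), m.group(1)) for m in _RULE_RE.finditer(iptables_l_output)}
    return [(p, pr) for p, pr in entries if (str(p), pr) not in present]


# Constructed sample: the vdsm-plugin file from Comment 11.
SAMPLE_FILE = "#ports and protocols that vdsm needs opened\n54321,tcp\n"
```

The firewalld commands are `--permanent`, so a `firewall-cmd --reload` is still needed afterwards; `iptables -L` without `-n` may print a service name instead of a number in `dpt:`, which `missing_rules` would then not match.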

Comment 12 Sandro Bonazzola 2014-03-31 12:32:18 UTC
This is an automated message: moving to Closed CURRENT RELEASE since oVirt 3.4.0 has been released.