Bug 1018948 - Cannot access Host with sshd alternative port after deployment.
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
3.3.0
All Linux
medium Severity high
: ---
: 3.3.0
Assigned To: Alon Bar-Lev
Tareq Alayan
infra
: Triaged
Depends On:
Blocks: GSS_RHEV_33_BETA 3.3snap2
Reported: 2013-10-14 14:53 EDT by Amador Pahim
Modified: 2016-02-10 14:37 EST

See Also:
Fixed In Version: is21
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
logs (618.15 KB, application/x-gzip)
2013-10-30 09:50 EDT, Tareq Alayan


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 20174 None None None Never
oVirt gerrit 20309 None None None Never

Description Amador Pahim 2013-10-14 14:53:00 EDT
Description of problem:
RHEV 3.3 now allows the user to inform the Host SSH port for host deployment:

Hosts / New / General / SSH Port

Regardless of the port informed, if "Automatically configure host firewall" is checked, the Host firewall will be configured to allow access to port 22. As a consequence, the Host cannot be accessed through ssh after deployment.

Version-Release number of selected component (if applicable):

RHEVM:
rhevm-3.3.0-0.25.beta1.el6ev.noarch
ovirt-host-deploy-1.1.1-1.el6ev.noarch

HYPERVISOR:
vdsm-4.13.0-0.2.beta1.el6ev.x86_64

How reproducible:
100%

Steps to Reproduce:
- Change sshd port from 22 to something else, e.g. 2222.
- Add Host to RHEV. Inform ssh port and keep "Automatically configure host firewall" checked.
- After deployment, try to ssh Host using port 2222.

Actual results:
Cannot access Host.

Expected results:
ovirt-host-deploy should be able to configure the Host firewall to accept connections on the ssh port informed in the "SSH Port" field ("New Host" Admin Portal dialog).
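
The lockout described above can be caught by checking a rules file in `/etc/sysconfig/iptables` format against the port sshd actually listens on. This is an added example, not code from this bug report or from ovirt-host-deploy; `SAMPLE_RULES` is constructed and the function names are hypothetical.

```python
# Constructed sample (not taken from the bug's logs): the firewall opens
# port 22 although sshd on the host was moved to 2222.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:6923,54321 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def _opt(tok, *names):
    """Return the value following the first of `names` found in the rule."""
    for name in names:
        if name in tok[:-1]:
            return tok[tok.index(name) + 1]
    return None

def _covers(spec, port):
    """True if a port spec such as '22', '5900:6923' or '22,2222' includes port."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def accepts_tcp_port(rules_text, port, chain="INPUT"):
    """True if new TCP connections to `port` reach an ACCEPT rule in `chain`.

    Rules are read in order. A REJECT/DROP with no match options ends the
    search, because an ACCEPT placed after it is never evaluated.
    Source and interface restrictions on a rule are not evaluated here.
    """
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", chain]:
            continue
        target = _opt(tok, "-j", "--jump")
        matchers = [t for t in tok[2:] if t.startswith("-")
                    and t not in ("-j", "--jump", "--reject-with")]
        if target in ("REJECT", "DROP") and not matchers:
            return False
        dports = _opt(tok, "--dport", "--dports", "--destination-port")
        if (target == "ACCEPT" and dports
                and _opt(tok, "-p", "--protocol") == "tcp" and _covers(dports, port)):
            return True
    return False
```

Running `accepts_tcp_port` with the port entered in the "SSH Port" field before restarting the firewall shows whether the host would still be reachable over ssh.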
Comment 1 Alon Bar-Lev 2013-10-14 15:35:18 EDT
Up until now I thought that people that change the default ssh port know what they are doing, and address dynamic firewall configuration when supporting firewalld.

But you are right, it should be addressed.
Comment 3 Alon Bar-Lev 2013-10-25 16:02:21 EDT
 Shai Revivo 2013-10-25 15:58:49 EDT
Severity: medium → high

Why high? This is not a common scenario at all.
Comment 4 Shai Revivo 2013-10-25 16:07:33 EDT
Because if a customer would like to use it, he can't ... even if not common.
Other than that, I would like this fix to be verified instead of closed upstream; this is the main reason for pushing it to high.
(In reply to Alon Bar-Lev from comment #3)
>  Shai Revivo 2013-10-25 15:58:49 EDT
> Severity: medium → high
> 
> Why high? this is not common scenario at all.
Comment 5 Alon Bar-Lev 2013-10-30 08:22:25 EDT
 Tareq Alayan 2013-10-30 08:20:46 EDT
Status: ON_QA → ASSIGNED
Verified: FailedQA

Without logs or analysis, it is not failing.
Comment 6 Tareq Alayan 2013-10-30 08:25:04 EDT
Tested on rhevm-3.3.0-0.28.beta1.el6ev.noarch


- Changed default port to 22222
- Allow port on iptables
- ssh host -p 22222 -lroot -- works
- added host to engine via port 22222 -- works
- try to ssh host via port 22222 didn't work


Note that is20.1 contains: ovirt-host-deploy-1.1.1-1.el6ev.noarch
Comment 7 Alon Bar-Lev 2013-10-30 09:03:57 EDT
engine logs, host-deploy logs, content of /etc/sysconfig/iptables, events from /var/log/messages, /var/log/secure.

"didn't work" accepted only from end-users.
Comment 8 Tareq Alayan 2013-10-30 09:50:44 EDT
Created attachment 817461 [details]
logs
Comment 9 Tareq Alayan 2013-10-30 09:51:42 EDT
I think that the fix is not in is20.1.
is20.1 contains: ovirt-host-deploy-1.1.1-1.el6ev.noarch
Comment 10 Alon Bar-Lev 2013-10-30 10:04:34 EDT
Looking at: talayan-vdc02.scl.lab.tlv.redhat.com

PGPASSWORD=2923jdpY psql -U engine -d engine -h localhost -c "select * from vdc_options where option_name='IPTablesConfig'"

Produces output that does not match[1].

The database script[2] does not match[1].

So the robot is wrong:
---
rhev-integ@redhat.com 2013-10-24 14:21:29 EDT
Status: MODIFIED → ON_QA
Fixed In Version: is20
---

This will be included in is21 I guess.

[1] http://gerrit.ovirt.org/20309
[2] /usr/share/ovirt-engine/dbscripts/upgrade/pre_upgrade/0000_config.sql
Comment 11 Tareq Alayan 2013-10-31 05:50:26 EDT
Verified.
Tested on rhevm-3.3.0-0.30.beta1.el6ev.noarch

- Changed default port to 22222
- Allow port on iptables
- ssh host -p 22222 -lroot -- works
- added host to engine via port 22222 -- works
- try to ssh host via port 22222 -- works
Comment 12 Itamar Heim 2014-01-21 17:24:27 EST
Closing - RHEV 3.3 Released
Comment 13 Itamar Heim 2014-01-21 17:25:18 EST
Closing - RHEV 3.3 Released
Comment 14 Itamar Heim 2014-01-21 17:28:51 EST
Closing - RHEV 3.3 Released
