Description of problem:
RHEV 3.3 now allows user to inform Host SSH port for host deployment:
Hosts / New / General / SSH Port

Regardless the port informed, if "Automatically configure host firewall" is checked, Host firewall will be configured to allow access to port 22.
As consequence, Host cannot be accessed through ssh after deployment.

Version-Release number of selected component (if applicable):
RHEVM:
rhevm-3.3.0-0.25.beta1.el6ev.noarch
ovirt-host-deploy-1.1.1-1.el6ev.noarch
HYPERVISOR:
vdsm-4.13.0-0.2.beta1.el6ev.x86_64

How reproducible:
100%

Steps to Reproduce:
- Change sshd port from 22 to something else. e.g. 2222.
- Add Host to RHEV. Inform ssh port and keep "Automatically configure host firewall" checked.
- After deployment, try to ssh Host using port 2222.

Actual results:
Cannot access Host.

Expected results:
ovirt-host-deploy should be able to configure Host firewall to accept connection in the ssh port informed in "SSH Port" field ("New Host" Admin Portal dialog).
Up until now I thought that people that change the default ssh port know what they are doing, and address dynamic firewall configuration when supporting firewalld. But you are right it should be addressed.
Shai Revivo 2013-10-25 15:58:49 EDT
Severity: medium → high

Why high? This is not a common scenario at all.
Because if a customer would like to use it he can't ... even if not common. Other than that, I would like this fix to be verified instead of closed upstream; this is the main reason for pushing it to high.

(In reply to Alon Bar-Lev from comment #3)
> Shai Revivo 2013-10-25 15:58:49 EDT
> Severity: medium → high
>
> Why high? this is not common scenario at all.
Tareq Alayan 2013-10-30 08:20:46 EDT
Status: ON_QA → ASSIGNED
Verified: FailedQA

Without logs or analysis, it is not failing.
tested on rhevm-3.3.0-0.28.beta1.el6ev.noarch
- Changed default port to 22222
- Allow port on iptables
- ssh host -p 22222 -lroot -- works
- added host to engine via port 22222 -- works
- try to ssh host via port 22222 didn't work

note that is20.1 contains:
ovirt-host-deploy-1.1.1-1.el6ev.noarch
engine logs, host-deploy logs, content of /etc/sysconfig/iptables, events from /var/log/messages, /var/log/secure. "didn't work" accepted only from end-users.
Created attachment 817461
logs
I think that the fix is not in is20.1.
is20.1 contains:
ovirt-host-deploy-1.1.1-1.el6ev.noarch
Looking at:
talayan-vdc02.scl.lab.tlv.redhat.com

PGPASSWORD=2923jdpY psql -U engine -d engine -h localhost -c "select * from vdc_options where option_name='IPTablesConfig'"

Produces output that does not match[1].
The database script[2] does not match[1].

So the robot is wrong:
---
rhev-integ 2013-10-24 14:21:29 EDT
Status: MODIFIED → ON_QA
Fixed In Version: is20
---

This will be included in is21 I guess.

[1] http://gerrit.ovirt.org/20309
[2] /usr/share/ovirt-engine/dbscripts/upgrade/pre_upgrade/0000_config.sql
Verified.
tested on rhevm-3.3.0-0.30.beta1.el6ev.noarch
- Changed default port to 22222
- Allow port on iptables
- ssh host -p 22222 -lroot -- works
- added host to engine via port 22222 -- works
- try to ssh host via port 22222 -- works
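
An added check, not part of the original bug thread or of ovirt-host-deploy: it compares the port sshd is configured on with what an iptables-save style INPUT chain accepts, which is the mismatch this bug describes. The sample sshd_config and rules are constructed, and rule matching is simplified (source, interface and state matches are ignored).

```python
import re

# Constructed samples, not taken from the bug's attached logs.
SSHD_CONFIG = "# sshd moved off the default port\nPort 22222\n"
RULES_PORT_22_ONLY = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def sshd_ports(config_text):
    """Ports from 'Port' directives; sshd listens on 22 when none is set."""
    found = re.findall(r"^\s*Port\s+(\d+)", config_text, re.M | re.I)
    return [int(p) for p in found] or [22]

def _opt(tok, *names):
    """Value following the first of the given option names, or None."""
    hits = [tok[tok.index(n) + 1] for n in names if n in tok]
    return hits[0] if hits else None

def _covers(spec, port):
    """True if a --dport/--dports value (comma list, lo:hi ranges) has port."""
    bounds = (p.partition(":") for p in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in bounds)

def input_allows_tcp(rules_text, port):
    """First INPUT rule matching tcp/port decides (simplified matching)."""
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", "INPUT"] or "-j" not in tok:
            continue
        target, dport = _opt(tok, "-j"), _opt(tok, "--dport", "--dports")
        if dport is None:
            # A bare catch-all REJECT/DROP ends the chain for new connections.
            if tok[2] == "-j" and target in ("REJECT", "DROP"):
                return False
            continue
        if _opt(tok, "-p") == "tcp" and _covers(dport, port):
            return target == "ACCEPT"
    return ":INPUT ACCEPT" in rules_text  # fell through to chain policy

def blocked_ssh_ports(sshd_config_text, rules_text):
    """Ports sshd listens on that the INPUT chain would not accept."""
    return [p for p in sshd_ports(sshd_config_text)
            if not input_allows_tcp(rules_text, p)]
```

Feeding it the host's real sshd_config and /etc/sysconfig/iptables contents after deployment gives the list of SSH ports the generated firewall would lock out; an empty list means the configured port is reachable.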
Closing - RHEV 3.3 Released