Bug 1023316 - engine-setup incorrectly directs users to use firewall-cmd on RHEL when it's only available on Fedora
engine-setup incorrectly directs users to use firewall-cmd on RHEL when it's ...
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-setup (Show other bugs)
3.3.0
Unspecified Unspecified
low Severity low
: ---
: 3.3.0
Assigned To: Yedidyah Bar David
Jiri Belka
integration
: EasyFix, Reopened, Triaged
Depends On:
Blocks: 3.3rc1
  Show dependency treegraph
 
Reported: 2013-10-25 03:59 EDT by Peter Robinson
Modified: 2014-07-09 05:51 EDT (History)
13 users (show)

See Also:
Fixed In Version: av3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-03-16 09:18:57 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 20737 None None None Never
oVirt gerrit 22181 None None None Never

  None (edit)
Description Peter Robinson 2013-10-25 03:59:33 EDT
During an upgrade (likely the same for install) engine-setup advises the following:

          The following network ports should be opened:
              tcp:111
              tcp:2049
              tcp:32803
              tcp:443
              tcp:662
              tcp:80
              tcp:875
              tcp:892
              udp:111
              udp:32769
              udp:662
              udp:875
              udp:892
          An example of the required configuration for iptables can be found at:
              /etc/ovirt-engine/iptables.example
          In order to configure firewalld, copy the files from
          /etc/ovirt-engine/firewalld to /etc/firewalld/services
          and execute the following commands:
              firewall-cmd -service ovirt-nfs
              firewall-cmd -service ovirt-http
              firewall-cmd -service ovirt-https

When firewall-cmd isn't available on RHEL but is rather a feature in Fedora. Instead it should be advising to edit /etc/sysconfig/iptables and restarting the firewall.
Comment 1 Alon Bar-Lev 2013-10-29 11:31:38 EDT
I think that we added this for manual setting, just print the options, user can select whatever he wishes. I am unsure it is wroth conditionals or distro specific notes, for example if user does want to install firewalld on rhel (manually) he has usage.
Comment 2 Yedidyah Bar David 2013-10-29 17:12:13 EDT
(In reply to Alon Bar-Lev from comment #1)
> I think that we added this for manual setting, just print the options, user
> can select whatever he wishes. I am unsure it is wroth conditionals or
> distro specific notes, for example if user does want to install firewalld on
> rhel (manually) he has usage.

Agreed. What do you say? We can change the text if you think it's not clear enough - but note that this appears only if user explicitly chose to not configure iptables automatically.
Comment 3 Sandro Bonazzola 2013-11-06 02:52:29 EST
I think that this bug can be closed as not a bug as per comment #1.
Comment 4 Peter Robinson 2013-11-06 05:17:17 EST
(In reply to Yedidyah Bar David from comment #2)
> (In reply to Alon Bar-Lev from comment #1)
> > I think that we added this for manual setting, just print the options, user
> > can select whatever he wishes. I am unsure it is wroth conditionals or
> > distro specific notes, for example if user does want to install firewalld on
> > rhel (manually) he has usage.
> 
> Agreed. What do you say? We can change the text if you think it's not clear
> enough - but note that this appears only if user explicitly chose to not
> configure iptables automatically.

Is firewalld supported on RHEL-6? I don't believe it is, it's certainly not in the RHEL repos. In both the original install and the upgrade I took the default choices and got this message. It's incorrect and hence shouldn't be there as it'll cause confusion and hence likely support issues.
Comment 5 Alon Bar-Lev 2013-11-06 05:23:20 EST
(In reply to Peter Robinson from comment #4)
> Is firewalld supported on RHEL-6? I don't believe it is, it's certainly not
> in the RHEL repos. In both the original install and the upgrade I took the
> default choices and got this message. It's incorrect and hence shouldn't be
> there as it'll cause confusion and hence likely support issues.

Please keep in mind that product is not rhel only.

this product may be installed when either firewalld *manually* installed, or at rhel-7 in which there will be probably firewalld, and it will support that configuration.

Removing a harmless text of conditional instruction just because a specific configuration is not supported is not worth the effort of maintaining downstream specific patch.
Comment 6 Peter Robinson 2013-11-06 05:34:28 EST
> Please keep in mind that product is not rhel only.
> 
> this product may be installed when either firewalld *manually* installed, or
> at rhel-7 in which there will be probably firewalld, and it will support
> that configuration.

I am fully aware this isn't just RHEL only which is why the bug is reported against the Red Hat RHEV component which is the paid and supported product and NOT the upstream oVirt project or the Fedora oVirt component.
Comment 7 Alon Bar-Lev 2013-11-06 05:41:41 EST
(In reply to Peter Robinson from comment #6)
> > Please keep in mind that product is not rhel only.
> > 
> > this product may be installed when either firewalld *manually* installed, or
> > at rhel-7 in which there will be probably firewalld, and it will support
> > that configuration.
> 
> I am fully aware this isn't just RHEL only which is why the bug is reported
> against the Red Hat RHEV component which is the paid and supported product
> and NOT the upstream oVirt project or the Fedora oVirt component.

You still ignore the arguments:

1. product supports firewalld, the existence or absent of firewalld from system is irrelevant.

2. current product version will work with firewalld if manually installed by sysadmin (from sources, external repo or similar).

3. current product version will work on rhel-7 leveraging firewalld.

4. the message is issue only if user chose not to configure firewall at all, to provide the sysadmin information of future manual steps that can be taken in order to apply firewall rules.

If you think that the sysadmin cannot understand that the following message is relevant only if he has firewalld configuration, we can modify it to any better phrasing.
---
          In order to configure firewalld, copy the files from
          /etc/ovirt-engine/firewalld to /etc/firewalld/services
          and execute the following commands:
              firewall-cmd -service ovirt-nfs
              firewall-cmd -service ovirt-http
              firewall-cmd -service ovirt-https
---

Thanks,
Comment 8 Peter Robinson 2013-11-06 07:17:36 EST
> You still ignore the arguments:

I don't ignore any arguments.

> 1. product supports firewalld, the existence or absent of firewalld from
> system is irrelevant.

It's completely relevant, its instructing the use to do something they can't and in the case of the Enterprise Product on currently released and supported platforms (not some product of the future) something that is completely out of support.

> 2. current product version will work with firewalld if manually installed by
> sysadmin (from sources, external repo or similar).

I have no doubt but it's very unlikely for customers that are paying for support and GSS who have to support them.

It should be checking whether the firewalld binary is installed and giving appropriate contextual information.

> 3. current product version will work on rhel-7 leveraging firewalld.

There is no released version of RHEL-7 as yet and this bug report is against RHEV 3.3 beta which is currently only supported on RHEL-6. I'm not interested in what might happen in the future I'm interested in the current supported release of the Enterprise product. 

> 4. the message is issue only if user chose not to configure firewall at all,
> to provide the sysadmin information of future manual steps that can be taken
> in order to apply firewall rules.

The message is an issue if the user chose the default settings and options when installing an earlier release of RHEV. 

> If you think that the sysadmin cannot understand that the following message
> is relevant only if he has firewalld configuration, we can modify it to any
> better phrasing.

Or you could detect the presence of whether firewalld or a /etc/sysconfig/iptables config and show an appropriate configuration option.

You need to realise that what is displayed is used by users where their primary language may not be English and problems need to be dealt with by our GSS support organisation. All instructions need to be clear and accurate.
Comment 9 Alon Bar-Lev 2013-11-06 07:25:14 EST
(In reply to Peter Robinson from comment #8)
> Or you could detect the presence of whether firewalld or a
> /etc/sysconfig/iptables config and show an appropriate configuration option.

While these can be installed after setup, and the instructions are exactly for this purpose, so we cannot detect the presence of future installation, and we do want to provide the instruction for user to know what to do.

I prefer you suggest a phrasing that will be better for user who may optionally install or use firewalld within current setting.

Thanks!
Comment 10 Yedidyah Bar David 2013-11-20 16:38:06 EST
I intend to close this as notabug, because I truly think it isn't.

The best option I can see for supporting our customers is having a wiki page and/or KB article explaining the various parts of ovirt/rhevm and firewall configuration. I think this is beyond the scope of a summary text printed in the end of running setup.

I ran setup today several times (while working on other bugs), and the text seemed very natural to me. I am not a native English speaker (although leaving in a country where most unix users/admins prefer to set their locale to use English), and the text seemed very natural to me. I personally also think it's correct as-is - in order to configure firewalld, you have to do what's written below. When or where exactly you'll do this, engine-setup does not know - that's the whole point of this message. We specifically want to display it also if firewalld is not installed.

This text is passed through gettext, meaning it's subject to potential future translations if needed/wanted.

Comments are, as always, very welcome.

Thanks.
Comment 12 Sandro Bonazzola 2013-11-21 02:43:37 EST
(In reply to Yedidyah Bar David from comment #10)
> I intend to close this as notabug, because I truly think it isn't.

I agree.
Comment 13 Peter Robinson 2013-11-21 05:07:23 EST
Have you clarified that GSS are OK with that? h
Comment 14 Lee Yarwood 2013-11-21 06:29:02 EST
(In reply to Yedidyah Bar David from comment #10)
> I intend to close this as notabug, because I truly think it isn't.
> 
> The best option I can see for supporting our customers is having a wiki page
> and/or KB article explaining the various parts of ovirt/rhevm and firewall
> configuration. I think this is beyond the scope of a summary text printed in
> the end of running setup.

NACK, all we are asking for here is for the firewalld text to be removed downstream. The _product_ doesn't support this and thus it's just going to be confusing to customers and support associates.
Comment 15 Alon Bar-Lev 2013-11-21 06:50:20 EST
(In reply to Lee Yarwood from comment #14)
> (In reply to Yedidyah Bar David from comment #10)
> > I intend to close this as notabug, because I truly think it isn't.
> > 
> > The best option I can see for supporting our customers is having a wiki page
> > and/or KB article explaining the various parts of ovirt/rhevm and firewall
> > configuration. I think this is beyond the scope of a summary text printed in
> > the end of running setup.
> 
> NACK, all we are asking for here is for the firewalld text to be removed
> downstream. The _product_ doesn't support this and thus it's just going to
> be confusing to customers and support associates.

The _product_ has support for this, you want to disable that support.
Comment 16 Lee Yarwood 2013-11-21 08:13:33 EST
(In reply to Alon Bar-Lev from comment #15)
> (In reply to Lee Yarwood from comment #14)
> > (In reply to Yedidyah Bar David from comment #10)
> > > I intend to close this as notabug, because I truly think it isn't.
> > > 
> > > The best option I can see for supporting our customers is having a wiki page
> > > and/or KB article explaining the various parts of ovirt/rhevm and firewall
> > > configuration. I think this is beyond the scope of a summary text printed in
> > > the end of running setup.
> > 
> > NACK, all we are asking for here is for the firewalld text to be removed
> > downstream. The _product_ doesn't support this and thus it's just going to
> > be confusing to customers and support associates.
> 
> The _product_ has support for this, you want to disable that support.

From a customer POV the product is both RHEV-M and the underlying RHEL OS. As firewalld isn't shipped/supported in RHEL 6 and AFAIK there are no plans to do so this text is just confusing. Again we just want the text removed to avoid customers opening cases or calling in asking how they can enable it...

Feel free to ask PM for their opinion here.
Comment 18 Yedidyah Bar David 2013-11-28 04:12:16 EST
http://gerrit.ovirt.org/20737 introduced a new environment value, "supported firewall managers". It defaults to 'firewalld,iptables'.

http://gerrit.ovirt.org/21815 emits the configuration instructions only for supported managers.

This will allow adding downstream an answer file with:

[environment:default]
OVESETUP_CONFIG/supportedFirewallManagers=str:iptables

Which will make setup not show instructions for firewalld there.
Comment 19 Yedidyah Bar David 2013-11-28 08:18:59 EST
Squashed http://gerrit.ovirt.org/21815 into http://gerrit.ovirt.org/20737 per Alon's request.
Comment 21 Jiri Belka 2013-12-13 10:02:46 EST
ok, is27, just iptables nothing more.

          Do you want Setup to configure the firewall? (Yes, No) [Yes]: 
[ INFO  ] iptables will be configured as firewall manager.
Comment 22 Yedidyah Bar David 2013-12-15 02:19:17 EST
(In reply to Jiri Belka from comment #21)
> ok, is27, just iptables nothing more.
> 
>           Do you want Setup to configure the firewall? (Yes, No) [Yes]: 
> [ INFO  ] iptables will be configured as firewall manager.

The above does not prove that the bug was solved, the bug was about the message output at the end of setup if you select 'No' to this question.

Note that this is a new question. Details about this change can be found in https://bugzilla.redhat.com/show_bug.cgi?id=1024707#c9 .
Comment 23 Itamar Heim 2014-01-21 17:31:56 EST
Closing - RHEV 3.3 Released
Comment 24 Itamar Heim 2014-01-21 17:31:57 EST
Closing - RHEV 3.3 Released
Comment 25 Itamar Heim 2014-01-21 17:34:33 EST
Closing - RHEV 3.3 Released

Note You need to log in before you can comment on or make changes to this bug.