During an upgrade (likely the same for install) engine-setup advises the following:
The following network ports should be opened:
    tcp:111 tcp:2049 tcp:32803 tcp:443 tcp:662 tcp:80 tcp:875 tcp:892 udp:111 udp:32769 udp:662 udp:875 udp:892
An example of the required configuration for iptables can be found at:
    /etc/ovirt-engine/iptables.example
In order to configure firewalld, copy the files from /etc/ovirt-engine/firewalld to /etc/firewalld/services and execute the following commands:
    firewall-cmd -service ovirt-nfs
    firewall-cmd -service ovirt-http
    firewall-cmd -service ovirt-https
When firewall-cmd isn't available on RHEL but is rather a feature in Fedora. Instead it should be advising to edit /etc/sysconfig/iptables and restarting the firewall.
I think that we added this for manual setting, just print the options, user can select whatever he wishes. I am unsure it is worth conditionals or distro specific notes, for example if user does want to install firewalld on rhel (manually) he has usage.
(In reply to Alon Bar-Lev from comment #1)
> I think that we added this for manual setting, just print the options, user
> can select whatever he wishes. I am unsure it is worth conditionals or
> distro specific notes, for example if user does want to install firewalld on
> rhel (manually) he has usage.
Agreed. What do you say? We can change the text if you think it's not clear enough - but note that this appears only if user explicitly chose to not configure iptables automatically.
I think that this bug can be closed as not a bug as per comment #1.
(In reply to Yedidyah Bar David from comment #2)
> (In reply to Alon Bar-Lev from comment #1)
> > I think that we added this for manual setting, just print the options, user
> > can select whatever he wishes. I am unsure it is worth conditionals or
> > distro specific notes, for example if user does want to install firewalld on
> > rhel (manually) he has usage.
>
> Agreed. What do you say? We can change the text if you think it's not clear
> enough - but note that this appears only if user explicitly chose to not
> configure iptables automatically.
Is firewalld supported on RHEL-6? I don't believe it is, it's certainly not in the RHEL repos. In both the original install and the upgrade I took the default choices and got this message. It's incorrect and hence shouldn't be there as it'll cause confusion and hence likely support issues.
(In reply to Peter Robinson from comment #4)
> Is firewalld supported on RHEL-6? I don't believe it is, it's certainly not
> in the RHEL repos. In both the original install and the upgrade I took the
> default choices and got this message. It's incorrect and hence shouldn't be
> there as it'll cause confusion and hence likely support issues.
Please keep in mind that product is not rhel only.
this product may be installed when either firewalld *manually* installed, or at rhel-7 in which there will be probably firewalld, and it will support that configuration.
Removing a harmless text of conditional instruction just because a specific configuration is not supported is not worth the effort of maintaining downstream specific patch.
> Please keep in mind that product is not rhel only.
>
> this product may be installed when either firewalld *manually* installed, or
> at rhel-7 in which there will be probably firewalld, and it will support
> that configuration.
I am fully aware this isn't just RHEL only which is why the bug is reported against the Red Hat RHEV component which is the paid and supported product and NOT the upstream oVirt project or the Fedora oVirt component.
(In reply to Peter Robinson from comment #6)
> > Please keep in mind that product is not rhel only.
> >
> > this product may be installed when either firewalld *manually* installed, or
> > at rhel-7 in which there will be probably firewalld, and it will support
> > that configuration.
>
> I am fully aware this isn't just RHEL only which is why the bug is reported
> against the Red Hat RHEV component which is the paid and supported product
> and NOT the upstream oVirt project or the Fedora oVirt component.
You still ignore the arguments:
1. product supports firewalld, the existence or absence of firewalld from system is irrelevant.
2. current product version will work with firewalld if manually installed by sysadmin (from sources, external repo or similar).
3. current product version will work on rhel-7 leveraging firewalld.
4. the message is issue only if user chose not to configure firewall at all, to provide the sysadmin information of future manual steps that can be taken in order to apply firewall rules.
If you think that the sysadmin cannot understand that the following message is relevant only if he has firewalld configuration, we can modify it to any better phrasing.
---
In order to configure firewalld, copy the files from /etc/ovirt-engine/firewalld to /etc/firewalld/services and execute the following commands:
    firewall-cmd -service ovirt-nfs
    firewall-cmd -service ovirt-http
    firewall-cmd -service ovirt-https
---
Thanks,
> You still ignore the arguments:
I don't ignore any arguments.
> 1. product supports firewalld, the existence or absence of firewalld from
> system is irrelevant.
It's completely relevant, it's instructing the user to do something they can't and in the case of the Enterprise Product on currently released and supported platforms (not some product of the future) something that is completely out of support.
> 2. current product version will work with firewalld if manually installed by
> sysadmin (from sources, external repo or similar).
I have no doubt but it's very unlikely for customers that are paying for support and GSS who have to support them. It should be checking whether the firewalld binary is installed and giving appropriate contextual information.
> 3. current product version will work on rhel-7 leveraging firewalld.
There is no released version of RHEL-7 as yet and this bug report is against RHEV 3.3 beta which is currently only supported on RHEL-6. I'm not interested in what might happen in the future I'm interested in the current supported release of the Enterprise product.
> 4. the message is issue only if user chose not to configure firewall at all,
> to provide the sysadmin information of future manual steps that can be taken
> in order to apply firewall rules.
The message is an issue if the user chose the default settings and options when installing an earlier release of RHEV.
> If you think that the sysadmin cannot understand that the following message
> is relevant only if he has firewalld configuration, we can modify it to any
> better phrasing.
Or you could detect the presence of whether firewalld or a /etc/sysconfig/iptables config and show an appropriate configuration option. You need to realise that what is displayed is used by users where their primary language may not be English and problems need to be dealt with by our GSS support organisation. All instructions need to be clear and accurate.
(In reply to Peter Robinson from comment #8)
> Or you could detect the presence of whether firewalld or a
> /etc/sysconfig/iptables config and show an appropriate configuration option.
While these can be installed after setup, and the instructions are exactly for this purpose, so we cannot detect the presence of future installation, and we do want to provide the instruction for user to know what to do.
I prefer you suggest a phrasing that will be better for user who may optionally install or use firewalld within current setting.
Thanks!
I intend to close this as notabug, because I truly think it isn't. The best option I can see for supporting our customers is having a wiki page and/or KB article explaining the various parts of ovirt/rhevm and firewall configuration. I think this is beyond the scope of a summary text printed in the end of running setup. I ran setup today several times (while working on other bugs), and the text seemed very natural to me. I am not a native English speaker (although living in a country where most unix users/admins prefer to set their locale to use English), and the text seemed very natural to me. I personally also think it's correct as-is - in order to configure firewalld, you have to do what's written below. When or where exactly you'll do this, engine-setup does not know - that's the whole point of this message. We specifically want to display it also if firewalld is not installed. This text is passed through gettext, meaning it's subject to potential future translations if needed/wanted. Comments are, as always, very welcome. Thanks.
(In reply to Yedidyah Bar David from comment #10)
> I intend to close this as notabug, because I truly think it isn't.
I agree.
Have you clarified that GSS are OK with that?
(In reply to Yedidyah Bar David from comment #10)
> I intend to close this as notabug, because I truly think it isn't.
>
> The best option I can see for supporting our customers is having a wiki page
> and/or KB article explaining the various parts of ovirt/rhevm and firewall
> configuration. I think this is beyond the scope of a summary text printed in
> the end of running setup.
NACK, all we are asking for here is for the firewalld text to be removed downstream. The _product_ doesn't support this and thus it's just going to be confusing to customers and support associates.
(In reply to Lee Yarwood from comment #14)
> (In reply to Yedidyah Bar David from comment #10)
> > I intend to close this as notabug, because I truly think it isn't.
> >
> > The best option I can see for supporting our customers is having a wiki page
> > and/or KB article explaining the various parts of ovirt/rhevm and firewall
> > configuration. I think this is beyond the scope of a summary text printed in
> > the end of running setup.
>
> NACK, all we are asking for here is for the firewalld text to be removed
> downstream. The _product_ doesn't support this and thus it's just going to
> be confusing to customers and support associates.
The _product_ has support for this, you want to disable that support.
(In reply to Alon Bar-Lev from comment #15)
> (In reply to Lee Yarwood from comment #14)
> > (In reply to Yedidyah Bar David from comment #10)
> > > I intend to close this as notabug, because I truly think it isn't.
> > >
> > > The best option I can see for supporting our customers is having a wiki page
> > > and/or KB article explaining the various parts of ovirt/rhevm and firewall
> > > configuration. I think this is beyond the scope of a summary text printed in
> > > the end of running setup.
> >
> > NACK, all we are asking for here is for the firewalld text to be removed
> > downstream. The _product_ doesn't support this and thus it's just going to
> > be confusing to customers and support associates.
>
> The _product_ has support for this, you want to disable that support.
From a customer POV the product is both RHEV-M and the underlying RHEL OS. As firewalld isn't shipped/supported in RHEL 6 and AFAIK there are no plans to do so this text is just confusing.
Again we just want the text removed to avoid customers opening cases or calling in asking how they can enable it... Feel free to ask PM for their opinion here.
http://gerrit.ovirt.org/20737 introduced a new environment value, "supported firewall managers". It defaults to 'firewalld,iptables'. http://gerrit.ovirt.org/21815 emits the configuration instructions only for supported managers. This will allow adding downstream an answer file with:
[environment:default]
OVESETUP_CONFIG/supportedFirewallManagers=str:iptables
Which will make setup not show instructions for firewalld there.
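
A sketch of the filtering this comment describes, as an added example (not engine-setup's own code): it reads the answer-file key quoted above and returns manual instructions only for the managers listed there. The function names, the abridged instruction strings and the rejection of unknown manager names are assumptions made for illustration.

```python
import configparser

# Constructed sample answer file; section and key are the ones quoted above.
ANSWER_FILE = """\
[environment:default]
OVESETUP_CONFIG/supportedFirewallManagers=str:iptables
"""

KEY = "OVESETUP_CONFIG/supportedFirewallManagers"
DEFAULT = "str:firewalld,iptables"  # default named in the comment above

# Manual instructions per manager, abridged from the setup output in the report.
INSTRUCTIONS = {
    "firewalld": "copy /etc/ovirt-engine/firewalld to /etc/firewalld/services",
    "iptables": "see /etc/ovirt-engine/iptables.example",
}


def supported_managers(answer_text=None):
    """Return the firewall managers the answer file allows, in order."""
    raw = DEFAULT
    if answer_text:
        parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
        parser.optionxform = str  # keys are case-sensitive; do not lowercase
        parser.read_string(answer_text)
        raw = parser.get("environment:default", KEY, fallback=DEFAULT)
    vtype, _, value = raw.partition(":")
    if vtype != "str":  # assumption: only the "str:" prefix shown on the page
        raise ValueError(f"unexpected value type {vtype!r} for {KEY}")
    names = [n.strip() for n in value.split(",") if n.strip()]
    unknown = [n for n in names if n not in INSTRUCTIONS]
    if unknown:  # fail closed on typos instead of silently printing nothing
        raise ValueError(f"unknown firewall manager(s): {unknown}")
    return names


def manual_instructions(answer_text=None):
    """Instructions to print when setup is told not to configure the firewall."""
    return [f"{m}: {INSTRUCTIONS[m]}" for m in supported_managers(answer_text)]


if __name__ == "__main__":
    for line in manual_instructions(ANSWER_FILE):
        print(line)
```
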
Squashed http://gerrit.ovirt.org/21815 into http://gerrit.ovirt.org/20737 per Alon's request.
ok, is27, just iptables nothing more.
Do you want Setup to configure the firewall? (Yes, No) [Yes]:
[ INFO ] iptables will be configured as firewall manager.
(In reply to Jiri Belka from comment #21)
> ok, is27, just iptables nothing more.
>
> Do you want Setup to configure the firewall? (Yes, No) [Yes]:
> [ INFO ] iptables will be configured as firewall manager.
The above does not prove that the bug was solved, the bug was about the message output at the end of setup if you select 'No' to this question. Note that this is a new question. Details about this change can be found in https://bugzilla.redhat.com/show_bug.cgi?id=1024707#c9 .
Closing - RHEV 3.3 Released