Description of problem:
EqualLogic storage arrays use iSCSI redirections to load balance between multiple members of the storage group and in determining which interfaces can be used, each of the possible interfaces on the EqualLogic boxes pings the interface the connection was initiated from. If the ping fails, that target interface is not used. If all pings fail, only one target interface is used, leading to reduced performance, especially in multipath scenarios. When oVirt is allowed to automatically configure iptables when adding a host, ping gets blocked.

Version-Release number of selected component (if applicable):
3.3 (also the case on at least 3.2)

How reproducible:
Always

Steps to Reproduce:
1. Add new host through webadmin
2. Configure node to use multiple iSCSI sessions or interfaces
3. Have a storage domain on EqualLogic storage

Actual results:
EqualLogic admin interface shows all connections going to 1 target IP address

Expected results:
Connection should be spread around the storage pool members that hold that volume and their interfaces.

Additional info:
tcpdump can be used to verify pings are being sent to the initiator interfaces from each potential target interface. IPTables shows that ICMP is not being allowed.
Looks like a networking issue - Livant, can you handle this?
Historically, the strict firewall rules that are applied on hosts upon installation have fallen into the domain of Doron. In my opinion, allowing incoming pings is a reasonable price to pay. Martin, even if this is not changed to become the default behavior, you can still edit the firewall applied by ovirt-host-deploy. (Too bad I do not recall how exactly.)
As you can see here: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0523 and here: http://technet.microsoft.com/en-us/library/cc749323(v=ws.10).aspx, ICMP echo has been dropped for quite some time now. If you wish to enable it, you can use engine-config to change the iptable rules stored in a key called IPTablesConfig. Note that there are additional Gluster and virt variants: IPTablesConfigForVirt, IPTablesConfigForGluster. So you can be more specific about it.
Setting target release to current version for consideration and review. Please do not push non-RFE bugs to an undefined target release to make sure bugs are reviewed for relevancy, fix, closure, etc.
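An added example, not part of the original report and not oVirt code: a first-match check over iptables-save style INPUT rules that shows why the array's ping is rejected under a strict ruleset, and how an echo-request rule limited to the storage network changes the verdict without opening ping to every source. The rule text, the 10.10.10.0/24 storage subnet, the `eth1` interface and the helper name `ping_verdict` are assumptions; the rules are constructed and are not the actual IPTablesConfig value.

```python
import ipaddress
import shlex

# Constructed iptables-save style rules (NOT the real IPTablesConfig contents).
STRICT = """\
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 54321 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Same ruleset with echo-request allowed only from a hypothetical storage subnet,
# inserted ahead of the final catch-all REJECT.
SCOPED = STRICT.replace(
    "-A INPUT -j REJECT",
    "-A INPUT -s 10.10.10.0/24 -p icmp --icmp-type echo-request -j ACCEPT\n"
    "-A INPUT -j REJECT",
)

TERMINATING = ("ACCEPT", "REJECT", "DROP")


def ping_verdict(rules, src, iface="eth1"):
    """Return the first terminating target that a NEW ICMP echo-request
    from `src` arriving on `iface` would hit in the INPUT chain.

    Simplified model: every option takes exactly one argument and
    negation ("!") is not supported.
    """
    src_ip = ipaddress.ip_address(src)
    for line in rules.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))
        matches = (
            "NEW" in opts.get("--state", "NEW").split(",")
            and opts.get("-i", iface) == iface
            and opts.get("-p", "icmp") in ("icmp", "all")
            and opts.get("--icmp-type", "echo-request") in ("echo-request", "8")
            and src_ip in ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"))
        )
        if matches and opts.get("-j") in TERMINATING:
            return opts["-j"]
    return "POLICY"  # nothing matched; the chain policy decides
```

On a real host, feed the function the INPUT lines from `iptables-save` and the address of each array interface to see which ones would fail the array's ping test.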
This is an automated message. Re-targeting all non-blocker bugs still open on 3.4.0 to 3.4.1.
This is an automated message. oVirt 3.4.1 has been released. This issue has been retargeted to 3.5.0 since it has not been marked as high priority or severity issue, please retarget if needed.
This is an automated message. This Bugzilla report has been opened on a version which is not maintained anymore. Please check if this bug is still relevant in oVirt 3.5.4. If it's not relevant anymore, please close it (you may use EOL or CURRENT RELEASE resolution). If it's an RFE, please update the version to 4.0 if still relevant.
This is an automated message. This Bugzilla report has been opened on a version which is not maintained anymore. Please check if this bug is still relevant in oVirt 3.5.4 and reopen if still an issue.