Description of problem:
----------------------
While creating a gluster enabled cluster in RHEVM, there is a provision to import the existing gluster cluster (Trusted Storage Pool), rather than adding the hosts one by one to this cluster, and while doing so, iptables rules are not set on RHSS Nodes.

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
glusterfs-3.4.0.55rhs-1.el6rhs
RHEVM 3.3 (IS31)

How reproducible:
-----------------
Always

Steps to Reproduce:
-------------------
1. Create 'N' RHSS Nodes, where 'N'>1
2. Create a cluster of RHSS Nodes, using 'gluster cli' on one of the RHSS Nodes (i.e.) gluster peer probe <RHSS-NODE-IP>
3. On RHEVM, create a 'GlusterFS' Datacenter (compatibility 3.3)
4. On RHEVM, create a gluster enabled cluster (compatibility 3.3) and while creating this cluster, check the option "import existing gluster configuration" and provide the IP address of one of the RHSS Nodes in the cluster
5. After all the Nodes are added to the cluster in RHEVM, check for iptables rules on those nodes

Actual results:
---------------
There are no iptables rules

Expected results:
-----------------
Required iptables (firewall) rules should be added while importing existing gluster configuration into the gluster enabled cluster

Additional Info:
================
When the same RHSS Nodes are added one by one to the gluster enabled cluster, iptables rules are set successfully
Console logs on one of the RHSS Node :
======================================
There were 4 RHSS Nodes in the cluster, 10.70.37.86, 10.70.37.187, 10.70.37.198, 10.70.37.46. This can be seen by execution of following command on one of the peer

[Thu Jan 9 20:26:01 UTC 2014 root.37.86:~ ] # gluster pool list
UUID                                    Hostname        State
9d681c20-3328-4a6c-8fd0-76171d1bfc47    10.70.37.46     Connected
7226ef33-768f-4965-a1f2-738bb00afc7d    10.70.37.198    Connected
cb396333-6598-45fc-8468-dbf51dcb5563    10.70.37.187    Connected
77c34f3e-6c32-42ba-af45-0732fa44f08e    localhost       Connected

>>>>>> I imported this existing gluster configuration to the newly created gluster enabled cluster in RHEVM. After that checked iptables rules on one of the node, 10.70.37.187

[Thu Jan 9 20:28:59 UTC 2014 root.37.187:~ ] # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

>>>>>>> I added the same node individually to the gluster enabled cluster and checked for iptables rules

[Thu Jan 9 20:29:08 UTC 2014 root.37.187:~ ] # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:snmp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:24007
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:webcache
ACCEPT     udp  --  anywhere             anywhere            udp dpt:sunrpc
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:38465
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:38466
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sunrpc
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:38467
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:nfs
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:38469
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:39543
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:55863
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:38468
ACCEPT     udp  --  anywhere             anywhere            udp dpt:963
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:965
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ctdb
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:24009:24108
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:49152:49251
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            PHYSDEV match ! --physdev-is-bridged reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
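
A check for the condition shown in the logs above, as an added example that is not part of the bug report or of RHEVM: it reads `iptables -S INPUT` output and flags a chain with policy ACCEPT and no catch-all REJECT/DROP, or a required port with no ACCEPT ahead of the catch-all. The function names, the `REQUIRED_TCP` subset and the sample rule lines are assumptions constructed from the listing above.

```sh
# Added example (not from the bug report): audit `iptables -S INPUT` output.
# REQUIRED_TCP is an assumed subset of the ports in the report's rule listing.
REQUIRED_TCP="22 54321 24007 49152"

# Reads rules on stdin, prints findings, returns 1 if the chain is unfiltered
# or a required port has no ACCEPT ahead of the catch-all REJECT/DROP.
audit_input_chain() {
    awk -v required="$REQUIRED_TCP" '
    BEGIN { nreq = split(required, req, " "); rules = 0; closed = 0; bad = 0 }
    $1 == "-P" && $2 == "INPUT" { policy = $3 }
    $1 == "-A" && $2 == "INPUT" {
        rules++
        proto = ""; dport = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        # Rules are evaluated in order: an ACCEPT after the catch-all is dead.
        if (!closed && proto == "tcp" && target == "ACCEPT" && dport != "") {
            n = split(dport, r, ":")
            lo = r[1] + 0; hi = (n == 2 ? r[2] + 0 : lo)
            for (k = 1; k <= nreq; k++)
                if (req[k] + 0 >= lo && req[k] + 0 <= hi) seen[k] = 1
        }
        # Catch-all: "-A INPUT -j REJECT|DROP" with no match criteria.
        if ($3 == "-j" && (target == "REJECT" || target == "DROP")) closed = 1
    }
    END {
        filtered = (policy == "DROP" || closed)
        if (!filtered) {
            print "UNFILTERED: policy=" policy " rules=" rules " no catch-all"; bad = 1
        } else for (k = 1; k <= nreq; k++) if (!seen[k]) {
            print "MISSING: tcp/" req[k] " not accepted before catch-all"; bad = 1
        }
        if (!bad) print "OK"
        exit bad
    }'
}

# Constructed samples mirroring the two states in the report.
sample_imported() { printf '%s\n' '-P INPUT ACCEPT'; }
sample_added() {
    printf '%s\n' '-P INPUT ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 54321 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 24007 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 49152:49251 -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
}
```

On a node, the live chain is checked with `iptables -S INPUT | audit_input_chain`; a non-zero exit status marks a host whose firewall was not configured by the import.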
During import of a cluster - we do not override existing iptables rules - which is why there's a difference observed in the firewall rules while following the "New host" flow vs. the "Import cluster" flow. If we do no need to change this, the user should be prompted if he/she wants this overriding of firewall rules, IMO.
Anmol, Please provide RHEVM Version in Fixed-In-Version and not RHSC Version
Sorry, this will be in rhevm-3.5. But it's now available in upstream master.
Verified with RHEVM 3.5 - Version: 3.5.0-0.27.el6ev

iptables rules are added to RHSS Nodes even when the RHS cluster is imported into the RHEVM cluster.

Marking this bug as VERIFIED
Anmol, Made little changes to the doc_text. Removed the consequence section in that doc_text, as that is no longer relevant with the current fix.
rhev 3.5.0 was released. closing.