Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1057139

Summary: [oVirt] fail to start VM due to FirewallD not running
Product: [Retired] oVirt Reporter: Mike Kolesnik <mkolesni>
Component: ovirt-hosted-engine-setupAssignee: Sandro Bonazzola <sbonazzo>
Status: CLOSED CURRENTRELEASE QA Contact: Martin Pavlik <mpavlik>
Severity: high Docs Contact:
Priority: medium    
Version: 3.4CC: acathrow, bazulay, didi, gklein, iheim, laine, mgoldboi, mkolesni, pstehlik, sbonazzo, yeylon
Target Milestone: ---   
Target Release: 3.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: integration
Fixed In Version: ovirt-3.4.0-rc Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-31 12:31:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
VDSM log
none
Hosted engine setup log none

Description Mike Kolesnik 2014-01-23 14:03:04 UTC 
Description of problem:
'hosted-engine --deploy' not completing due to not being able to start the VM.


Version-Release number of selected component (if applicable):


How reproducible:
100%


Steps to Reproduce:
1. yum install ovirt-hosted-engine-setup
2. hosted-engine --deploy

Actual results:
[ INFO  ] Configuring VM
[ INFO  ] Updating hosted-engine configuration
[ INFO  ] Stage: Transaction commit
[ INFO  ] Stage: Closing up
[ INFO  ] Creating VM
[ ERROR ] Failed to execute stage 'Closing up': Cannot set temporary password for console connection. The VM may not have been created: please check VDSM logs
[ INFO  ] Stage: Clean up
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination



Expected results:
The deploy should work.


Additional info:
Comment 1 Mike Kolesnik 2014-01-23 14:03:44 UTC 
Created attachment 854405 [details]
VDSM log
Comment 2 Mike Kolesnik 2014-01-23 14:04:17 UTC 
Created attachment 854406 [details]
Hosted engine setup log
Comment 3 Sandro Bonazzola 2014-01-23 14:17:37 UTC 
Can you please also run:
 # rpm -qa |grep ovirt
 # rpm -qa |grep vdsm
Comment 4 Mike Kolesnik 2014-01-27 06:56:36 UTC 
[root@localhost ~]# rpm -qa | grep vdsm
vdsm-4.14.1-2.fc19.x86_64
vdsm-cli-4.14.1-2.fc19.noarch
vdsm-xmlrpc-4.14.1-2.fc19.noarch
vdsm-python-4.14.1-2.fc19.x86_64
vdsm-python-zombiereaper-4.14.1-2.fc19.noarch
[root@localhost ~]# rpm -qa | grep ovirt
libgovirt-0.1.0-1.fc19.x86_64
ovirt-guest-agent-common-1.0.8-2.fc19.noarch
ovirt-hosted-engine-ha-1.1.0-0.1.beta1.fc19.noarch
ovirt-host-deploy-1.2.0-0.1.beta.fc19.noarch
ovirt-hosted-engine-setup-1.1.0-0.1.beta1.fc19.noarch
ovirt-engine-sdk-python-3.4.0.2-1.20140114.gitbaccf38.fc19.noarch
ovirt-release-fedora-8-1.noarch
Comment 5 Sandro Bonazzola 2014-01-28 11:36:37 UTC 
Looking at the logs, the VM has been started by Thread-50:

Thread-50::DEBUG::2014-01-23 15:34:04,390::libvirtconnection::124::root::(wrapper) Unknown libvirterror: ecode: 63 edom: 33 level: 2 message: Error while building firewall: Some rules could not be created for interface vnet0: Failure to execute command '$EBT -t nat -N libvirt-J-vnet0' : '[91mFirewallD is not running[00m'.

Thread-50::DEBUG::2014-01-23 15:34:04,391::vm::2247::vm.Vm::(_startUnderlyingVm) vmId=`8086ca4f-c231-4955-8149-88133673bc7f`::_ongoingCreations released
Thread-50::ERROR::2014-01-23 15:34:04,391::vm::2273::vm.Vm::(_startUnderlyingVm) vmId=`8086ca4f-c231-4955-8149-88133673bc7f`::The vm start process failed
Traceback (most recent call last):
  File "/usr/share/vdsm/vm.py", line 2233, in _startUnderlyingVm
    self._run()
  File "/usr/share/vdsm/vm.py", line 3164, in _run
    self._connection.createXML(domxml, flags),
  File "/usr/lib64/python2.7/site-packages/vdsm/libvirtconnection.py", line 92, in wrapper
    ret = f(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/libvirt.py", line 2805, in createXML
    if ret is None:raise libvirtError('virDomainCreateXML() failed', conn=self)
libvirtError: Error while building firewall: Some rules could not be created for interface vnet0: Failure to execute command '$EBT -t nat -N libvirt-J-vnet0' : '[91mFirewallD is not running[00m'.

Thread-50::DEBUG::2014-01-23 15:34:04,394::vm::2725::vm.Vm::(setDownStatus) vmId=`8086ca4f-c231-4955-8149-88133673bc7f`::Changed state to Down: Error while building firewall: Some rules could not be created for interface vnet0: Failure to execute command '$EBT -t nat -N libvirt-J-vnet0' : '[91mFirewallD is not running[00m'.

Hosted engine only support iptables due to limitations in ovirt-engine. Not sure why libvirt should fail on firewalld here.
Comment 6 Dan Kenigsberg 2014-01-28 12:26:18 UTC 
Laine, any idea why firewalld is suddenly a requirement?
Comment 7 Laine Stump 2014-01-29 11:28:53 UTC 
The "FirewallD is not running" message comes from firewall-cmd, which libvirt calls instead of iptables/ebtables iff firewalld was enabled and running on the system *at the time libvirtd was started*.

Look in the logs for the following INFO level message:

   firewalld support disabled|enabled for nwfilter

This should only say "enabled" if firewalld is running at the time that libvirtd is started. If you verify that firewalld is not running when libvirtd is started, but this message says "enabled", then there is a bug in the code that is auto-detecting firewalld.

Otherwise, if firewalld was running at the time libvirtd was started, and the system administrator for some reason stopped it at some later time, they will also need to restart libvirtd in order for libvirt to rescan for iptables vs. firewall-cmd.
Comment 8 Dan Kenigsberg 2014-02-18 22:29:29 UTC 
Sandro, iirc, you shut firewalld down. According to comment 7, libvirtd should be (re)started only after that.
Comment 9 Sandro Bonazzola 2014-02-19 14:59:36 UTC 
(In reply to Dan Kenigsberg from comment #8)
> Sandro, iirc, you shut firewalld down. According to comment 7, libvirtd
> should be (re)started only after that.

So the workaround is shutdown firewalld before running hosted-engine --deploy.
And the fix is shutdown firewalld before restarting libvirtd in the code.
Comment 10 Sandro Bonazzola 2014-02-20 16:43:28 UTC 
> Otherwise, if firewalld was running at the time libvirtd was started, and
> the system administrator for some reason stopped it at some later time, they
> will also need to restart libvirtd in order for libvirt to rescan for
> iptables vs. firewall-cmd.

Laine, I'm going to fix this on hosted engine side, stopping firewalld before restarting libvirtd.
But I really think it's not wise to rely on the state of a firewall manager when the service is started. IMHO libvirt should check which firewall manager is running and use it or interact with systemd to be restarted if firewall manager service change state.
Comment 11 Sandro Bonazzola 2014-02-24 10:17:50 UTC 
merge on master and 1.1 branch.
Comment 12 Sandro Bonazzola 2014-03-03 15:23:48 UTC 
This is an automated message.

This BZ should be fixed in oVirt 3.4.0 RC repository, assignee please update the status of the bug to ON_QA once you've verified that the change is included in the build.
Comment 13 Martin Pavlik 2014-03-11 15:36:00 UTC 
works on ovirt-rc

had to use in order to make deploy command work

hosted-engine --deploy --otopi-environment="OVESETUP_SYSTEM/shmmax=int:68719476736"
Comment 14 Sandro Bonazzola 2014-03-11 15:41:13 UTC 
Moving back to ON_QA since --otopi-environment="OVESETUP_SYSTEM/shmmax=int:68719476736" has no effect on hosted-engine --deploy command.
If it fails without it and it works with it it's really a weird issue.
Comment 15 Martin Pavlik 2014-03-12 15:24:52 UTC 
at the moment this BZ is blocked by bug 1075687, otopi does not detect firewalld properly and therefore firewalld is not stopped during hosted-engine --deploy and vdsm fails to start
Comment 16 Sandro Bonazzola 2014-03-31 12:31:08 UTC 
this is an automated message: moving to Closed CURRENT RELEASE since oVirt 3.4.0 has been released