Description of problem:
When trying to deploy self hosted engine using command hosted-engine --deploy it fails with

[ ERROR ] Failed to execute stage 'Environment setup': Command '/bin/systemctl' failed to execute

in /var/log/ovirt-hosted-engine-setup/ovirt-hosted-engine-setup-20140312153801.log we can see

2014-03-12 15:41:12 DEBUG otopi.context context.dumpEnvironment:478 ENV NETWORK/firewalldAvailable=bool:'False'

despite the fact firewalld is available and running

[root@dell-r210ii-08 ~]# /bin/systemctl | grep firewall
firewalld.service loaded active running firewalld - dynamic firewall daemon

Version-Release number of selected component (if applicable):
[root@dell-r210ii-08 ~]# cat /etc/redhat-release
Fedora release 19 (Schrödinger’s Cat)
[root@dell-r210ii-08 ~]# rpm -qa | grep otopi
otopi-1.2.0-0.9.rc3.fc19.noarch
[root@dell-r210ii-08 ~]# rpm -qa | grep vdsm
vdsm-4.14.5-0.fc19.x86_64
[root@dell-r210ii-08 ~]# rpm -qa | grep hosted
ovirt-hosted-engine-setup-1.1.1-1.fc19.noarch
ovirt-hosted-engine-ha-1.1.1-1.fc19.noarch

How reproducible:
100%

Steps to Reproduce:
1. yum install ovirt-hosted-engine-setup -y && hosted-engine --deploy

Actual results:
otopi does not detect firewalld service properly

Expected results:
otopi detects firewalld service properly

Additional info:
at the beginning there was a problem with PKI

[ ERROR ] Failed to execute stage 'Environment setup': [Errno 2] No such file or directory: '/etc/pki/libvirt/clientcert.pem'

it can be fixed by mkdir /etc/pki/libvirt
why don't you attach logs?
(In reply to Alon Bar-Lev from comment #1)
> why don't you attach logs?

sorry my bad, attaching
Created attachment 875375: logs
I kind of think this is on purpose. We do not support host (vdsm) with firewalld.

2014-03-17 09:32:01 DEBUG otopi.context context.dumpEnvironment:478 ENV NETWORK/firewalldEnable=bool:'False'

I leave sandro to close this.
(In reply to Alon Bar-Lev from comment #4)
> I kind of think this is on purpose. We do not support host (vdsm) with
> firewalld.

We don't support firewalld on hosted engine host since engine doesn't support firewalld. But hosted-engine --deploy should not fail with

[ ERROR ] Failed to execute stage 'Environment setup': Command '/bin/systemctl' failed to execute

because of that. I've to take a better look at the logs.
Please rename bug or open one per issue... and close this one.
It failed on vdsmd not on firewalld. And vdsm.log is 0 byte so it seems like bug #1055153.

So, for the systemctl failure, please refer to bug #1055153.
For the firewalld support disabled, going to close this as closed cantfix due to missing support on ovirt-engine deploy to firewalld (bug #995362).
(In reply to Sandro Bonazzola from comment #5)
> (In reply to Alon Bar-Lev from comment #4)
> > I kind of think this is on purpose. We do not support host (vdsm) with
> > firewalld.
>
> We don't support firewalld on hosted engine host since engine doesn't
> support firewalld.
> But hosted-engine --deploy should not fail with
>
> [ ERROR ] Failed to execute stage 'Environment setup': Command
> '/bin/systemctl' failed to execute
>
> because of that.
> I've to take a better look at the logs.

And what will we do when RHEL 7 is out? Red Hat Enterprise Linux 7.0 Beta ships with the dynamic firewall daemon, firewalld (source: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html-single/7.0_Release_Notes/index.html#chap-networking). I think we need to add this support.
AFAIK iptables is still supported on RHEL7. I've converted this bug to a RFE for adding FirewallD support when ovirt will support it, but still can't fix this now.
*** Bug 1107805 has been marked as a duplicate of this bug. ***
This is an automated message. This Bugzilla report has been opened on a version which is not maintained anymore. Please check if this bug is still relevant in oVirt 3.5.4. If it's not relevant anymore, please close it (you may use EOL or CURRENT RELEASE resolution) If it's an RFE please update the version to 4.0 if still relevant.
Hi Sandro, I can say that we do not have problem with vdsmd service on RHEL7 hosts under 3.5.4, but what about support of firewalld service, have you some information about it?
No plans for firewalld support yet, so still valid.
(In reply to Sandro Bonazzola from comment #14)
> No plans for firewalld support yet, so still valid.

Any updates?
(In reply to Yaniv Kaul from comment #15)
> (In reply to Sandro Bonazzola from comment #14)
> > No plans for firewalld support yet, so still valid.
>
> Any updates?

There are plans to add firewalld configuration using ansible on engine side. When it will be ready I think hosted-engine setup won't need firewalld support anymore unless we want firewalld being up and running during the initial setup on first host.
Simone, Martin, can we move this to modified with the firewalld ansible post-deploy handling?
AFAIK hosted engine setup is adding host using RESTAPI engine call, so if firewalld is set on the cluster (by default from 4.2), then firewalld is configured, enabled and started during host-deploy flow.

So the only question which comes to mind is: Do hosted engine HA daemons communicate directly over network among themselves and if so, are ports required for this communication included in ports configured by ovirt-host-deploy-firewalld Ansible role [1]?

[1] https://github.com/oVirt/ovirt-ansible/tree/master/roles/ovirt-host-deploy-firewalld/vars
hosted-engine --deploy also needs to handle the firewall for the stage before the engine is up. This used to be particularly important for accessing the engine vm console using spice/vnc, before the appliance flow was introduced and before we moved to connect using virtual serial console.

A quick grep FIREWALLD_SERVICES finds:

1. hosted-console
Can be considered deprecated/obsoleted, since bug 1333449?

2. hosted-cockpit
Obviously still needed, was added for bug 1335426. Anyone knows if anything else handles it these days?

3. hosted-gluster
No idea, perhaps gdeploy handles it.
This is fixed with node zero deployment in oVirt 4.2.