Bug 1109326 - 3.4 upgrade does not set correct iptables rules when serving ISO domain from RHEV-M host
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-setup
Version: 3.4.0
Hardware: All
OS: All
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.5.0
Assignee: Simone Tiraboschi
QA Contact: Pavel Stehlik
URL:
Whiteboard: integration
Duplicates: 1071306
Depends On:
Blocks: 1133612 1157678
Reported: 2014-06-13 16:41 UTC by Thom Carlin
Modified: 2019-04-28 08:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
During upgrades, if automatic firewall configuration with iptables was chosen, NFS server ports were closed off. This caused problems for NFS storage domains. Now, NFS status is checked before iptables configuration is generated.
Clone Of:
: 1157678 (view as bug list)
Environment:
Last Closed: 2015-02-11 18:03:37 UTC
oVirt Team: ---
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 906553 0 None None None Never
Red Hat Product Errata RHSA-2015:0158 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Virtualization Manager 3.5.0 2015-02-11 22:38:50 UTC
oVirt gerrit 32867 0 master MERGED packaging: setup: keeping NFS ports open in case of preexisting exports Never
oVirt gerrit 32874 0 ovirt-engine-3.5 MERGED packaging: setup: keeping NFS ports open in case of preexisting exports Never
oVirt gerrit 33085 0 master MERGED packaging: setup: Adding a dialog to let the user review iptables changes Never
oVirt gerrit 33344 0 ovirt-engine-3.4 ABANDONED packaging: setup: keeping NFS ports open in case of preexisting exports Never
oVirt gerrit 33392 0 ovirt-engine-3.5 ABANDONED packaging: setup: Adding a dialog to let the user review iptables changes Never
oVirt gerrit 34011 0 ovirt-engine-3.5 ABANDONED packaging: setup: fixing iptables review dialog Never
oVirt gerrit 34257 0 master MERGED packaging: setup: fixing development environment Never
oVirt gerrit 34441 0 ovirt-engine-3.5 MERGED packaging: setup: fixing development environment Never

Description Thom Carlin 2014-06-13 16:41:33 UTC
Description of problem:

If automatic firewall configuration is chosen, NFS server ports are closed off.  This causes problems for NFS storage domains.

Version-Release number of selected component (if applicable):

3.4

How reproducible:

Every time

Steps to Reproduce:
1. On a 3.3 RHEV-M system acting as an NFS server for storage domain
2. Upgrade RHEV-M to 3.4, taking defaults
3. Try to access NFS storage domain from hypervisor

Actual results:

Timeout

Expected results:

Access to storage domain

Additional info:

This could be viewed as a bug or as an RFE.  In my case, I encountered it on an ISO domain.

Comment 1 Thom Carlin 2014-06-13 16:47:45 UTC
Diagnosing the error may be difficult.  Once you do, an easy workaround is to add the appropriate iptables rules after the fact.

Comment 3 Itamar Heim 2014-09-09 16:15:19 UTC
sandro - please verify for:
1. clean install 3.3 with ISO domain and firewall, check rules, upgrade to 3.4 (with reconfigure firewall), check rules.
2. same from 3.4 to 3.5...

Comment 5 Sandro Bonazzola 2014-09-11 11:32:41 UTC
Simone is taking care of trying to reproduce the issue. Moving the needinfo on him.

Comment 6 Simone Tiraboschi 2014-09-11 15:10:45 UTC
Reproduced.
Upgrading from 3.3.4 to 3.4.2 it loses these rules:
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:6100 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:111 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:111 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:662 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:662 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:875 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:875 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:892 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:892 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2049 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:32769 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:32803
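
The before/after rule check requested in Comment 3, as an added example that is not part of the original bug report or of ovirt-engine-setup: it parses two `iptables -L -n` listings, reports the ACCEPT ports that disappeared, and prints iptables-save style lines for the workaround mentioned in Comment 1. The function names, the `INPUT` chain and the two surviving rows (22, 443) are assumptions; the lost rows are the ones listed in Comment 6.

```python
import re

# One rule row of `iptables -L -n`: target, protocol, then dpt:N or dpts:LO:HI.
RULE_RE = re.compile(
    r"^(?P<target>\S+)\s+(?P<proto>tcp|udp)\s+.*?\bdpts?:(?P<lo>\d+)(?::(?P<hi>\d+))?"
)


def accepted_ports(listing):
    """Return the set of (proto, port) pairs opened by ACCEPT rules."""
    opened = set()
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m is None or m.group("target") != "ACCEPT":
            continue  # chain headers, column titles, REJECT/DROP rows
        lo = int(m.group("lo"))
        hi = int(m.group("hi") or lo)
        opened.update((m.group("proto"), port) for port in range(lo, hi + 1))
    return opened


def lost_rules(before, after):
    """Ports accepted before the upgrade that are no longer accepted after it."""
    return sorted(accepted_ports(before) - accepted_ports(after))


def restore_lines(lost, chain="INPUT"):
    """iptables-save style lines re-opening the lost ports (chain is an assumption).
    They must be placed ahead of any final REJECT/DROP rule in that chain."""
    return [
        f"-A {chain} -p {proto} -m state --state NEW -m {proto} --dport {port} -j ACCEPT"
        for proto, port in lost
    ]


# Constructed sample input: the rows reported lost in Comment 6, plus two
# made-up rows (22, 443) that survive the upgrade.
ROW = "ACCEPT     {}  --  0.0.0.0/0            0.0.0.0/0           state NEW {} dpt:{}"
COMMENT6 = [("tcp", 6100), ("tcp", 111), ("udp", 111), ("tcp", 662), ("udp", 662),
            ("tcp", 875), ("udp", 875), ("tcp", 892), ("udp", 892), ("tcp", 2049),
            ("udp", 32769), ("tcp", 32803)]
HEAD = "Chain INPUT (policy ACCEPT)\ntarget     prot opt source               destination\n"
AFTER = HEAD + "\n".join(ROW.format(p, p, n) for p, n in [("tcp", 22), ("tcp", 443)])
BEFORE = AFTER + "\n" + "\n".join(ROW.format(p, p, n) for p, n in COMMENT6)

if __name__ == "__main__":
    for line in restore_lines(lost_rules(BEFORE, AFTER)):
        print(line)
```

On a real host, feed it the output of `iptables -L -n` captured before and after running engine-setup instead of the constructed listings.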

Comment 12 Dima Kuznetsov 2014-09-28 14:50:30 UTC
Hey, Simone.
I am using recent master rpms, and I have some problems with running engine-setup, it fails with the following message (pretty much default on all options):
[ ERROR ] Failed to execute stage 'Setup validation': 'str' object has no attribute 'review_config'

And this is the trace from the log:
2014-09-28 14:15:36 DEBUG otopi.context context._executeMethod:138 Stage validation METHOD otopi.plugins.ovirt_engine_setup.base.network.firewall_manager.Plugin._review_config
2014-09-28 14:15:36 DEBUG otopi.context context._executeMethod:152 method exception
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/otopi/context.py", line 142, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/base/network/firewall_manager.py", line 247, in _review_config
    manager.review_config()
AttributeError: 'str' object has no attribute 'review_config'
2014-09-28 14:15:36 ERROR otopi.context context._executeMethod:161 Failed to execute stage 'Setup validation': 'str' object has no attribute 'review_config'

Could it be somehow related to http://gerrit.ovirt.org/#/c/33085/ ?

Thanks

Comment 13 Simone Tiraboschi 2014-09-29 09:48:41 UTC
Yes, it's a fault of mine. I added a patch to address that case. Thanks.

Comment 14 Yedidyah Bar David 2014-10-13 06:14:41 UTC
*** Bug 1071306 has been marked as a duplicate of this bug. ***

Comment 16 Arthur Berezin 2014-10-26 09:20:37 UTC
Moving this to Scott.

Comment 17 Scott Herold 2014-10-27 12:53:30 UTC
Added to 3.4.4 tracker

Comment 20 Petr Beňas 2014-10-30 10:02:15 UTC
in vt8

Comment 23 errata-xmlrpc 2015-02-11 18:03:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0158.html

