Bug 1109326 - 3.4 upgrade does not set correct iptables rules when serving ISO domain from RHEV-M host
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-setup
3.4.0
All All
high Severity high
: ---
: 3.5.0
Assigned To: Simone Tiraboschi
Pavel Stehlik
integration
: ZStream
: 1071306 (view as bug list)
Depends On:
Blocks: 1133612 1157678
Reported: 2014-06-13 12:41 EDT by Thom Carlin
Modified: 2015-02-11 13:03 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
During upgrades, if automatic firewall configuration with iptables was chosen, NFS server ports were closed off. This caused problems for NFS storage domains. Now, NFS status is checked before iptables configuration is generated.
Story Points: ---
Clone Of:
: 1157678 (view as bug list)
Environment:
Last Closed: 2015-02-11 13:03:37 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 906553 | None | None | None | Never
oVirt gerrit | 32867 | master | MERGED | packaging: setup: keeping NFS ports open in case of preexisting exports | Never
oVirt gerrit | 32874 | ovirt-engine-3.5 | MERGED | packaging: setup: keeping NFS ports open in case of preexisting exports | Never
oVirt gerrit | 33085 | master | MERGED | packaging: setup: Adding a dialog to let the user review iptables changes | Never
oVirt gerrit | 33344 | ovirt-engine-3.4 | ABANDONED | packaging: setup: keeping NFS ports open in case of preexisting exports | Never
oVirt gerrit | 33392 | ovirt-engine-3.5 | ABANDONED | packaging: setup: Adding a dialog to let the user review iptables changes | Never
oVirt gerrit | 34011 | ovirt-engine-3.5 | ABANDONED | packaging: setup: fixing iptables review dialog | Never
oVirt gerrit | 34257 | master | MERGED | packaging: setup: fixing development environment | Never
oVirt gerrit | 34441 | ovirt-engine-3.5 | MERGED | packaging: setup: fixing development environment | Never
Red Hat Product Errata | RHSA-2015:0158 | normal | SHIPPED_LIVE | Important: Red Hat Enterprise Virtualization Manager 3.5.0 | 2015-02-11 17:38:50 EST

Description Thom Carlin 2014-06-13 12:41:33 EDT
Description of problem:

If automatic firewall configuration is chosen, NFS server ports are closed off.  This causes problems for NFS storage domains.

Version-Release number of selected component (if applicable):

3.4

How reproducible:

Every time

Steps to Reproduce:
1. On a 3.3 RHEV-M system acting as an NFS server for storage domain
2. Upgrade RHEV-M to 3.4, taking defaults
3. Try to access NFS storage domain from hypervisor

Actual results:

Timeout

Expected results:

Access to storage domain

Additional info:

This could be viewed as a bug or as an RFE.  In my case, I encountered it on an ISO domain.
Comment 1 Thom Carlin 2014-06-13 12:47:45 EDT
Diagnosing the error may be difficult.  Once you do, an easy workaround is to add the appropriate iptables rules after the fact.
Comment 3 Itamar Heim 2014-09-09 12:15:19 EDT
sandro - please verify for:
1. clean install 3.3 with ISO domain and firewall, check rules, upgrade to 3.4 (with reconfigure firewall), check rules.
2. same from 3.4 to 3.5...
Comment 5 Sandro Bonazzola 2014-09-11 07:32:41 EDT
Simone is taking care of trying to reproduce the issue. Moving the needinfo on him.
Comment 6 Simone Tiraboschi 2014-09-11 11:10:45 EDT
Reproduced.
Upgrading from 3.3.4 to 3.4.2, it loses these rules:
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:6100 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:111 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:111 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:662 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:662 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:875 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:875 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:892 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:892 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2049 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:32769 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:32803
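
Added example, not part of the bug report or of ovirt-engine-setup: one way to catch this regression is to save the `iptables -L INPUT -n` listing before the upgrade and diff it against the listing afterwards. The function names and both sample listings are assumptions made for the illustration; the rule layout is the one quoted in the comment above.

```python
import re

# Matches ACCEPT lines in the `iptables -L -n` layout quoted in comment 6.
RULE_RE = re.compile(
    r"^ACCEPT\s+(tcp|udp)\s+--\s+(\S+)\s+(\S+)\s+.*\bdpt:(\d+)\s*$"
)

def parse_accept_rules(listing):
    """Return {(proto, source, port)} for each ACCEPT rule with a dpt match."""
    rules = set()
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            proto, source, _dest, port = m.groups()
            rules.add((proto, source, int(port)))
    return rules

def lost_rules(before, after):
    """Rules open before the upgrade and missing afterwards, sorted by port."""
    missing = parse_accept_rules(before) - parse_accept_rules(after)
    return sorted(missing, key=lambda r: (r[2], r[0]))

# Constructed sample: the pre-upgrade listing reuses four rules from the
# comment plus SSH/HTTPS; the post-upgrade listing is invented for the example.
BEFORE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:111
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:111
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2049
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:32769
"""
AFTER = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
"""

if __name__ == "__main__":
    for proto, source, port in lost_rules(BEFORE, AFTER):
        print(f"lost: {proto}/{port} from {source}")
```
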
Comment 12 Dima Kuznetsov 2014-09-28 10:50:30 EDT
Hey, Simone.
I am using recent master rpms, and I have some problems with running engine-setup, it fails with the following message (pretty much default on all options):
[ ERROR ] Failed to execute stage 'Setup validation': 'str' object has no attribute 'review_config'

And this is the trace from the log:
2014-09-28 14:15:36 DEBUG otopi.context context._executeMethod:138 Stage validation METHOD otopi.plugins.ovirt_engine_setup.base.network.firewall_manager.Plugin._review_config
2014-09-28 14:15:36 DEBUG otopi.context context._executeMethod:152 method exception
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/otopi/context.py", line 142, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/base/network/firewall_manager.py", line 247, in _review_config
    manager.review_config()
AttributeError: 'str' object has no attribute 'review_config'
2014-09-28 14:15:36 ERROR otopi.context context._executeMethod:161 Failed to execute stage 'Setup validation': 'str' object has no attribute 'review_config'

Could it be somehow related to http://gerrit.ovirt.org/#/c/33085/ ?

Thanks
Comment 13 Simone Tiraboschi 2014-09-29 05:48:41 EDT
Yes, it's a fault of mine. I added a patch to address that case. Thanks.
Comment 14 Yedidyah Bar David 2014-10-13 02:14:41 EDT
*** Bug 1071306 has been marked as a duplicate of this bug. ***
Comment 16 Arthur Berezin 2014-10-26 05:20:37 EDT
Moving this to Scott.
Comment 17 Scott Herold 2014-10-27 08:53:30 EDT
Added to 3.4.4 tracker
Comment 20 Petr Beňas 2014-10-30 06:02:15 EDT
in vt8
Comment 23 errata-xmlrpc 2015-02-11 13:03:37 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0158.html