Red Hat Bugzilla – Bug 1149970
[Docs] [Install] The list of firewall rules that engine-setup takes care of must be updated
Last modified: 2015-03-01 21:04:36 EST
The list of firewall rules that the engine-setup command configures must be updated. This list can be found here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5-Beta/html-single/Installation_Guide/index.html#sect-Firewalls

In the first table, entries must be added for 6100 (noVNC and HTML5), and 7410 (Kdump).

The full list of ports currently configured is as follows:

-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 7410 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6100 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

These lines can be found in the log files in /var/log/ovirt-engine/setup on the machine where the Manager is installed.
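Added example (not part of the bug report and not Red Hat or oVirt code): one way to catch this kind of drift between the rules engine-setup writes and the documented port table. The DOCUMENTED set is an assumption standing in for the table before the fix, and the function names are hypothetical; the port-range handling goes beyond the rules quoted above.

```python
import shlex

# Rules exactly as quoted in the bug report above.
RULES = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 7410 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6100 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
"""

# ASSUMPTION (constructed for this example): the documented table before the
# fix, taken to be every port above except the two the report says are missing.
DOCUMENTED = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 5432)}


def _arg(tokens, flag):
    """Return the token following the first occurrence of flag, or None."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None


def opened_ports(rules_text):
    """Return {(proto, port)} for INPUT rules that ACCEPT traffic to a --dport."""
    found = set()
    for line in rules_text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens[:2] != ["-A", "INPUT"] or _arg(tokens, "-j") != "ACCEPT":
            continue
        proto, dport = _arg(tokens, "-p"), _arg(tokens, "--dport")
        if proto is None or dport is None:
            continue  # loopback, icmp and RELATED,ESTABLISHED rules open no port
        low, _, high = dport.partition(":")  # iptables range syntax "first:last"
        for port in range(int(low), int(high or low) + 1):
            found.add((proto, port))
    return found


def audit(rules_text, documented):
    """Return (open but undocumented, documented but not open), both sorted."""
    live = opened_ports(rules_text)
    return sorted(live - documented), sorted(documented - live)


if __name__ == "__main__":
    undocumented, stale = audit(RULES, DOCUMENTED)
    print("open but undocumented:", undocumented)
    print("documented but not open:", stale)
```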
Checked in Red_Hat_Enterprise_Virtualization-Installation_Guide-3.5-en-US-3.5-33. Entries for ports 6100 and 7410 have been added as requested. Moving to VERIFIED.
Sorry for a late response, but I think the port 6100 would deserve a little clarification.

Port 6100 is needed for the websocket proxy access. It is specifically used _only_ when customer uses web-based console clients (noVNC, spice-html5) and is running the websocket proxy (which is a mandatory component in this case) on the engine host. 3.5 will/does support deployment of the proxy to a different host. And regular/standalone console clients do not need that.

I understand the description is a bit convoluted so please try to think of some sensible rephrase :-)

Again, my apologies about late response.
Thanks for that info, Michal. How about: "[This port is] needed for websocket proxy access when using web-based console clients (noVNC and spice-html5) on the engine." ?
Thanks. Just somehow make clear the websocket proxy may or may not be running on the engine host. There's probably a new section about deploying the proxy elsewhere since it's a new feature.

But on Monday morning I don't have any better wording to offer.... :-)
(In reply to Michal Skrivanek from comment #11)
> thanks. Just somehow make clear the websocket proxy may or may not be
> running on the engine host. There's probably a new section about deploying
> the proxy elsewhere since it's a new feature.
>
> But on monday morning I don't have any better wording to offer....:-)

Completely understandable ;)

Okay, how about:

"[This port] provides websocket proxy access for web-based console clients (noVNC and spice-html5) when the websocket proxy is running on the Manager. If the websocket proxy is running on a different host, however, this port is not used."

?
sounds good!
Excellent, thanks Michal! Moving this to ON_QA.

Documentation Link
------------------------------
https://documentation-devel.engineering.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html-single/Installation_Guide/index.html#sect-Firewalls

What Changed
------------------------------
Red Hat Enterprise Virtualization Manager Firewall Requirements [7850-727851]
Added ports 6100 and 7410
Updated revision history [34615-727854]

NVR
------------------------------
Red_Hat_Enterprise_Virtualization-Installation_Guide-3.5-web-en-US-3.5-37.el6eng
Content already published.