Bug 1150328 - Missing firewall rules prevent connection to virtual-machine consoles via webadmin
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-node
Version: 3.5.0
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 3.5.0
Assignee: Douglas Schilling Landgraf
QA Contact: Virtualization Bugs
URL:
Whiteboard: node
Depends On:
Blocks: rhev35betablocker rhev35rcblocker rhev35gablocker
Reported: 2014-10-08 00:11 UTC by Douglas Schilling Landgraf
Modified: 2016-02-10 20:09 UTC

Fixed In Version: rhev-hypervisor6-6.6-20141218.0.iso rhev-hypervisor7-7.0-20141218.0.iso
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-11 21:02:39 UTC
oVirt Team: Node
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1152958 | 0 | high | CLOSED | An error occurred while applying SNMP changes | 2021-02-22 00:41:40 UTC
Red Hat Product Errata | RHEA-2015:0160 | 0 | normal | SHIPPED_LIVE | ovirt-node bug fix and enhancement update | 2015-02-12 01:34:52 UTC
oVirt gerrit | 33915 | 0 | master | ABANDONED | rhevh7-post: add the ovirt xml firewalld file | Never
oVirt gerrit | 33938 | 0 | master | MERGED | firewall: Use correct logic if firewalld is used | Never
oVirt gerrit | 33943 | 0 | master | MERGED | rhevh7-install: replace firewalld to iptables | Never
oVirt gerrit | 33944 | 0 | master | MERGED | rhevh7-post: initial iptables rules | Never

Internal Links: 1152958

Description Douglas Schilling Landgraf 2014-10-08 00:11:35 UTC
Description of problem:

- Create a virtual machine in ovirt-node with spice protocol
- Try to open the virtual-machine display via Admin Portal.

Version-Release number of selected component (if applicable):

- rhev-hypervisor7-7.0-20141006.0
  
Actual results:

Cannot open

Expected results:

Should display to users the virtual machine.

Additional info:

Firewalld issue.

Comment 1 Fabian Deutsch 2014-10-08 08:47:23 UTC
Alon, isn't host-deploy or vdsm taking care to open the ports, or is it left to Node to open the relevant ports?

Comment 2 Alon Bar-Lev 2014-10-08 08:51:35 UTC
(In reply to Fabian Deutsch from comment #1)
> Alon, isn't host-deploy or vdsm taking care to open the ports, or is it left
> to Node to open the relevant ports?

yes, host-deploy sets /etc/sysconfig/iptables and persist it, if user did not uncheck the "configure firewall".

firewalld is not used in hypervisor for now.

Comment 3 Fabian Deutsch 2014-10-08 14:10:13 UTC
(In reply to Alon Bar-Lev from comment #2)
> (In reply to Fabian Deutsch from comment #1)
> > Alon, isn't host-deploy or vdsm taking care to open the ports, or is it left
> > to Node to open the relevant ports?
> 
> yes, host-deploy sets /etc/sysconfig/iptables and persist it, if user did
> not uncheck the "configure firewall".
> 
> firewalld is not used in hypervisor for now.

But - is host-deploy or vdsm now also responsible to open the ports on Node - or do you expect Node to do this?

Comment 4 Alon Bar-Lev 2014-10-08 17:00:47 UTC
(In reply to Fabian Deutsch from comment #3)
> (In reply to Alon Bar-Lev from comment #2)
> > (In reply to Fabian Deutsch from comment #1)
> > > Alon, isn't host-deploy or vdsm taking care to open the ports, or is it left
> > > to Node to open the relevant ports?
> > 
> > yes, host-deploy sets /etc/sysconfig/iptables and persist it, if user did
> > not uncheck the "configure firewall".
> > 
> > firewalld is not used in hypervisor for now.
> 
> But - is host-deploy or vdsm now also responsible to open the ports on Node
> - or do you expect Node to do this?

as I wrote, host-deploy is overriding iptables and starts iptables on machine. please confirm iptables contains invalid content post deploy and/or iptables is down and/or firewalld is up.
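
The three conditions named in comment 4 can be checked on a host as in the following added example, which is not part of the original thread and is not host-deploy or ovirt-node code. The function names, the sample rule set and the 5900:6923 console port range are assumptions made for illustration; they do not come from this bug.

```shell
#!/usr/bin/env bash
# Added example: triage of "rules file has invalid content / iptables is down /
# firewalld is up". All names and sample values below are hypothetical.

# Constructed sample in iptables-save format (not taken from the bug).
# 5900:6923 is an assumed console port range.
sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:6923 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# port_allowed PORT < rules
# Exit 0 if an explicit TCP ACCEPT rule in INPUT covers PORT before the first
# unconditional REJECT/DROP; exit 1 otherwise. Chain policy is not considered.
port_allowed() {
  awk -v port="$1" '
    $1 != "-A" || $2 != "INPUT" { next }
    {
      target = ""; spec = ""; tcp = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-j") target = $(i + 1)
        if ($i == "--dport" || $i == "--dports") spec = $(i + 1)
        if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
      }
      # "-A INPUT -j REJECT ..." has no match options: nothing after it is reached
      if ($3 == "-j" && (target == "REJECT" || target == "DROP")) exit
      if (tcp && target == "ACCEPT" && spec != "") {
        n = split(spec, parts, ",")
        for (k = 1; k <= n; k++) {
          m = split(parts[k], r, ":")
          lo = r[1] + 0; hi = (m == 2 ? r[2] : r[1]) + 0
          if (port + 0 >= lo && port + 0 <= hi) { ok = 1; exit }
        }
      }
    }
    END { exit !ok }'
}

# Report which firewall service is running (requires systemd on the host).
firewall_services() {
  for svc in iptables firewalld; do
    printf '%s: %s\n' "$svc" "$(systemctl is-active "$svc" 2>/dev/null || true)"
  done
}
```

On a deployed host, run `firewall_services`, then `port_allowed 5900 < /etc/sysconfig/iptables`; a non-zero status means the persisted rules do not open that port ahead of the catch-all reject.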

Comment 5 Alon Bar-Lev 2014-10-08 18:47:25 UTC
please update bug subject to root cause.

Comment 8 Ying Cui 2014-10-09 11:54:35 UTC
bug 1128033 is verified, we can reproduce this bug now, and qa_ack+

Comment 10 haiyang,dong 2015-01-21 07:38:04 UTC
Test version:
rhev-hypervisor7-7.0-20150119.0.1.iso	
ovirt-node-3.2.1-5.el7.noarch
Red Hat Enterprise Virtualization Manager Version: 3.5.0-0.30.el6ev

Test steps:
1. Create a virtual machine in rhevh with spice protocol
2. Try to open the virtual-machine display via Admin Portal.

Test result:
display to users the virtual machine console success

so this bug has been fixed, changed the status into "VERIFIED".

Comment 12 errata-xmlrpc 2015-02-11 21:02:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0160.html

