Guide: cs22766 By default, access to the internal ISO domain created when you run the engine-setup command is restricted to the machine where the Manager is hosted. This prevents the ISO domain from being mounted on a host in the environment, meaning that even though the ISO domain itself is created correctly, all attempts to attach it to a data center fail. The permissions that users must configure for the ISO domain as part of running the engine-setup command must be clarified. In particular, is there a 'recommended' setting such as restricting access to only the subnet or network where the Manager and hosts are located? This bug affects 22200.
The engine-setup output that deals with the ISO domain also needs to be updated as part of this bug. The warning message was updated in the docs as part of 3.5 beta--"Local ISO domain ACL - note that the default will restrict access to 0.0.0.0/0.0.0.0 only, for security reasons [0.0.0.0/0.0.0.0(rw)]:"--but the default network was carried over from 3.4. (This probably happened because 0.0.0.0/0.0.0.0 at first appears to be placeholder, stripped of identifying information.) So, the message currently says that access is restricted to the entire network, for security reasons. The intended behaviour is that access is restricted to the Manager machine. All instances of 0.0.0.0/0.0.0.0 must be changed to either 'localhost' or <replaceable>manager-fqdn</replaceable>. This affects topics 22200 and 8653.
Discussion with developers on bug 1021182 suggests that users should be told to allocate permissions to only the hosts/networks that require access to the ISO domain. This can be done during engine-setup, or updated later through the '/etc/exports' file. This bug includes the following tasks: 1. Update the engine-setup output to make clear the change from world read-write to localhost only. (Topics 22200 and 8653) Add a line to Step 8. of topic 22200 telling users to specify the relevant hosts/networks that require access (if they know those details at the time). 2. Add a list item in the 'Prerequisites' section of topic 8653 explaining the default ISO settings, and the need for users to alter them. 3. Add a topic called something like 'Changing the Permissions for the Local ISO Domain'. The most logical place for this topic to go is before 'Attaching an Existing ISO domain to a Data Center' (7339) in the Administration Guide; however, I am inclined to think that attaching the local ISO domain is an installation task, and, as such, I may take the content from topic 7339 and rework it into a more specific topic for the Installation Guide.
Checked in Red_Hat_Enterprise_Virtualization-Installation_Guide-3.5-web-en-US-3.5-45.el6eng. Moving to VERIFIED.