Bug 1169178 - [RHCI] [Install] The permissions required for the internal ISO domain must be clarified
Status: CLOSED NOTABUG
Alias: None
Deadline: 2014-12-18
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: Documentation
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
Assignee: Lucy Bopf
QA Contact: Andrew Dahms
Depends On: 1021182 1169176
Blocks: 1174605
Reported: 2014-12-01 00:20 UTC by Andrew Dahms
Modified: 2014-12-16 06:49 UTC

Doc Type: Bug Fix
Clone Of: 1169176
Last Closed: 2014-12-16 06:49:59 UTC

Description Andrew Dahms 2014-12-01 00:20:52 UTC
+++ This bug was initially created as a clone of Bug #1169176 +++

Guides: cs22957, cs22967

By default, access to the internal ISO domain created when you run the engine-setup command is restricted to the machine where the Manager is hosted. This prevents the ISO domain from being mounted on a host in the environment, meaning that even though the ISO domain itself is created correctly, all attempts to attach it to a data center fail.

The permissions that users must configure for the ISO domain as part of running the engine-setup command must be clarified. In particular, is there a 'recommended' setting such as restricting access to only the subnet or network where the Manager and hosts are located?

This bug affects 41681.

Comment 1 Lucy Bopf 2014-12-09 07:11:58 UTC
The engine-setup output that deals with the ISO domain also needs to be updated as part of this bug.

The warning message was updated in the RHEV docs as part of 3.5 beta--"Local ISO domain ACL - note that the default will restrict access to 0.0.0.0/0.0.0.0 only, for security reasons [0.0.0.0/0.0.0.0(rw)]:"--but the default network was carried over from 3.4. (This probably happened because 0.0.0.0/0.0.0.0 at first appears to be a placeholder, stripped of identifying information.) So, the message currently says that access is restricted to the entire network, for security reasons. The intended behaviour is that access is restricted to the Manager machine. All instances of 0.0.0.0/0.0.0.0 must be changed to either 'localhost' or <replaceable>manager-fqdn</replaceable>. In the RHCI docs, the warning message also needs to be added.

This affects topic 41681.
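
The ACL value discussed in Comment 1, `0.0.0.0/0.0.0.0(rw)`, matches every client rather than restricting access. The following is an added example, not part of the bug report or of engine-setup: a small audit that classifies the client field of NFS export lines and flags world-writable entries. The export path, host name, subnet and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines in /etc/exports syntax; path and hosts are placeholders.
SAMPLE_EXPORTS = """\
/srv/iso-domain 0.0.0.0/0.0.0.0(rw)
/srv/iso-domain 192.0.2.0/24(rw)
/srv/iso-domain manager.example.com(rw)
/srv/iso-domain *(ro)
"""

# client(options); either part may be absent
CLIENT_RE = re.compile(r"^(?P<client>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")

def client_scope(client):
    """Classify an exports client field as 'world', 'network' or 'host'."""
    if client in ("", "*"):
        return "world"          # no client or bare wildcard: everyone
    if client.startswith("@") or any(c in client for c in "*?["):
        return "network"        # netgroup or hostname wildcard
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return "host"           # plain hostname or FQDN
    if net.prefixlen == 0:
        return "world"          # 0.0.0.0/0 and 0.0.0.0/0.0.0.0 match any address
    return "host" if net.num_addresses == 1 else "network"

def audit_exports(text):
    """Return (path, client, scope, writable) for every client on every line."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if not m:
                continue
            opts = (m.group("opts") or "").split(",")
            findings.append((path, m.group("client"),
                             client_scope(m.group("client")), "rw" in opts))
    return findings

def world_writable(text):
    """Entries that any client can mount read-write."""
    return [f for f in audit_exports(text) if f[2] == "world" and f[3]]
```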

Comment 2 Lucy Bopf 2014-12-16 05:14:33 UTC
Edit: The configuration change described in Comment #1 was only implemented from 3.5. Since RHCI currently uses RHEV 3.4, the change is not yet required. I am testing the implementation of the local ISO domain on 3.4 to confirm that the 3.4 permissions allow the local ISO domain to be attached to a data center.

As part of this bug, I will also update the output of engine-setup. This involves simply swapping the 'WebSocket Proxy' and 'ISO domain' steps.

Comment 3 Lucy Bopf 2014-12-16 06:49:59 UTC
After some research and testing, I have concluded that the ISO domain created in 3.4 is indeed configured with world readable-writable permissions. As such, any host in the environment is able to mount the ISO domain, and it can be attached to a data center. This was verified using nfs-check.py from the host to access the ISO domain. (The ISO domain could not be attached to a data center in my particular testing environment, because my environment does not have a fully qualified domain name. One of the prerequisites for RHEV installation in RHCI is "the fully qualified domain name of the system on which the Manager is to be installed", so this will not be an issue for users.)

I am closing this as NOTABUG. We will need to revisit this when RHCI supports RHEV 3.5.

