+++ This bug was initially created as a clone of Bug #1169176 +++ Guides: cs22957, cs22967 By default, access to the internal ISO domain created when you run the engine-setup command is restricted to the machine where the Manager is hosted. This prevents the ISO domain from being mounted on a host in the environment, meaning that even though the ISO domain itself is created correctly, all attempts to attach it to a data center fail. The permissions that users must configure for the ISO domain as part of running the engine-setup command must be clarified. In particular, is there a 'recommended' setting such as restricting access to only the subnet or network where the Manager and hosts are located? This bug affects 41681.
The engine-setup output that deals with the ISO domain also needs to be updated as part of this bug. The warning message was updated in the RHEV docs as part of 3.5 beta--"Local ISO domain ACL - note that the default will restrict access to 0.0.0.0/0.0.0.0 only, for security reasons [0.0.0.0/0.0.0.0(rw)]:"--but the default network was carried over from 3.4. (This probably happened because 0.0.0.0/0.0.0.0 at first appears to be placeholder, stripped of identifying information.) So, the message currently says that access is restricted to the entire network, for security reasons. The intended behaviour is that access is restricted to the Manager machine. All instances of 0.0.0.0/0.0.0.0 must be changed to either 'localhost' or <replaceable>manager-fqdn</replaceable>. In the RHCI docs, the warning message also needs to be added. This affects topic 41681.
Edit: The configuration change described in Comment #1 was only implemented from 3.5. Since RHCI currently uses RHEV 3.4, the change is not yet required. I am testing the implementation of the local ISO domain on 3.4 to confirm that the 3.4 permissions allow the local ISO domain to be attached to a data center. As part of this bug, I will also update the output of engine-setup. This involves simply swapping the 'WebSocket Proxy' and 'ISO domain' steps.
After some research and testing, I have concluded that the ISO domain created in 3.4 is indeed configured with world readable-writable permissions. As such, any host in the environment is able to mount the ISO domain, and it can be attached to a data center. This was verified using nfs-check.py from the host to access the ISO domain. (The ISO domain could not be attached to a data center in my particular testing environment, because my environment does not have a fully qualified domain name. One of the prerequisites for RHEV installation in RHCI is "the fully qualified domain name of the system on which the Manager is to be installed", so this will not be an issue for users.) I am closing this as NOTABUG. We will need to revisit this when RHCI supports RHEV 3.5.