Description of problem:
Currently you can't install hosted-engine without iptables because of the spec file. There is, however, no real need to require it in the spec file, because the setup explicitly asks the user if he wants to configure the local firewall.

Version-Release number of selected component (if applicable):

How reproducible:
always

Steps to Reproduce:
1. Try to install hosted-engine without iptables
2.
3.

Actual results:
does not work

Expected results:
does work

Additional info:
Created BZ in order to track this as requested by sbonazzo on IRC. I maybe can submit the patch myself later today. This is also a prerequisite in order to use firewalld instead of iptables. Also, there are many enterprise environments where you do not run local firewalls, but hardware network appliances, which do the firewalling.
The change to require it was done in [1]. I don't remember the exact reason anymore, but basically, it was because libvirt stopped requiring iptables-service (actually iptables-ipv6, which provided it), so we did not get it anymore as an indirect vdsm dependency. So when fixing this bug, we have to consider all relevant flows, including setups where iptables is installed but iptables-service isn't.

[1] https://gerrit.ovirt.org/#/q/I12139f9a9f5d4d542e42de00c7a479a2fcc0ccce,n,z
Tested on these components:
ovirt-hosted-engine-setup-2.3.0-0.0.master.20180925121021.git7ceacf4.el7.noarch
ovirt-hosted-engine-ha-2.3.0-0.0.master.20180921140632.20180921140629.gitb3aaef2.el7.noarch

I've removed iptables and then installed ovirt-hosted-engine-setup and saw that iptables-1.4.21-24.1.el7_5.x86_64 got installed on the host as a dependency.

Moving back to assigned.
Appliance was: ovirt-engine-appliance.noarch 4.3-20181014.1.el7
We removed it from ovirt-hosted-engine-setup spec file, the issue is that iptables and iptables-services are required by a lot of other packages including firewalld and libvirtd. See the full tree on https://paste.fedoraproject.org/paste/iav1mfCCskcdJL-ww3F96A
(In reply to Simone Tiraboschi from comment #4)
> We removed it from ovirt-hosted-engine-setup spec file, the issue is that
> iptables and iptables-services are required by a lot of other packages
> including firewalld and libvirtd.
>
> See the full tree on
> https://paste.fedoraproject.org/paste/iav1mfCCskcdJL-ww3F96A

So what should I test here? It looks meaningless to me to test this with the provided reproduction steps.
I think we can just test that ovirt-hosted-engine-setup is not directly requiring iptables and iptables-service but please note that firewalld (and other direct or indirect dependency of ovirt-hosted-engine-setup) still requires them.
(In reply to Simone Tiraboschi from comment #6)
> I think we can just test that ovirt-hosted-engine-setup is not directly
> requiring iptables and iptables-service but please note that firewalld (and
> other direct or indirect dependency of ovirt-hosted-engine-setup) still
> requires them.

Why does ovirt-hosted-engine-setup require firewalld or iptables?
rpm -qaR ovirt-hosted-engine-setup* | grep iptables*
# No dependent iptables by ovirt-hosted-engine-setup-2.3.0-0.0.master.20180925121021.git7ceacf4.el7.noarch or ovirt-hosted-engine-ha-2.3.0-0.0.master.20180921140632.20180921140629.gitb3aaef2.el7.noarch

Moving to verified.
puma18 ~]# yum deplist ovirt-hosted-engine-setup* | grep libvirt*
  dependency: libvirt-client
   provider: libvirt-client.x86_64 3.9.0-14.el7_5.8
   provider: libvirt-client.i686 3.9.0-14.el7_5.8
  dependency: libvirt-daemon-config-network
   provider: libvirt-daemon-config-network.x86_64 3.9.0-14.el7_5.8
puma18 ~]# yum deplist libvirt* | grep iptables*
  dependency: iptables
   provider: iptables-services.x86_64 1.4.21-24.1.el7_5
   provider: iptables.x86_64 1.4.21-24.1.el7_5
   provider: iptables.i686 1.4.21-24.1.el7_5
  dependency: iptables
   provider: iptables-services.x86_64 1.4.21-24.1.el7_5
   provider: iptables.x86_64 1.4.21-24.1.el7_5
   provider: iptables.i686 1.4.21-24.1.el7_5
  dependency: iptables
   provider: iptables-services.x86_64 1.4.21-24.1.el7_5
   provider: iptables.x86_64 1.4.21-24.1.el7_5
   provider: iptables.i686 1.4.21-24.1.el7_5
  dependency: iptables
   provider: iptables-services.x86_64 1.4.21-24.1.el7_5
   provider: iptables.x86_64 1.4.21-24.1.el7_5
   provider: iptables.i686 1.4.21-24.1.el7_5

ovirt-hosted-engine-setup doesn't require iptables directly, hence moved to verified. In case you still think that iptables has to be removed from other components, please open another bug on that matter.
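Added example, not part of the original thread or of oVirt's tooling: piping `yum deplist` through grep drops the `package:` line, so the output shows that something requires iptables but not which package does. The sketch below keeps that context to separate direct from indirect requirers; the sample input is constructed in `yum deplist` layout, and `example-net-daemon` is a hypothetical package name.

```shell
#!/bin/sh
# List the packages that DIRECTLY require a capability, reading
# `yum deplist` output on stdin. Unlike a plain grep, this keeps the
# "package:" line each "dependency:" line belongs to.
direct_requirers() {
    awk -v want="$1" '
        $1 == "package:"                  { pkg = $2 }
        # $2 is the capability name; a version constraint, if any, follows it
        $1 == "dependency:" && $2 == want { seen[pkg] = 1 }
        END { for (p in seen) print p }
    ' | sort
}

# Exit 0 if package $1 directly requires capability $2, else non-zero.
requires_directly() {
    direct_requirers "$2" | grep -qxF "$1"
}

# Constructed sample (not captured from a real host); example-net-daemon
# is a hypothetical package standing in for an indirect dependency.
sample_deplist() {
    cat <<'EOF'
package: ovirt-hosted-engine-setup.noarch 2.3.0-0.0.master.20180925121021.git7ceacf4.el7
  dependency: libvirt-client
   provider: libvirt-client.x86_64 3.9.0-14.el7_5.8
  dependency: libvirt-daemon-config-network
   provider: libvirt-daemon-config-network.x86_64 3.9.0-14.el7_5.8
package: example-net-daemon.x86_64 1.0-1
  dependency: iptables
   provider: iptables-services.x86_64 1.4.21-24.1.el7_5
   provider: iptables.x86_64 1.4.21-24.1.el7_5
  dependency: iptables >= 1.4
   provider: iptables.x86_64 1.4.21-24.1.el7_5
EOF
}

# Stand-alone run: print every package in the sample that names iptables
# as a direct dependency.
sample_deplist | direct_requirers iptables
```

On a real host, feed it live data instead of the sample, for example `yum deplist 'libvirt*' | direct_requirers iptables`.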
This bugzilla is included in oVirt 4.2.7 release, published on November 2nd 2018. Since the problem described in this bug report should be resolved in oVirt 4.2.7 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.
Closed by mistake, moving back to qa -> verified
This bugzilla is included in oVirt 4.3.0 release, published on February 4th 2019. Since the problem described in this bug report should be resolved in oVirt 4.3.0 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.