Description of problem:
iptables is getting many copies of the same rule in the file:

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321

Version-Release number of selected component (if applicable):
Red Hat Enterprise Virtualization Hypervisor 6.6 (20150128.0.el6ev)
redhat-release-server-6Server-6.6.0.3.el6_6.x86_64
vdsm-4.14.18-6.el6ev.x86_64
iptables-1.4.7-14.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install RHEV-H 6.6 (20150128.0.el6ev)
2. Reboot the host
3. Every reboot appends to /etc/sysconfig/iptables

Actual results:
There is an append of the rule in iptables.

Expected results:
There should not be any change in firewall rules while rebooting the host.

Additional info:
On all hypervisors, the customer is getting this rule from 16 to 47 times on the INPUT chain.

Not sure, but it could be that the patch below caused every reboot to append the vdsm rule in iptables.

# cat /etc/ovirt-plugins.d/vdsm-plugin.firewall
#ports and protocols that vdsm needs opened
54321,tcp

Patch which may have caused this:
https://gerrit.ovirt.org/#/c/17843/
https://gerrit.ovirt.org/#/c/17843/2/src/ovirt/node/utils/firewall.py

Someone needs to check & confirm the findings.
Reopening this bug according to comment 8.
Ulhas, can you please provide the file /config/files? Maybe the iptables config got persisted, which could cause this behavior.
This is an automated message.
oVirt 3.6.0 RC3 has been released and GA is targeted to next week, Nov 4th 2015.
Please review this bug and if not a blocker, please postpone to a later release.
All bugs not postponed on GA release will be automatically re-targeted to
- 3.6.1 if severity >= high
- 4.0 if severity < high
Fabian, see my comment 7: this bug only existed in RHEV-H 6 and does not impact RHEV-H 7, so if you plan to get this fix verified, we need a RHEV-H 6 build for 3.5.z, and the flag needs 3.5.z only.
Followed the steps in the bug description to verify this bug on these versions:

# rpm -qa ovirt-node
ovirt-node-3.2.3-30.el6.noarch
# cat /etc/redhat-release
Red Hat Enterprise Virtualization Hypervisor release 6.7 (20151218.1.el6ev)

Test steps:
1. Installed RHEV-H 6.7
2. Check
# iptables --list | grep 54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321
3. Reboot the rhevh host
4. Check
# iptables --list | grep 54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321
5. Reboot the rhevh host
6. Check
# iptables --list | grep 54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321

Result:
The vdsm rule was not appended to iptables after each RHEV-H reboot.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0031.html
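An added example, not oVirt Node code and not taken from the linked patch: one way to audit a rules file in iptables-save format for the duplicated rule described in this report, together with an append that leaves the file unchanged when the rule is already present. The sample rules text, the function names and the second port (16514) are constructed for illustration.

```python
from collections import Counter

# Constructed sample in iptables-save format, modelled on the duplicated
# vdsm rule from the report (not a capture from a real host).
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 54321 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54321 -j ACCEPT
-A INPUT  -p tcp -m tcp --dport 54321 -j ACCEPT
COMMIT
"""

def _key(table, line):
    # Normalise whitespace so cosmetic differences do not hide a duplicate.
    return (table, " ".join(line.split()))

def find_duplicates(text):
    """Return {(table, rule): count} for rules that appear more than once."""
    counts, table = Counter(), None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("*"):
            table = s[1:]
        elif s.startswith("-A "):
            counts[_key(table, s)] += 1
    return {k: n for k, n in counts.items() if n > 1}

def ensure_rule(text, rule, table="filter"):
    """Idempotent append: insert rule before the table's COMMIT only if the
    table does not already contain it, so repeated runs change nothing."""
    out, current, present = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("*"):
            current, present = s[1:], False
        elif s.startswith("-A ") and _key(current, s) == _key(table, rule):
            present = True
        elif s == "COMMIT" and current == table and not present:
            out.append(rule)
        out.append(line)
    return "\n".join(out) + "\n"
```

On a host, the text passed in would be the contents of /etc/sysconfig/iptables; a non-empty result from find_duplicates after a reboot indicates the behaviour reported here.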