Bug 1255425 - Automatically configured firewall denies access of VMs to network
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-hosted-engine-setup
Version: 3.5.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.6.0
Assigned To: Sandro Bonazzola
QA Contact: Artyom
Whiteboard: integration
Keywords: Regression, Unconfirmed
Reported: 2015-08-20 10:29 EDT by movciari
Modified: 2017-02-08 06:43 EST
CC: 8 users

Doc Type: Bug Fix
Last Closed: 2015-09-08 07:12:50 EDT
Type: Bug
oVirt Team: Integration
stirabos: needinfo-
Description movciari 2015-08-20 10:29:40 EDT
Description of problem:
On a new hosted-engine environment with the firewall automatically configured by the hosted-engine setup script, VMs don't have network access.
Network works correctly on the hosted-engine VM and the hosts have access to the network, but the default auto-generated iptables rules on the hosted-engine hosts denied network access for any new VM I created in webadmin.

Version-Release number of selected component (if applicable):
ovirt-hosted-engine-setup-1.2.5.2-1.el7ev.noarch

How reproducible:
always

Steps to Reproduce:
1. Install hosted-engine on RHEL 7.2 and let the setup script configure the firewall automatically
2. Create a new VM and try to install it from PXE, or do anything else that requires network access

Actual results:
VM can't access network

Expected results:
VM should be able to access network

Additional info:
iptables -F solved the problem, so I'm sure it's a bad iptables configuration.
Comment 1 Simone Tiraboschi 2015-08-28 09:21:41 EDT
I wasn't able to reproduce with hosted-engine from oVirt 3.6 Third Beta.

On my host I got this iptables configuration:
[root@c7120150824he35u36 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:54321
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sunrpc
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sunrpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:snmp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:16514
ACCEPT     tcp  --  anywhere             anywhere             multiport dports rfb:6923
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 49152:49216
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             PHYSDEV match ! --physdev-is-bridged reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@c7120150824he35u36 ~]# 

Could you please attach the problematic one?
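A small shell check, added here and not part of the bug report or of ovirt-hosted-engine-setup, that reads `iptables -S FORWARD` output and flags any REJECT/DROP in the FORWARD chain that lacks the `! --physdev-is-bridged` exception seen in the working ruleset above; the sample rule sets are constructed. It localizes the kind of problem the reporter worked around with `iptables -F`, without discarding the rest of the host's rules.

```sh
#!/bin/sh
# Added diagnostic (not from the bug report or from ovirt-hosted-engine-setup).
# Reads "iptables -S FORWARD" output on stdin and reports whether bridged VM
# traffic could be caught by a REJECT/DROP in the FORWARD chain.
#
# The working host in Comment 1 rejects forwarded traffic only when the packet
# is NOT bridged ("-m physdev ! --physdev-is-bridged"), so frames between a VM
# and the host bridge pass.  A REJECT/DROP without that exception, or a
# DROP/REJECT chain policy, would hit every VM on the bridge: the symptom in
# the report.  Prints "OK" (exit 0) or one "BLOCKED: ..." line per offender (exit 1).
check_forward_rules() {
  awk '
    /^-P FORWARD/ { policy = $3; next }          # chain policy, e.g. ACCEPT
    /^-A FORWARD/ {
      if ($0 ~ /-j (REJECT|DROP)/) {
        if ($0 ~ /! --physdev-is-bridged/) next  # bridged VM frames are exempt
        print "BLOCKED: " $0                     # would reject bridged VM traffic
        bad = 1
      }
    }
    END {
      if (policy == "DROP" || policy == "REJECT") {
        print "BLOCKED: policy " policy
        bad = 1
      }
      if (!bad) print "OK"
      exit bad + 0
    }'
}

# Constructed samples: the FORWARD rules from Comment 1, and a variant that
# drops the physdev exception and therefore rejects VM traffic on the bridge.
RULES_OK='-P FORWARD ACCEPT
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited'

RULES_BAD='-P FORWARD ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

printf '%s\n' "$RULES_OK"  | check_forward_rules
printf '%s\n' "$RULES_BAD" | check_forward_rules || echo "(exit status $?)"
# On a real host: iptables -S FORWARD | check_forward_rules
```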
Comment 2 Sandro Bonazzola 2015-09-04 10:47:38 EDT
Reducing severity and priority since we can't reproduce.
movciari, please provide the needed info in order to reproduce.
Comment 3 Ilanit Stein 2015-09-08 02:55:45 EDT
Put qe_test_coverage since this bug flow is normally tested in the RHEV QE automation env.

Tested by alukiano, and didn't have such a problem, on the latest HE build for 3.6,
on August 30, 2015.
Comment 4 Yaniv Lavi 2015-09-08 07:12:50 EDT
Michal, please reopen if you provide the needed info.