Bug 1281417 - vdsm host can not be added with firewalld enabled
vdsm host can not be added with firewalld enabled
Status: CLOSED NOTABUG
Product: vdsm
Classification: oVirt
Component: Core
4.17.10
Assigned To: Dan Kenigsberg
Aharon Canan
Reported: 2015-11-12 08:42 EST by Fabian Deutsch
Modified: 2015-11-13 10:16 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-13 10:16:59 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Log from the failed attempt (290.15 KB, text/plain)
2015-11-13 09:44 EST, Fabian Deutsch
firewalld and iptables status before/during host addition (3.02 KB, text/plain)
2015-11-13 10:00 EST, Fabian Deutsch
Log from another failed attempt (288.96 KB, text/plain)
2015-11-13 10:02 EST, Fabian Deutsch

Description Fabian Deutsch 2015-11-12 08:42:00 EST
Description of problem:
I can not add a freshly installed centos7 host with a (by default) enabled firewalld.

Version-Release number of selected component (if applicable):
vdsm-4.17.10.1-0.el7.centos.noarch
centos-release-7-1.1503.el7.centos.2.8.x86_64

How reproducible:
Always 

Steps to Reproduce:
1. Install host with centos 7
2. Install vdsm on host and ovirt-host-deploy-offline
3. Add host to engine from Engine side

Actual results:
Host does not come up

Expected results:
Host comes up

Additional info:
vdsm is starting on the host, but the firewall prevents communication
Stopping firewalld solves the issue
Comment 1 Fabian Deutsch 2015-11-12 08:54:24 EST
Alon, so should this bug rather be on host-deploy?
Comment 2 Alon Bar-Lev 2015-11-12 09:06:44 EST
I do not understand why you install anything on the host while host-deploy is doing this for you.
Comment 3 Fabian Deutsch 2015-11-12 09:16:19 EST
I'm using host-deploy-offline, and in that case I need to have vdsm pre-installed - as you know.
Comment 4 Alon Bar-Lev 2015-11-12 09:44:24 EST
(In reply to Fabian Deutsch from comment #3)
> I'm using host-deploy-offline, and in that case I need to have vdsm
> pre-installed - as you know.

if this is a node and you configure host-deploy not to enforce the firewall, you should take care of the firewall yourself.
Comment 5 Fabian Deutsch 2015-11-12 09:50:17 EST
This actually comes up in next-gen Node work.

Because host-deploy is taking care of it, host-deploy-offline should take care of it in the offline case.
Comment 6 Fabian Deutsch 2015-11-12 09:51:10 EST
Would it be possible to run all of host-deploy's plugins at install time in the offline case?
Comment 7 Alon Bar-Lev 2015-11-12 09:54:31 EST
(In reply to Fabian Deutsch from comment #6)
> Would it be possible to run all of host-deploy's plugins at install time in
> the offline case?

so this is something new; stop opening bugs and start opening RFEs, or perform a proper design process.

legacy node had set its firewall settings correctly out of the box; the engine hardcoded disabled firewall enforcement if the target is a node.

you can either keep this behaviour, identify as standard host or define a new type of host and modify engine and host-deploy behaviour to handle this new type of host.
Comment 8 Fabian Deutsch 2015-11-12 09:59:14 EST
(In reply to Alon Bar-Lev from comment #7)
> (In reply to Fabian Deutsch from comment #6)
> > Would it be possible to run all of host-deploy's plugins at install time in
> > the offline case?
> 
> so this is something new, stop open bugs and start open rfes, or perform
> proper design process.
> 
> legacy node had set its firewall settings correctly out of the box,

Which has always been a problem.

> engine
> hardcoded disabled firewall enforcement if target is node.

Can you point me to that code? I can not find any host- and firewalld-specific code in host-deploy.

> you can either keep this behaviour, identify as standard host or define a
> new type of host and modify engine and host-deploy behaviour to handle this
> new type of host.

That is what I am aiming at.
Comment 9 Alon Bar-Lev 2015-11-12 10:03:42 EST
(In reply to Fabian Deutsch from comment #8)
> (In reply to Alon Bar-Lev from comment #7)
> > (In reply to Fabian Deutsch from comment #6)
> > > Would it be possible to run all of host-deploy's plugins at install time in
> > > the offline case?
> > 
> > so this is something new, stop open bugs and start open rfes, or perform
> > proper design process.
> > 
> > legacy node had set its firewall settings correctly out of the box,
> 
> Which has always been a problem.

I am unsure why; if you have a pre-defined environment there should be no change in firewall settings either.

> 
> > engine
> > hardcoded disabled firewall enforcement if target is node.
> 
> Can you point me to that code? I can not find any host and firewalld
> specific code in host-deploy

InstallVdsInternalCommand

            if (parameters.getOverrideFirewall()) {
                switch (getVds().getVdsType()) {
                    case VDS:
                        // plain host: let host-deploy write the iptables rules
                        deploy.addUnit(new VdsDeployIptablesUnit());
                        break;
                    case oVirtNode:
                        // node: firewall override is not supported, only logged
                        log.warn(
                            "Installation of Host {} will ignore Firewall Override option, since it is not supported for Host type {}",
                            getVds().getName(),
                            getVds().getVdsType().name()
                        );
                        break;
                }
            }

> > you can either keep this behaviour, identify as standard host or define a
> > new type of host and modify engine and host-deploy behaviour to handle this
> > new type of host.
> 
> That is what I am aiming at.

"That" has three options.
Comment 10 Fabian Deutsch 2015-11-13 09:44 EST
Created attachment 1093690 [details]
Log from the failed attempt

Some summary: When I first add the host, then firewalld does not get disabled (see the logs). On the second try however, firewalld is getting disabled and everything is well.
Comment 11 Fabian Deutsch 2015-11-13 09:44:54 EST
Let me note: This is all happening on a plain and fresh centos7 host (I even dropped ovirt-host-deploy-offline)
Comment 12 Alon Bar-Lev 2015-11-13 09:47:03 EST
(In reply to Fabian Deutsch from comment #10)
> Created attachment 1093690 [details]
> Log from the failed attempt
> 
> Some summary: When I first add the host, then firewalld does not get
> disabled (see the lgos). On the second try however, firewalld is getting
> disabled and everything is well.

2015-11-13 14:36:18 DEBUG otopi.context context.dumpEnvironment:510 ENV NETWORK/iptablesEnable=bool:'False'
2015-11-13 14:36:18 DEBUG otopi.context context.dumpEnvironment:510 ENV NETWORK/iptablesRules=NoneType:'None'

iptables/firewall was not enabled; ovirt-host-deploy did not touch any setting.
Comment 13 Fabian Deutsch 2015-11-13 09:51:20 EST
Hm. I actually saw that firewalld.service was running on that host. Let me try to gather more logs.
Comment 14 Alon Bar-Lev 2015-11-13 09:58:49 EST
(In reply to Fabian Deutsch from comment #13)
> Hm. I actually saw that firewalld.service was running on that host. Let me
> try to gather more logs.

enforcing the firewall setting is done at the engine side while adding a host.
Comment 15 Fabian Deutsch 2015-11-13 10:00 EST
Created attachment 1093692 [details]
firewalld and iptables status before/during host addition

This attachment shows that firewalld was running and an iptables service is not there.
Comment 16 Fabian Deutsch 2015-11-13 10:02 EST
Created attachment 1093694 [details]
Log from another failed attempt

From this attachment:

2015-11-13 14:53:42 DEBUG otopi.context context.dumpEnvironment:500 ENVIRONMENT DUMP - BEGIN
2015-11-13 14:53:42 DEBUG otopi.context context.dumpEnvironment:510 ENV NETWORK/firewalldAvailable=bool:'False'
2015-11-13 14:53:42 DEBUG otopi.context context.dumpEnvironment:510 ENV NETWORK/firewalldDisableServices=list:'[]'
2015-11-13 14:53:42 DEBUG otopi.context context.dumpEnvironment:510 ENV NETWORK/firewalldEnable=bool:'False'
2015-11-13 14:53:42 DEBUG otopi.context context.dumpEnvironment:514 ENVIRONMENT DUMP - END

from the host side logs I see:

[root@test_tier_1_integrationsanity-node-ci ~]# service firewalld status
Redirecting to /bin/systemctl status  firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Fr 2015-11-13 14:52:51 UTC; 2min 59s ago
 Main PID: 508 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─508 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Nov 13 14:52:51 test_tier_1_integrationsanity-node-ci.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 13 14:52:51 test_tier_1_integrationsanity-node-ci.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.


Which essentially shows that firewalld was started before the host was added but in the engine logs firewalld appears as not running IIUIC.
Comment 17 Fabian Deutsch 2015-11-13 10:16:48 EST
After discussion on IRC: I am using "ovirt-shell add host" to add a host.
This command does _not_ include the firewall configuration - and that is why firewalld is not disabled in that flow.
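As an added example (not part of this bug or of ovirt-host-deploy), the following Python parses the otopi environment-dump lines quoted in comments 12 and 16 and correlates them with the host's `systemctl status firewalld` output, so a deployment that ran with firewall enforcement off, like the ovirt-shell flow described in comment 17, can be recognised from the two artefacts alone. The sample log and status text are constructed from the lines quoted in this bug; the result labels are this example's own.

```python
import re

# Constructed sample in the shape of the otopi environment dump quoted in
# comments 12 and 16 (values as seen in the failing flow).
SAMPLE_DEPLOY_LOG = """\
2015-11-13 14:53:42 DEBUG otopi.context context.dumpEnvironment:510 ENV NETWORK/firewalldAvailable=bool:'False'
2015-11-13 14:53:42 DEBUG otopi.context context.dumpEnvironment:510 ENV NETWORK/firewalldDisableServices=list:'[]'
2015-11-13 14:53:42 DEBUG otopi.context context.dumpEnvironment:510 ENV NETWORK/firewalldEnable=bool:'False'
2015-11-13 14:53:42 DEBUG otopi.context context.dumpEnvironment:510 ENV NETWORK/iptablesEnable=bool:'False'
2015-11-13 14:53:42 DEBUG otopi.context context.dumpEnvironment:514 ENVIRONMENT DUMP - END
"""

# Constructed sample of the host-side `systemctl status firewalld` output.
SAMPLE_FIREWALLD_STATUS = """\
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Fr 2015-11-13 14:52:51 UTC; 2min 59s ago
"""

# otopi renders each setting as  ENV <KEY>=<python type>:'<repr of value>'
ENV_LINE = re.compile(r"\bENV (?P<key>[A-Za-z0-9_/]+)=(?P<type>\w+):'(?P<raw>.*)'$")

def _coerce(type_name, raw):
    # Map otopi's type:'repr' rendering back to a Python value.
    if type_name == "bool":
        return raw == "True"
    if type_name == "NoneType":
        return None
    if type_name == "list":  # sufficient for the flat lists otopi dumps
        return [i.strip(" '\"") for i in raw.strip("[]").split(",") if i.strip()]
    return raw  # str and anything else stay as text

def parse_env_dump(log_text):
    """Collect the ENV key/value pairs from a host-deploy log excerpt."""
    env = {}
    for line in log_text.splitlines():
        m = ENV_LINE.search(line)
        if m:
            env[m.group("key")] = _coerce(m.group("type"), m.group("raw"))
    return env

def firewalld_is_active(status_text):
    return any(l.strip().startswith("Active: active") for l in status_text.splitlines())

def diagnose(env, status_text):
    """Classify an unreachable host from the deploy log and firewalld status."""
    enforced = bool(env.get("NETWORK/firewalldEnable") or env.get("NETWORK/iptablesEnable"))
    if firewalld_is_active(status_text) and not enforced:
        return "firewall-not-managed"   # firewalld up, deploy was told to leave it alone
    if enforced:
        return "firewall-managed"       # host-deploy wrote rules; inspect those instead
    return "no-firewall"
```

Run `diagnose(parse_env_dump(SAMPLE_DEPLOY_LOG), SAMPLE_FIREWALLD_STATUS)` to classify the constructed case; the same functions can be fed a real host-deploy log and status output.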
