Bug 1304445 - hosted-engine --deploy host installation fails when using firewalld
Status: CLOSED DUPLICATE of bug 995362
Product: ovirt-hosted-engine-setup
Classification: oVirt
Component: Network
Version: 1.3.2.3
Hardware: x86_64 Linux
Priority: unspecified
Severity: urgent
Assigned To: Fabian Deutsch
QA Contact: Pavel Stehlik
Keywords: Reopened
Blocks: 1277010
Reported: 2016-02-03 11:06 EST by Charlie Inglese
Modified: 2017-05-11 05:25 EDT
Doc Type: Bug Fix
Clone Of:
: 1304514
Last Closed: 2016-02-03 14:07:18 EST
Type: Bug
oVirt Team: Network
rule-engine: planning_ack?
rule-engine: devel_ack?
rule-engine: testing_ack?


Attachments:
/var/log/vdsm/mom.log (21.40 KB, text/plain), 2016-02-03 11:06 EST, Charlie Inglese
/var/log/vdsm/vdsm.log (11.54 MB, text/plain), 2016-02-03 11:08 EST, Charlie Inglese
ovirt-hosted-engine-setup log (602.50 KB, text/plain), 2016-02-03 11:09 EST, Charlie Inglese
firewall-cmd --list-all (277 bytes, text/plain), 2016-02-03 11:12 EST, Charlie Inglese
iptables -nvL (8.75 KB, text/plain), 2016-02-03 11:12 EST, Charlie Inglese

Description Charlie Inglese 2016-02-03 11:06:32 EST
Created attachment 1120839 [details]
/var/log/vdsm/mom.log

Description of problem:
During initial installation of oVirt Hosted Engine using the appliance and answer file, if firewalld is selected as the OVEHOSTED_NETWORK/firewallManager (e.g. OVEHOSTED_NETWORK/firewallManager=str:firewalld), addition of the initial oVirt host fails.

Version-Release number of selected component (if applicable):
glusterfs-3.7.6-1.el7.x86_64
glusterfs-api-3.7.6-1.el7.x86_64
glusterfs-cli-3.7.6-1.el7.x86_64
glusterfs-client-xlators-3.7.6-1.el7.x86_64
glusterfs-fuse-3.7.6-1.el7.x86_64
glusterfs-geo-replication-3.7.6-1.el7.x86_64
glusterfs-libs-3.7.6-1.el7.x86_64
glusterfs-server-3.7.6-1.el7.x86_64
libgovirt-0.3.3-1.el7.x86_64
ovirt-engine-appliance-3.6-20160126.1.el7.centos.noarch
ovirt-engine-sdk-python-3.6.2.1-1.el7.centos.noarch
ovirt-host-deploy-1.4.1-1.el7.centos.noarch
ovirt-hosted-engine-ha-1.3.3.7-1.el7.centos.noarch
ovirt-hosted-engine-setup-1.3.2.3-1.el7.centos.noarch
ovirt-setup-lib-1.0.1-1.el7.centos.noarch
ovirt-vmconsole-1.0.0-1.el7.centos.noarch
ovirt-vmconsole-host-1.0.0-1.el7.centos.noarch
vdsm-4.17.18-0.el7.centos.noarch
vdsm-cli-4.17.18-0.el7.centos.noarch
vdsm-gluster-4.17.18-0.el7.centos.noarch
vdsm-hook-vmfex-dev-4.17.18-0.el7.centos.noarch
vdsm-infra-4.17.18-0.el7.centos.noarch
vdsm-jsonrpc-4.17.18-0.el7.centos.noarch
vdsm-python-4.17.18-0.el7.centos.noarch
vdsm-xmlrpc-4.17.18-0.el7.centos.noarch
vdsm-yajsonrpc-4.17.18-0.el7.centos.noarch


How reproducible:
Every time

Steps to Reproduce:
1. Install oVirt appliance
2. Using answer file, install oVirt on initial node (e.g. hosted-engine --deploy --config-append=<answerfile>)
3. Within answerfile ensure OVEHOSTED_NETWORK/firewallManager=str:firewalld

Actual results:
1. Host OvirtHost2 installation failed. Host not reachable.

Expected results:
1. oVirt host is added to pool successfully.

Additional info:
SELinux permissive mode
Comment 1 Charlie Inglese 2016-02-03 11:08 EST
Created attachment 1120840 [details]
/var/log/vdsm/vdsm.log
Comment 2 Charlie Inglese 2016-02-03 11:09 EST
Created attachment 1120842 [details]
ovirt-hosted-engine-setup log
Comment 3 Charlie Inglese 2016-02-03 11:12 EST
Created attachment 1120843 [details]
firewall-cmd --list-all
Comment 4 Charlie Inglese 2016-02-03 11:12 EST
Created attachment 1120844 [details]
iptables -nvL
Comment 5 Simone Tiraboschi 2016-02-03 11:54:50 EST
FirewallD is currently not supported on hosts.
Simply use OVEHOSTED_NETWORK/firewallManager=str:iptables
Comment 6 Ramesh N 2016-02-03 12:09:28 EST
(In reply to Simone Tiraboschi from comment #5)
> FirewallD is currently not supported on hosts.
> Simply use OVEHOSTED_NETWORK/firewallManager=str:iptables

Do you mean it's not supported on the vdsm hosts or the hosted_engine VM? If that's the case, then why are we having this option in the hosted-engine script?
Comment 7 Charlie Inglese 2016-02-03 13:23:01 EST
(In reply to Ramesh N from comment #6)
> (In reply to Simone Tiraboschi from comment #5)
> > FirewallD is currently not supported on hosts.
> > Simply use OVEHOSTED_NETWORK/firewallManager=str:iptables
> 
> Do you mean it's not supported on the vdsm hosts or hosted_engine VM? If that's
> the case then why are we having this option in the hosted-engine script?

I concur as well. firewalld is listed as an oVirt installation option and is the default RHEL 7 firewall application (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html). Additionally, the oVirt quick start guide references firewalld as its example (http://www.ovirt.org/Quick_Start_Guide). 

I am reopening this bug, as firewalld is a supported option and should either be fully supported or removed as a valid configuration option.
Comment 8 Simone Tiraboschi 2016-02-03 14:07:18 EST
(In reply to Charlie Inglese from comment #7)
> I am reopening this bug, as firewalld is a supported option and should
> either be fully supported or removed as a valid configuration option.

OVEHOSTED_NETWORK/firewallManager=str:firewalld is not a valid configuration option: hosted-engine-setup is currently not going to propose firewalld to you if used interactively; you are just tweaking the answerfile.
You can also write OVEHOSTED_NETWORK/firewallManager=str:IPFILTER, or whatever you prefer, in that answerfile, but as you can imagine this is not enough to have it working.

*** This bug has been marked as a duplicate of bug 995362 ***
