Created attachment 1120839 [details] /var/log/vdsm/mom.log Description of problem: During initial installation of oVirt Hosted Engine using the appliance and answer file, if firewalld is selected as the OVEHOSTED_NETWORK/firewallManager (e.g. OVEHOSTED_NETWORK/firewallManager=str:firewalld), addition of the initial oVirt host fails. Version-Release number of selected component (if applicable): glusterfs-3.7.6-1.el7.x86_64 glusterfs-api-3.7.6-1.el7.x86_64 glusterfs-cli-3.7.6-1.el7.x86_64 glusterfs-client-xlators-3.7.6-1.el7.x86_64 glusterfs-fuse-3.7.6-1.el7.x86_64 glusterfs-geo-replication-3.7.6-1.el7.x86_64 glusterfs-libs-3.7.6-1.el7.x86_64 glusterfs-server-3.7.6-1.el7.x86_64 libgovirt-0.3.3-1.el7.x86_64 ovirt-engine-appliance-3.6-20160126.1.el7.centos.noarch ovirt-engine-sdk-python-3.6.2.1-1.el7.centos.noarch ovirt-host-deploy-1.4.1-1.el7.centos.noarch ovirt-hosted-engine-ha-1.3.3.7-1.el7.centos.noarch ovirt-hosted-engine-setup-1.3.2.3-1.el7.centos.noarch ovirt-setup-lib-1.0.1-1.el7.centos.noarch ovirt-vmconsole-1.0.0-1.el7.centos.noarch ovirt-vmconsole-host-1.0.0-1.el7.centos.noarch vdsm-4.17.18-0.el7.centos.noarch vdsm-cli-4.17.18-0.el7.centos.noarch vdsm-gluster-4.17.18-0.el7.centos.noarch vdsm-hook-vmfex-dev-4.17.18-0.el7.centos.noarch vdsm-infra-4.17.18-0.el7.centos.noarch vdsm-jsonrpc-4.17.18-0.el7.centos.noarch vdsm-python-4.17.18-0.el7.centos.noarch vdsm-xmlrpc-4.17.18-0.el7.centos.noarch vdsm-yajsonrpc-4.17.18-0.el7.centos.noarch How reproducible: Everytime Steps to Reproduce: 1. Install oVirt appliance 2. Using answer file, install oVirt on initial node (e.g. hosted-engine --deploy --config-append=<answerfile>) 3. Within answerfile ensure OVEHOSTED_NETWORK/firewallManager=str:firewalld Actual results: 1. Host OvirtHost2 installation failed. Host not reachable. Expected results: 1. oVirt host is added to pool successfully. Additional info: SELinux permissive mode
Created attachment 1120840 [details] /var/log/vdsm/vdsm.log
Created attachment 1120842 [details] ovirt-hosted-engine-setup log
Created attachment 1120843 [details] firewall-cmd --list-all
Created attachment 1120844 [details] iptables -nvL
FirewallD is currently not supported on hosts. Simply use OVEHOSTED_NETWORK/firewallManager=str:iptables
(In reply to Simone Tiraboschi from comment #5) > FirewallD is currently not supported on hosts. > Simply use OVEHOSTED_NETWORK/firewallManager=str:iptables Do u mean its not supported on the vdsm hosts or hosted_engine VM? If that's the case then why are we having this option in the hosted-engine script?
(In reply to Ramesh N from comment #6) > (In reply to Simone Tiraboschi from comment #5) > > FirewallD is currently not supported on hosts. > > Simply use OVEHOSTED_NETWORK/firewallManager=str:iptables > > Do u mean its not supported on the vdsm hosts or hosted_engine VM? If that's > the case then why are we having this option in the hosted-engine script? I concur as well. firewalld is listed as an oVirt installation option and is the default RHEL 7 firewall application (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html). Additionally, the oVirt quick start guide references firewalld as its example (http://www.ovirt.org/Quick_Start_Guide). I am reopening this bug, as firewalld is a supported option and should either be fully supported or removed as a valid configuration option.
(In reply to Charlie Inglese from comment #7) > I am reopening this bug, as firewalld is a supported option and should > either be fully supported or removed as a valid configuration option. OVEHOSTED_NETWORK/firewallManager=str:firewalld is not a valid configuration option: hosted-engine-setup is currently not going to propose you to use firewalld if used interactively, you are just tweaking the answerfile. You can also write OVEHOSTED_NETWORK/firewallManager=str:IPFILTER, or whatever you prefer, in that answerfile but as you can image this is not enough to have it working. *** This bug has been marked as a duplicate of bug 995362 ***