+++ This bug was initially created as a clone of Bug #1323201 +++

Description of problem:

After restoring backup of 3.6 engine from EL6 on cleanly installed EL7 with 3.6 engine rpms, engine-setup fails with error:

Failed to execute stage 'Setup validation': Firewall manager iptables is not available

(This issue appears only on restore and subsequent engine-setup on clean EL7, as I did not have this issue while doing in-place migration via redhat-upgrade-tool.)

/sbin/iptables is of course available.

Version-Release number of selected component (if applicable):
ovirt-engine-setup-base-3.6.4.1-1.el7.centos.noarch

How reproducible:
100%

Steps to Reproduce:
1. install 3.6 engine on EL6
2. engine-backup to backup everything
3. yum install ovirt-engine
4. engine-backup to restore everything
5. engine-setup

Actual results:
Failed to execute stage 'Setup validation': Firewall manager iptables is not available

Expected results:
should work

Additional info:
modifying 'OVESETUP_CONFIG/firewallManager' to 'none:None' and accepting 'firewalld' as value for this question in next engine-setup run, makes the setup procedure pass this step.

--- Additional comment from Yedidyah Bar David on 2016-04-07 10:55:36 EDT ---

Workaround:

Before engine-setup:

yum install iptables-services
systemctl stop firewalld
systemctl disable firewalld
systemctl start iptables
systemctl enable iptables

Or (that's not officially supported currently, see also bug 1097857 comment 1 and the very long discussion on the patch for it https://gerrit.ovirt.org/20737):

engine-setup --offline --otopi-environment='OVESETUP_CONFIG/firewallManager=str:firewalld'

For a solution, perhaps one of:
1. Require iptables-services (not sure we want that, but it's easiest)
2. Do nothing, only document that for migration.
3. Do something in 'engine-backup --mode=restore' - either just a note, or also install the package (I don't like this one)

Sandro - what do you think?

--- Additional comment from Yedidyah Bar David on 2016-04-11 02:29:14 EDT ---

Thinking about this again, perhaps:

If selected firewall manager is 'iptables', add 'iptables-services' to PACKAGES_UPGRADE_LIST .

This should work equally well for:
1. Normal setup with an answer file choosing iptables
2. Restore from a backup which had iptables

Also need to check and fix as needed what happens if firewalld was already enabled/started - IIRC I noticed that it's now different from what it was when we developed this functionality (around fedora 18 or so), where starting one of iptables/firewalld stopped the other.

--- Additional comment from Yedidyah Bar David on 2016-04-12 09:54:18 EDT ---

Eventually decided to not install iptables-services, just notify the user if iptables service is missing.

--- Additional comment from Jiri Belka on 2016-04-25 12:32:15 EDT ---

Can this be merge to 3.6 ? Otherwise migration from 3.6 EL6 to 3.6 EL7 does fail.

--- Additional comment from Yedidyah Bar David on 2016-05-01 02:44:34 EDT ---

(In reply to Jiri Belka from comment #5)
> Can this be merge to 3.6 ? Otherwise migration from 3.6 EL6 to 3.6 EL7 does
> fail.

It's a simple cherry-pick, no objection from my side. Not sure it's that important though - it affects upstream for a long time now, as we shipped there an engine for both el6 and el7 already in 3.5. I never heard a request for such a migration, and expect almost all people will migrate only when required (in 4.0), and the few that did care, handled this manually somehow (by installing iptables-service, saying 'no' to 'configure firewall?', whatever).