Bug 1332088 - [3.6.6 clone][migration 3.6 el6 - 3.6 el7] Failed to execute stage 'Setup validation': Firewall manager iptables is not available
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Setup.EngineCommon
Version: 3.6.5
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: ovirt-3.6.6
: 3.6.6.1
Assignee: Yedidyah Bar David
QA Contact: Jiri Belka
URL:
Whiteboard:
Depends On: 1323201
Blocks: 1318580 1332463
 
Reported: 2016-05-02 08:05 UTC by Sandro Bonazzola
Modified: 2017-05-11 09:25 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: When running engine-setup, as part of migration from el6 to el7, if the backed up engine was configured to automatically configure iptables, and the package 'iptables-services' was not installed on the target el7 machine, and the user accepted the choice to automatically configure the firewall, engine-setup failed.

Consequence: It was not possible to finish the migration process without some manual action.

Fix: engine-setup was changed to not fail in this case. Instead:
1. If the package iptables-services is installed prior to running engine-setup, it will work as expected.
2. If iptables-services is not installed, a warning will be issued.
3. If only firewalld is installed and active (up), it will be selected automatically.
4. If firewalld is installed but not active, the user will be prompted to choose it.

The user will be prompted, and have to type in an answer, even if firewalld is the only option, to help prevent breaking non-standard/manual/etc iptables/firewall setups. All of the above applies, as before, only if the user accepts to automatically configure the firewall.

Result: engine-setup, and the migration process, finish successfully, with a firewall manager configured, if possible and selected.
Clone Of: 1323201
Environment:
Last Closed: 2016-05-30 10:52:24 UTC
oVirt Team: Integration
Embargoed:
rule-engine: ovirt-3.6.z+
ylavi: planning_ack+
sbonazzo: devel_ack+
pnovotny: testing_ack+




Links
System | ID | Private | Priority | Status | Summary | Last Updated
oVirt gerrit | 56020 | 0 | None | None | None | 2016-05-02 08:05:34 UTC
oVirt gerrit | 56021 | 0 | None | None | None | 2016-05-02 08:05:34 UTC
oVirt gerrit | 56963 | 0 | ovirt-engine-3.6 | MERGED | packaging: setup: Reset firewall manager if not available | 2016-05-03 12:20:51 UTC
oVirt gerrit | 56968 | 0 | ovirt-engine-3.6.6 | MERGED | packaging: setup: Reset firewall manager if not available | 2016-05-03 14:00:07 UTC

Description Sandro Bonazzola 2016-05-02 08:05:35 UTC
+++ This bug was initially created as a clone of Bug #1323201 +++

Description of problem:

After restoring backup of 3.6 engine from EL6 on cleanly installed EL7 with 3.6 engine rpms, engine-setup fails with error:

Failed to execute stage 'Setup validation': Firewall manager iptables is not available

(This issue appears only on restore and subsequent engine-setup on clean EL7, as I did not have this issue while doing in-place migration via redhat-upgrade-tool.)

/sbin/iptables is of course available.

Version-Release number of selected component (if applicable):
ovirt-engine-setup-base-3.6.4.1-1.el7.centos.noarch

How reproducible:
100%

Steps to Reproduce:
1. install 3.6 engine on EL6
2. engine-backup to backup everything
3. yum install ovirt-engine
4. engine-backup to restore everything
5. engine-setup

Actual results:
Failed to execute stage 'Setup validation': Firewall manager iptables is not available

Expected results:
should work

Additional info:
Modifying 'OVESETUP_CONFIG/firewallManager' to 'none:None' and accepting 'firewalld' as the value for this question in the next engine-setup run makes the setup procedure pass this step.

--- Additional comment from Yedidyah Bar David on 2016-04-07 10:55:36 EDT ---

Workaround:

Before engine-setup:

yum install iptables-services
systemctl stop firewalld
systemctl disable firewalld
systemctl start iptables
systemctl enable iptables

Or (that's not officially supported currently, see also bug 1097857 comment 1 and the very long discussion on the patch for it https://gerrit.ovirt.org/20737):

engine-setup --offline --otopi-environment='OVESETUP_CONFIG/firewallManager=str:firewalld'

For a solution, perhaps one of:
1. Require iptables-services (not sure we want that, but it's easiest)
2. Do nothing, only document that for migration.
3. Do something in 'engine-backup --mode=restore' - either just a note, or also install the package (I don't like this one)

Sandro - what do you think?

--- Additional comment from Yedidyah Bar David on 2016-04-11 02:29:14 EDT ---

Thinking about this again, perhaps:

If selected firewall manager is 'iptables', add 'iptables-services' to PACKAGES_UPGRADE_LIST .

This should work equally well for:
1. Normal setup with an answer file choosing iptables
2. Restore from a backup which had iptables

Also need to check and fix as needed what happens if firewalld was already enabled/started - IIRC I noticed that it's now different from what it was when we developed this functionality (around fedora 18 or so), where starting one of iptables/firewalld stopped the other.

--- Additional comment from Yedidyah Bar David on 2016-04-12 09:54:18 EDT ---

Eventually decided to not install iptables-services, just notify the user if iptables service is missing.

--- Additional comment from Jiri Belka on 2016-04-25 12:32:15 EDT ---

Can this be merged to 3.6? Otherwise migration from 3.6 EL6 to 3.6 EL7 does fail.

--- Additional comment from Yedidyah Bar David on 2016-05-01 02:44:34 EDT ---

(In reply to Jiri Belka from comment #5)
> Can this be merged to 3.6? Otherwise migration from 3.6 EL6 to 3.6 EL7 does
> fail.

It's a simple cherry-pick, no objection from my side. Not sure it's that important though - it has affected upstream for a long time now, as we shipped there an engine for both el6 and el7 already in 3.5. I never heard a request for such a migration, and expect almost all people will migrate only when required (in 4.0), and the few that did care handled this manually somehow (by installing iptables-services, saying 'no' to 'configure firewall?', whatever).

Comment 1 Yedidyah Bar David 2016-05-03 14:29:02 UTC
Copied doc text from 4.0 bug 1323201 (only dropped the 3.6->4.0 part).

Comment 2 Jiri Belka 2016-05-09 17:07:02 UTC
ok, no error about firewalld after running engine-setup with restored files from 3.6 EL6.

ovirt-engine-setup-base-3.6.6.2-1.el7.centos.noarch
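
The decision list in the Doc Text can be checked on the EL7 target before engine-setup is run against the restored backup. The script below is an added example, not part of this bug report or of engine-setup; its function names are hypothetical, and the final branch (firewalld not installed) is an assumption, since the bug describes only the warning for that case.

```shell
#!/bin/sh
# Added example, not oVirt code. Predicts which branch of the Doc Text applies
# on the EL7 target before engine-setup runs against a restored EL6 backup.
# Assumes the backup selected iptables and the user accepts automatic
# firewall configuration. Function names are hypothetical.

# predict_outcome IPTABLES_SERVICES FIREWALLD_INSTALLED FIREWALLD_ACTIVE
# Each argument is "yes" or "no".
predict_outcome() {
    ipt_services=$1 fwd_installed=$2 fwd_active=$3
    if [ "$ipt_services" = yes ]; then
        echo "iptables: works as expected"                      # Fix item 1
    elif [ "$fwd_installed" = yes ] && [ "$fwd_active" = yes ]; then
        echo "warning, then firewalld selected automatically"   # items 2 + 3
    elif [ "$fwd_installed" = yes ]; then
        echo "warning, then prompt to choose firewalld"         # items 2 + 4
    else
        # Assumption: the bug text only promises the warning here.
        echo "warning only, no firewalld to fall back to"       # item 2
    fi
}

# Probe helpers: print "yes" or "no", never abort the script.
pkg_installed() {
    if command -v rpm >/dev/null 2>&1 && rpm -q "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

unit_active() {
    if command -v systemctl >/dev/null 2>&1 &&
       systemctl is-active --quiet "$1" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Live check of the host this script runs on.
preflight() {
    predict_outcome "$(pkg_installed iptables-services)" \
                    "$(pkg_installed firewalld)" \
                    "$(unit_active firewalld)"
}

# Probe only when asked: sh preflight.sh --probe
if [ "${1:-}" = "--probe" ]; then
    preflight
fi
```

Any result other than the first means engine-setup will move away from the restored iptables choice, so hosts with hand-maintained iptables rules should be reviewed before accepting automatic firewall configuration.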

