+++ This bug was initially created as a clone of Bug #1323201 +++ Description of problem: After restoring backup of 3.6 engine from EL6 on cleanly installed EL7 with 3.6 engine rpms, engine-setup fails with error: Failed to execute stage 'Setup validation': Firewall manager iptables is not available (This issue appears only on restore and subsequent engine-setup on clean EL7, as I did not have this issue while doing in-place migration via redhat-upgrade-tool.) /sbin/iptables is of course available. Version-Release number of selected component (if applicable): ovirt-engine-setup-base-3.6.4.1-1.el7.centos.noarch How reproducible: 100% Steps to Reproduce: 1. install 3.6 engine on EL6 2. engine-backup to backup everything 3. yum install ovirt-engine 4. engine-backup to restore everything 5. engine-setup Actual results: Failed to execute stage 'Setup validation': Firewall manager iptables is not available Expected results: should work Additional info: modifying 'OVESETUP_CONFIG/firewallManager' to 'none:None' and accepting 'firewalld' as value for this question in next engine-setup run, makes the setup procedure pass this step. --- Additional comment from Yedidyah Bar David on 2016-04-07 10:55:36 EDT --- Workaround: Before engine-setup: yum install iptables-services systemctl stop firewalld systemctl disable firewalld systemctl start iptables systemctl enable iptables Or (that's not officially supported currently, see also bug 1097857 comment 1 and the very long discussion on the patch for it https://gerrit.ovirt.org/20737): engine-setup --offline --otopi-environment='OVESETUP_CONFIG/firewallManager=str:firewalld' For a solution, perhaps one of: 1. Require iptables-services (not sure we want that, but it's easiest) 2. Do nothing, only document that for migration. 3. Do something in 'engine-backup --mode=restore' - either just a note, or also install the package (I don't like this one) Sandro - what do you think? --- Additional comment from Yedidyah Bar David on 2016-04-11 02:29:14 EDT --- Thinking about this again, perhaps: If selected firewall manager is 'iptables', add 'iptables-services' to PACKAGES_UPGRADE_LIST . This should work equally well for: 1. Normal setup with an answer file choosing iptables 2. Restore from a backup which had iptables Also need to check and fix as needed what happens if firewalld was already enabled/started - IIRC I noticed that it's now different from what it was when we developed this functionality (around fedora 18 or so), where starting one of iptables/firewalld stopped the other. --- Additional comment from Yedidyah Bar David on 2016-04-12 09:54:18 EDT --- Eventually decided to not install iptables-services, just notify the user if iptables service is missing. --- Additional comment from Jiri Belka on 2016-04-25 12:32:15 EDT --- Can this be merge to 3.6 ? Otherwise migration from 3.6 EL6 to 3.6 EL7 does fail. --- Additional comment from Yedidyah Bar David on 2016-05-01 02:44:34 EDT --- (In reply to Jiri Belka from comment #5) > Can this be merge to 3.6 ? Otherwise migration from 3.6 EL6 to 3.6 EL7 does > fail. It's a simple cherry-pick, no objection from my side. Not sure it's that important though - it affects upstream for a long time now, as we shipped there an engine for both el6 and el7 already in 3.5. I never heard a request for such a migration, and expect almost all people will migrate only when required (in 4.0), and the few that did care, handled this manually somehow (by installing iptables-service, saying 'no' to 'configure firewall?', whatever).
Copied doc text from 4.0 bug 1323201 (only dropped the 3.6->4.0 part).
ok, no error about firewalld after running engine-setup with restored files from 3.6 EL6. ovirt-engine-setup-base-3.6.6.2-1.el7.centos.noarch