Bug 1332088 - [3.6.6 clone][migration 3.6 el6 - 3.6 el7] Failed to execute stage 'Setup validation': Firewall manager iptables is not available
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Setup.EngineCommon
Version: 3.6.5
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: ovirt-3.6.6
Target Release: 3.6.6.1
Assignee: Yedidyah Bar David
QA Contact: Jiri Belka
URL:
Whiteboard:
Depends On: 1323201
Blocks: 1318580 1332463
Reported: 2016-05-02 08:05 UTC by Sandro Bonazzola
Modified: 2017-05-11 09:25 UTC (History)

Fixed In Version:
Clone Of: 1323201
Environment:
Last Closed: 2016-05-30 10:52:24 UTC
oVirt Team: Integration
Embargoed:
rule-engine: ovirt-3.6.z+
ylavi: planning_ack+
sbonazzo: devel_ack+
pnovotny: testing_ack+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
oVirt gerrit | 56020 | 0 | None | None | None | 2016-05-02 08:05:34 UTC
oVirt gerrit | 56021 | 0 | None | None | None | 2016-05-02 08:05:34 UTC
oVirt gerrit | 56963 | 0 | ovirt-engine-3.6 | MERGED | packaging: setup: Reset firewall manager if not available | 2016-05-03 12:20:51 UTC
oVirt gerrit | 56968 | 0 | ovirt-engine-3.6.6 | MERGED | packaging: setup: Reset firewall manager if not available | 2016-05-03 14:00:07 UTC

Description Sandro Bonazzola 2016-05-02 08:05:35 UTC
+++ This bug was initially created as a clone of Bug #1323201 +++

Description of problem:

After restoring backup of 3.6 engine from EL6 on cleanly installed EL7 with 3.6 engine rpms, engine-setup fails with error:

Failed to execute stage 'Setup validation': Firewall manager iptables is not available

(This issue appears only on restore and subsequent engine-setup on clean EL7, as I did not have this issue while doing in-place migration via redhat-upgrade-tool.)

/sbin/iptables is of course available.

Version-Release number of selected component (if applicable):
ovirt-engine-setup-base-3.6.4.1-1.el7.centos.noarch

How reproducible:
100%

Steps to Reproduce:
1. install 3.6 engine on EL6
2. engine-backup to backup everything
3. yum install ovirt-engine
4. engine-backup to restore everything
5. engine-setup

Actual results:
Failed to execute stage 'Setup validation': Firewall manager iptables is not available

Expected results:
should work

Additional info:
Modifying 'OVESETUP_CONFIG/firewallManager' to 'none:None' and accepting 'firewalld' as the value for this question in the next engine-setup run makes the setup procedure pass this step.

--- Additional comment from Yedidyah Bar David on 2016-04-07 10:55:36 EDT ---

Workaround:

Before engine-setup:

yum install iptables-services
systemctl stop firewalld
systemctl disable firewalld
systemctl start iptables
systemctl enable iptables

Or (that's not officially supported currently, see also bug 1097857 comment 1 and the very long discussion on the patch for it https://gerrit.ovirt.org/20737):

engine-setup --offline --otopi-environment='OVESETUP_CONFIG/firewallManager=str:firewalld'

For a solution, perhaps one of:
1. Require iptables-services (not sure we want that, but it's easiest)
2. Do nothing, only document that for migration.
3. Do something in 'engine-backup --mode=restore' - either just a note, or also install the package (I don't like this one)

Sandro - what do you think?

--- Additional comment from Yedidyah Bar David on 2016-04-11 02:29:14 EDT ---

Thinking about this again, perhaps:

If selected firewall manager is 'iptables', add 'iptables-services' to PACKAGES_UPGRADE_LIST .

This should work equally well for:
1. Normal setup with an answer file choosing iptables
2. Restore from a backup which had iptables

Also need to check and fix as needed what happens if firewalld was already enabled/started - IIRC I noticed that it's now different from what it was when we developed this functionality (around Fedora 18 or so), where starting one of iptables/firewalld stopped the other.

--- Additional comment from Yedidyah Bar David on 2016-04-12 09:54:18 EDT ---

Eventually decided to not install iptables-services, just notify the user if iptables service is missing.

--- Additional comment from Jiri Belka on 2016-04-25 12:32:15 EDT ---

Can this be merged to 3.6? Otherwise migration from 3.6 EL6 to 3.6 EL7 does fail.

--- Additional comment from Yedidyah Bar David on 2016-05-01 02:44:34 EDT ---

(In reply to Jiri Belka from comment #5)
> Can this be merged to 3.6? Otherwise migration from 3.6 EL6 to 3.6 EL7 does
> fail.

It's a simple cherry-pick, no objection from my side. Not sure it's that important though - it has affected upstream for a long time now, as we shipped there an engine for both el6 and el7 already in 3.5. I never heard a request for such a migration, and expect almost all people will migrate only when required (in 4.0), and the few that did care handled this manually somehow (by installing iptables-services, saying 'no' to 'configure firewall?', whatever).
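
A pre-flight check for the failure described in this report, as an added example that is not part of the bug thread or of ovirt-engine: it reads the 'OVESETUP_CONFIG/firewallManager' value from a restored configuration and compares it with a saved `systemctl list-unit-files --type=service` listing. The file locations, the sample contents and the mapping of a manager name to `<name>.service` are assumptions made for the example.

```shell
#!/bin/sh
# Added example: pre-flight check for a restored engine-setup configuration.
# File locations are passed as arguments (hypothetical); sample data is constructed.

# Print the manager named by the last OVESETUP_CONFIG/firewallManager=str:<name>
# line in file $1. Prints nothing for none:None or when the key is absent.
configured_manager() {
    sed -n 's|^OVESETUP_CONFIG/firewallManager=str:\(.*\)$|\1|p' "$1" | tail -n 1
}

# $1 = config file, $2 = saved output of `systemctl list-unit-files --type=service`
# Assumption: manager <name> is backed by a unit called <name>.service.
# Prints unset | available:<name> | missing:<name>; returns 1 only for missing.
check_manager() {
    mgr=$(configured_manager "$1")
    if [ -z "$mgr" ]; then
        echo "unset"
        return 0
    fi
    # Anchored match, so ip6tables.service does not satisfy "iptables".
    if grep -q "^${mgr}\.service[[:space:]]" "$2"; then
        echo "available:$mgr"
    else
        echo "missing:$mgr"
        return 1
    fi
}

# Constructed sample: config restored from EL6, unit list of a clean EL7 host.
demo_dir=$(mktemp -d)
printf '%s\n' 'OVESETUP_CONFIG/firewallManager=str:iptables' \
    > "$demo_dir/restored.conf"
printf '%s\n' 'firewalld.service   enabled' \
    'sshd.service        enabled' > "$demo_dir/el7-units.txt"
# Same host after the iptables-services workaround (constructed).
printf '%s\n' 'firewalld.service   disabled' \
    'iptables.service    enabled' > "$demo_dir/el7-fixed-units.txt"

check_manager "$demo_dir/restored.conf" "$demo_dir/el7-units.txt" || true
check_manager "$demo_dir/restored.conf" "$demo_dir/el7-fixed-units.txt"
```

A "missing:iptables" result before running engine-setup corresponds to the condition this bug reports: the restored choice names a manager whose service is not installed on the new host.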

Comment 1 Yedidyah Bar David 2016-05-03 14:29:02 UTC
Copied doc text from 4.0 bug 1323201 (only dropped the 3.6->4.0 part).

Comment 2 Jiri Belka 2016-05-09 17:07:02 UTC
ok, no error about firewalld after running engine-setup with restored files from 3.6 EL6.

ovirt-engine-setup-base-3.6.6.2-1.el7.centos.noarch

