Bug 1390938
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | firewalld should be easily configurable for OVN hosts and OVN central server | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Mor <mkalfon> |
| Component | openvswitch | Assignee | Lance Richardson <lrichard> |
| Status | CLOSED ERRATA | QA Contact | qding |
| Severity | medium | Docs Contact | Ioanna Gkioka <igkioka> |
| Priority | high | | |
| Version | 7.0 | CC | aloughla, atragler, bugs, danken, fleitner, kzhang, lrichard, mjahoda, mkalfon, mmirecki, nusiddiq, ovs-qe, qding, rhartman, ylavi |
| Target Milestone | pre-dev-freeze | Keywords | ZStream |
| Target Release | 7.4 | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | openvswitch-2.6.1-7.git20161206.el7fdb | Doc Type | Enhancement |
| Doc Text | Installation of OVN now supports easily-configurable *firewalld* rules. This feature adds *firewalld* configuration rules for Open Virtual Network (OVN) to the openvswitch packages. As a result, the user can install OVN more easily with *firewalld* enabled, instead of needing to create the *firewalld* configuration manually. | | |
| Story Points | --- | | |
| Clone Of | | | |
| | 1416748 1427110 | Environment | |
| Last Closed | 2017-07-12 15:36:34 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | Network | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1366899, 1411730, 1416748, 1427110 | | |
Description
Mor
2016-11-02 09:51:47 UTC
Target release should be placed once a package build is known to fix an issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for an oVirt release.

We'd be pleased to have a firewalld "service" exposing the needed ports on central and controllers. As an example, for the ovirt provider for ovn we give the user the following file:

/etc/firewalld/services/ovirt-provider-ovn.xml

```xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ovirt-provider-ovn</short>
  <description>oVirt provider ovn</description>
  <port protocol="tcp" port="9696"/>
</service>
```

To add it to firewalld it's enough to run:

```
firewall-cmd --zone=<zone to add service to> --add-service=ovirt-provider-ovn --permanent
```

In our test environment, we added a rule to allow UDP destination port 6081 (for geneve tunnel) in the INPUT table and it worked.

Just to add, if we want to turn on firewalld on the controllers and central (engine in our case), we also need to configure oVirt services ports (e.g.: http://www.ovirt.org/documentation/how-to/faq/ -> "Which network ports should be enabled when setting up oVirt environment?"). For Vdsm, there's an RFE: https://bugzilla.redhat.com/show_bug.cgi?id=995362 without target milestone or target release.

(In reply to Mor from comment #6)
> Just to add, if we want to turn on firewalld on the controllers and central
> (engine in our case), we also need to configure oVirt services ports (e.g.:
> http://www.ovirt.org/documentation/how-to/faq/ -> "Which network ports
> should be enabled when setting up oVirt environment?"). For Vdsm, there's a
> RFE: https://bugzilla.redhat.com/show_bug.cgi?id=995362 without target
> milestone or target release.

and I think it makes sense to ship some firewalld config files with OVN.

We just wanted to update results of our testing to confirm the firewall rule needed to allow geneve tunnels.
Hello everyone,

I made some progress with this issue yesterday, and I managed to get it working with the following firewalld service configuration files:

On OVN central server:

```xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ovirt-provider-ovn</short>
  <description>oVirt provider ovn</description>
  <port protocol="tcp" port="9696"/>
  <port protocol="tcp" port="6641"/>
  <port protocol="tcp" port="6442"/>
</service>
```

On OVN host server:

```xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ovirt-provider-ovn-driver</short>
  <description>oVirt provider OVN driver</description>
  <port protocol="udp" port="6081"/>
</service>
```

Just to make sure, I still want to test it on a clean environment.

(In reply to Mor from comment #8)
> Hello everyone,
>
> I made some progress with this issue yesterday, and I managed to get it
> working with the following firewalld service configuration files:
>
> On OVN central server:
> ----------------------
>
> <?xml version="1.0" encoding="utf-8"?>
> <service>
> <short>ovirt-provider-ovn</short>
> <description>oVirt provider ovn</description>
> <port protocol="tcp" port="9696"/>
> <port protocol="tcp" port="6641"/>
> <port protocol="tcp" port="6442"/>
> </service>
>
> On OVN host server:
> -------------------
>
> <?xml version="1.0" encoding="utf-8"?>
> <service>
> <short>ovirt-provider-ovn-driver</short>
> <description>oVirt provider OVN driver</description>
> <port protocol="udp" port="6081"/>
> </service>
>
> Just to make sure, I still want to test it on a clean environment.

Just adding, TCP port 9696 is used by our OVN provider service (which uses OVN). Note that 9696 is an ovirt related port.
This should be enough:

Central:

```xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ovirt-provider-ovn</short>
  <description>oVirt provider ovn</description>
  <port protocol="tcp" port="6641"/>
  <port protocol="tcp" port="6442"/>
</service>
```

Host:

```xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ovirt-provider-ovn-driver</short>
  <description>oVirt provider OVN driver</description>
  <port protocol="udp" port="6081"/>
</service>
```

Brew build for fd beta package: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=12525976

Hi Mor,

I know nothing about oVirt. Can you please help verify this BZ?

Thanks
QJ

(In reply to qding from comment #15)
> Hi Mor,
>
> I know nothing about oVirt. Can you please help verify this BZ?
>
> Thanks
> QJ

Hi QJ,

Sorry for the delay in response. Do you want to verify it with oVirt and OVN setup? or just with OVN?

(In reply to qding from comment #15)
> Hi Mor,
>
> I know nothing about oVirt. Can you please help verify this BZ?
>
> Thanks
> QJ

I will verify it with my own setup of oVirt and OVN.

(In reply to Mor from comment #17)
>
> I will verify it with my own setup of oVirt and OVN.

I hope OVN only if it can be used to verify this issue.

Thanks
QJ

Hi Mor,

Sorry for that I should have given more explanation. I hope cover this feature with OVN only if you can give me some suggestions. Thank you very much for help verify this issue, then should I assign QA contact to you?

Thanks
QJ

(In reply to qding from comment #19)
> Hi Mor,
>
> Sorry for that I should have given more explanation. I hope cover this
> feature with OVN only if you can give me some suggestions. Thank you very
> much for help verify this issue, then should I assign QA contact to you?
>
> Thanks
> QJ

No problem.

(In reply to qding from comment #19)
> Hi Mor,
>
> Sorry for that I should have given more explanation. I hope cover this
> feature with OVN only if you can give me some suggestions. Thank you very
> much for help verify this issue, then should I assign QA contact to you?
>
> Thanks
> QJ

Hi QJ,

Currently, I'm unable to verify it on RHV hypervisors when firewalld is on, because RHV hosts do not support firewalld yet. But in order to make some ticket progress, I want to try and set up an OVN environment for it, and try it out with RHV engine and OVN-only hosts.

I will update with my findings.
Thanks.

(In reply to Lance Richardson from comment #11)
> Brew build for fd beta package:
>
> https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=12525976

Hi Lance,

1. Can you please clarify which RPM in the candidate build includes the addition of the host firewalld service file?

2. Is it an internal build? Or is it also included in openvswitch-ovn-central-2.6.1-10.git20161206?

Thanks.

(In reply to Mor from comment #22)
> (In reply to Lance Richardson from comment #11)
> > Brew build for fd beta package:
> >
> > https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=12525976
>
> Hi Lance,
>
> 1. Can you please clarify which RPM in the candidate build includes the
> addition of the host firewalld service file?
>
> 2. Is it internal build? Or it is also included in
> openvswitch-ovn-central-2.6.1-10.git20161206?
>
> Thanks.

Hi Mor,

Yes, it is in 2.6.1-10.git20161206

That version can be found here:

http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch/2.6.1/10.git20161206.el7fdb/

(In reply to Mor from comment #21)
>
> Currently, I'm unable to verify it on RHV hypervisors when firewalld is on,
> because RHV hosts do not support firewalld yet. But in order to make some
> ticket progress, I want to try and setup OVN environment for it, and try it
> out with RHV engine and OVN-only hosts.
>
> I will update with my findings.
> Thanks

Hi,

I tried to look for the service file that contains 6081 UDP port (comment #10). Do you know which package provides it on 2.6.1-10? I can't find it.

(In reply to Mor from comment #25)
> Hi,
>
> I tried to look for the service file that contains 6081 UDP port (comment
> #10). Do you know which package provides it on 2.6.1-10? I can't find it.

Hi Mor,

It seems the needed files are indeed not being installed, a fix will be needed. Unfortunately, since this is on QE already it will likely have to wait until the next fdb/fdp release (assuming it's not a blocker).

Lance

Fix pushed to fd beta and fd production packages. Builds can be found here:

http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch/2.6.1/11.git20161206.el7fdb/

and:

http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch/2.6.1/11.git20161206.el7fdp/

The host rules to allow UDP port 6081 (GENEVE) are included in the openvswitch-ovn-host RPM:

/usr/lib/firewalld/services/ovn-host-firewall-service.xml

The original upstream patch, which appears to have been based on https://bugzilla.redhat.com/show_bug.cgi?id=1390938#c8 , has the wrong port number (6442) for the southbound db connection.

This patch will need to be backported for the next fd drop:

https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329532.html

(In reply to Lance Richardson from comment #32)
> The original upstream patch, which appears to have been based on
> https://bugzilla.redhat.com/show_bug.cgi?id=1390938#c8 , has the
> wrong port number (6442) for the southbound db connection.
>
> This patch will need to be backported for the next fd drop:
>
> https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329532.html

This could explain the reason for the block. It was a typo. Thanks Lance.

The patch referenced in https://bugzilla.redhat.com/show_bug.cgi?id=1390938#c32 has been back-ported to fast datapath beta and production packages.

RPMs with this patch are available here:

Fast datapath beta:
http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch/2.6.1/17.git20161206.el7fdb/

Fast datapath production:
http://download-node-02.eng.bos.redhat.com/brewroot/packages/openvswitch/2.6.1/14.git20161206.el7fdp/

Verified with openvswitch-2.7.0-7.git20170530.el7fdb.x86_64
```text
[root@dell-per730-04 ovn]# uname -r
3.10.0-673.el7.x86_64
[root@dell-per730-04 ovn]# rpm -q openvswitch
openvswitch-2.7.0-7.git20170530.el7fdb.x86_64
[root@dell-per730-04 ovn]#
[root@dell-per730-04 ovn]# cat /usr/lib/firewalld/services/ovn-host-firewall-service.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>ovn-host-firewall-service</short>
<description>Firewall service for ovn host</description>
<port protocol="udp" port="6081"/>
</service>
[root@dell-per730-04 ovn]# cat /usr/lib/firewalld/services/ovn-central-firewall-service.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>ovn-central-firewall-service</short>
<description>Firewall service for ovn central</description>
<port protocol="tcp" port="6641"/>
<port protocol="tcp" port="6642"/>
</service>
[root@dell-per730-04 ovn]#
[root@dell-per730-04 ovn]# firewall-cmd --zone=public --remove-service=ovn-host-firewall-service
success
[root@dell-per730-04 ovn]# firewall-cmd --zone=public --remove-service=ovn-central-firewall-service
success
[root@dell-per730-04 ovn]# ovn-sbctl show
[root@dell-per730-04 ovn]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@dell-per730-04 ovn]# ovn-sbctl show
[root@dell-per730-04 ovn]#
[root@dell-per730-04 ovn]# firewall-cmd --zone=public --add-service=ovn-host-firewall-service
success
[root@dell-per730-04 ovn]# firewall-cmd --zone=public --add-service=ovn-central-firewall-service
success
[root@dell-per730-04 ovn]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources:
  services: ssh dhcpv6-client ovn-host-firewall-service ovn-central-firewall-service
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@dell-per730-04 ovn]# ovn-sbctl show
Chassis "18b7c59a-8a0b-4338-9d28-358b45528a80"
    hostname: "dell-per730-05.rhts.eng.pek2.redhat.com"
    Encap geneve
        ip: "192.168.1.144"
        options: {csum="true"}
```
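A small check, added here as an example and not taken from the openvswitch packages or from anyone in this thread, that parses firewalld service XML of the shape shown above and compares its ports with the set the thread settled on (6641 and 6642 TCP on central, 6081 UDP on hosts), so a draft carrying the 6442 typo from comment #32 is reported before it is shipped. The `EXPECTED` table and the two sample files are constructed for the example.

```python
"""Parse firewalld service definitions for OVN and check their port sets.

Added example; EXPECTED and the sample files below are constructed for it.
"""
import xml.etree.ElementTree as ET

# Port set the thread settled on: NB/SB database listeners on the central
# node (the SB listener is 6642, not the 6442 typo), Geneve tunnels on hosts.
EXPECTED = {
    "ovn-central-firewall-service": {("tcp", "6641"), ("tcp", "6642")},
    "ovn-host-firewall-service": {("udp", "6081")},
}


def parse_service(xml_text):
    """Return (short name, {(protocol, port), ...}) from a service file."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "service":
        raise ValueError("not a firewalld service definition: <%s>" % root.tag)
    short = root.findtext("short", default="")
    ports = {(p.get("protocol"), p.get("port")) for p in root.findall("port")}
    return short, ports


def check_service(xml_text):
    """Return (missing, unexpected) port sets relative to EXPECTED."""
    short, ports = parse_service(xml_text)
    if short not in EXPECTED:
        raise KeyError("unknown OVN service %r" % short)
    want = EXPECTED[short]
    return want - ports, ports - want


# Constructed sample: the central file as shipped in the verified build.
CENTRAL_OK = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ovn-central-firewall-service</short>
  <description>Firewall service for ovn central</description>
  <port protocol="tcp" port="6641"/>
  <port protocol="tcp" port="6642"/>
</service>
"""

# Constructed sample: the same file with the 6442 typo from the early draft.
CENTRAL_TYPO = CENTRAL_OK.replace('port="6642"', 'port="6442"')

if __name__ == "__main__":
    for label, text in (("shipped", CENTRAL_OK), ("typo", CENTRAL_TYPO)):
        missing, extra = check_service(text)
        print("%s: missing=%s unexpected=%s" % (label, sorted(missing), sorted(extra)))
```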
Submitted the patch to fix this - https://review.openstack.org/#/c/518440/ and upstream bug link - https://bugs.launchpad.net/tripleo/+bug/1730711

(In reply to Numan Siddique from comment #39)
> Submitted the patch to fix this - https://review.openstack.org/#/c/518440/
> and upstream bug link - https://bugs.launchpad.net/tripleo/+bug/1730711

Oops. Sorry. Please ignore - I meant to comment on this BZ - https://bugzilla.redhat.com/show_bug.cgi?id=1510879