Bug 1414524 - IPv6 migration fails due to missing ip6tables rules.
Summary: IPv6 migration fails due to missing ip6tables rules.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-host-deploy
Classification: oVirt
Component: General
Version: master
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ovirt-4.2.0
: 1.7.0
Assignee: Leon Goldberg
QA Contact: Jiri Belka
URL:
Whiteboard:
Depends On:
Blocks: 1402407
 
Reported: 2017-01-18 18:15 UTC by Leon Goldberg
Modified: 2017-12-20 10:45 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-20 10:45:42 UTC
oVirt Team: Network
rule-engine: ovirt-4.2+
jbelka: testing_plan_complete?


Attachments
vdsm log snippet (1.76 KB, text/plain)
2017-01-18 18:15 UTC, Leon Goldberg

Description Leon Goldberg 2017-01-18 18:15:24 UTC
Created attachment 1242251 [details]
vdsm log snippet

Description of problem:

During deployment iptables rules are being applied to enable incoming access to libvirt's migration ports. As these rules only apply to ipv4 iptables, ipv6 ports remain closed, resulting in inaccessibility.

How reproducible:
100%

Steps to Reproduce:
1) Create a VM network
2) Set a migration role to the network
3) Attach it to 2 hosts configured for static ipv6 addresses (ipv4 protocol set to none)
4) Migrate a VM from one of the hosts to the other one

Actual results:
Migration fails due to socket permission denied on the target host.

Expected results:
Migration succeeds.

Comment 1 Sandro Bonazzola 2017-01-19 15:10:10 UTC
Leon, the ovirt-host-deploy tool set iptables rules provided by the engine.
Are the iptables6 rules sent by the engine to ovirt-host-deploy?

Comment 2 Leon Goldberg 2017-01-22 10:02:13 UTC
They are not, but iiuc it wouldn't matter as we don't have the infrastructure to set ip6tables rules.

Comment 3 Leon Goldberg 2017-01-22 10:28:37 UTC
Allow me to elaborate: 

IIUC, currently, engine provides ipv4 rules that are written via OHD to a file that iptables is set to use.

There are 2 problems with this with regard to ipv6; as you wrote, engine doesn't provide ipv6 rules; and more importantly, we don't have the infrastructure to write to a different file dedicated to ipv6, and to set ip6tables to use it -- iptables and ip6tables aren't meant to share the same rule set as they're not compatible with one another.

Naively, I think we should add similar infrastructure for ipv6, writing to a separate file and setting ip6tables to use that file (and similarly provide the required ipv6 rules via engine).
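
The gap described in the comments above, turned into a check: an added shell example (not part of the bug report and not ovirt-host-deploy code) that parses two rule sets in iptables-save format and lists the ports accepted by the iptables INPUT chain for which the ip6tables rule set has no matching ACCEPT. Both rule sets are constructed samples; the port numbers other than 22 and 54322 are assumptions, not values from the report.

```shell
#!/bin/sh
# Constructed sample rule sets (iptables-save format), not taken from the report.
# V4 stands for what the engine-provided rules give iptables; V6 stands for the
# situation the bug describes: ip6tables carrying almost none of those rules.
V4_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 54322 -j ACCEPT
-A INPUT -p tcp --dport 16514 -j ACCEPT
-A INPUT -p udp --dport 6081 -j ACCEPT
COMMIT'
V6_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Print one "port/proto" line (firewall-cmd style) for every INPUT rule that
# ACCEPTs a destination port, sorted and de-duplicated.
accepted_ports() {
    printf '%s\n' "$1" | awk '/^-A INPUT / && /-j ACCEPT/ {
        proto = ""; port = "";
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1);
            if ($i == "--dport") port = $(i + 1);
        }
        if (port != "") print port "/" proto;
    }' | sort -u
}

# Ports opened in the IPv4 rule set ($1) with no counterpart in the IPv6 set ($2).
# An empty result means both families accept the same ports.
missing_v6_ports() {
    v6=$(mktemp)
    accepted_ports "$2" > "$v6"
    # grep exits 1 when nothing is missing; that is not an error here.
    accepted_ports "$1" | grep -vxF -f "$v6" || true
    rm -f "$v6"
}

# Usage: report what ip6tables is missing relative to iptables.
missing_v6_ports "$V4_RULES" "$V6_RULES"
```

On a real host the same check can be fed the live tables with `iptables-save` and `ip6tables-save` instead of the embedded samples.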

Comment 4 Ondřej Svoboda 2017-03-14 14:11:21 UTC
I have been seeing a different outcome of ovirt-host-deploy.

Once firewalld is disabled and replaced by iptables-services, 'ip6tables -L' shows that the rules are lost, leaving ports wide open:

[root@lago-basic-suite-master-host0 ~]# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

This allows IPv6 migration to work, but at the great cost of having a useless IPv6 firewall. You can use the same steps to reproduce, re-enabled in OST by https://gerrit.ovirt.org/#/c/74052/

Comment 8 Jiri Belka 2017-10-31 12:39:56 UTC
ok, migration over ipv6 only migration network works ok

vdsm-4.20.3-178.gitee07ec4.el7.centos.x86_64
ovirt-host-deploy-1.7.0-0.0.master.20170912090102.git1eeb5a2.el7.centos.noarch
ovirt-engine-4.2.0-0.0.master.20171029154613.git19686f3.el7.centos.noarch

with 'firewalld' fw type on cluster:

* ok

# firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ovirtmgmt eth1
  sources: 
  services: dhcpv6-client ssh rpc-bind snmp cockpit libvirt-tls ovirt-vmconsole vdsm nfs ctdb ovirt-storageconsole nrpe samba
  ports: 22/tcp 54322/tcp 6081/udp 963/udp 965/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


with 'iptables' fw type on cluster:

* ok

# ip6tables -nL 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Comment 9 Sandro Bonazzola 2017-12-20 10:45:42 UTC
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be
resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.
