Bug 1424782 - Supply firewalld service configuration file
Summary: Supply firewalld service configuration file
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-provider-ovn
Classification: oVirt
Component: provider
Version: unspecified
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ovirt-4.1.3
Assignee: Marcin Mirecki
QA Contact: Mor
URL:
Whiteboard:
Depends On:
Blocks: ovirt_firewalld_support 1446130
Reported: 2017-02-19 12:19 UTC by Mor
Modified: 2017-07-06 13:21 UTC

Fixed In Version:
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-07-06 13:21:58 UTC
oVirt Team: Network
Embargoed:
rule-engine: ovirt-4.1+
ykaul: exception-


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 73729 0 master MERGED Set firewalld service files persmissions to 644 2017-03-14 08:07:27 UTC
oVirt gerrit 74024 0 ovirt-4.1 MERGED Set firewalld service files persmissions to 644 2017-03-21 08:55:05 UTC
oVirt gerrit 76725 0 master MERGED Fixing incorrect port number in firewalld service 2017-05-12 11:35:47 UTC
oVirt gerrit 76766 0 ovirt-4.1 MERGED Fixing incorrect port number in firewalld service 2017-05-15 10:35:39 UTC

Description Mor 2017-02-19 12:19:42 UTC
Description of problem:
There's a missing backport for ovirt-provider-ovn package which includes the firewalld XML configuration file for RHV version 4.1.1.

In addition, please fix the current patch to set file permission mode: 644 (-rw-r--r--) instead of 755 (-rwxr-xr-x) on the XML file. This is what is set on other oVirt supplied XML files (ovirt-https.xml, ovirt-postgres.xml, etc.).

Version-Release number of selected component (if applicable):
Red Hat Virtualization Manager Version: 4.1.1.2-0.1.el7

Comment 1 Marcin Mirecki 2017-02-22 09:40:31 UTC
Fixed with patches:

https://gerrit.ovirt.org/#/c/71585/
https://gerrit.ovirt.org/#/c/72690/

Comment 2 Marcin Mirecki 2017-03-02 12:23:17 UTC
Fix available in:  ovirt-provider-ovn-1.0-6.el7ev

Comment 3 Mor 2017-03-06 13:31:27 UTC
-rw-r--r--. 1 root root 216 Jan 23 12:47 ovirt-fence-kdump-listener.xml
-rw-r--r--. 1 root root 185 Jan 23 12:47 ovirt-https.xml
-rw-r--r--. 1 root root 182 Jan 23 12:47 ovirt-http.xml
-rw-r--r--. 1 root root 192 Jan 23 12:47 ovirt-imageio-proxy.xml
-rw-r--r--. 1 root root 572 Jan 23 12:47 ovirt-nfs.xml
-rw-r--r--. 1 root root 192 Jan 23 12:47 ovirt-postgres.xml
-rwxr-xr-x. 1 root root 344 Feb 27 15:20 ovirt-provider-ovn-central.xml
-rwxr-xr-x. 1 root root 181 Feb 27 15:20 ovirt-provider-ovn.xml
-rw-r--r--. 1 root root 207 Jan 23 12:47 ovirt-vmconsole-proxy.xml
-rw-r--r--. 1 root root 206 Jan 23 12:47 ovirt-websocket-proxy.xml

File permissions for ovirt-provider-ovn-*.xml files are not set with mode 644.

Comment 4 Marcin Mirecki 2017-04-27 09:30:05 UTC
Included in 1.0-7 build.

https://errata.devel.redhat.com/advisory/28277

Comment 5 Mor 2017-05-01 06:18:13 UTC
Marcin, we have 6442 TCP port in ovirt-provider-ovn-central.xml. It's supposed to be port 6642. Please fix.

Comment 6 Mor 2017-06-04 05:52:01 UTC
Verified on:
ovirt-provider-ovn-1.1-2.20170531131557.git61bec06.el7.centos.noarch
ovirt-provider-ovn-driver-1.1-2.20170531131557.git61bec06.el7.centos.noarch

On host: 
1. No firewalld service file is supplied by ovirt-provider-ovn-driver.
2. openvswitch-ovn-host supplies service file with port UDP 6081.

On central: 
1. ovirt-provider-ovn supplies port TCP 9696. 
2. openvswitch-ovn-central supplies ports TCP: 6641 & 6642. 
3. File permissions on /usr/lib/firewalld/services/ovirt-provider-ovn.xml are 644.

NOTE: No OVN functionality tests were done, only checks that the relevant ports are open on the servers, due to the fact that vdsm currently does not support firewalld.
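
The two defects tracked in this bug (service files installed with mode 755 instead of 644, and port 6442 declared where 6642 was intended) can be checked mechanically. The following is an added example, not part of the bug report or of ovirt-provider-ovn: the expected port sets are assumptions drawn from comments 5 and 6, and the sample XML files are constructed.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Assumption: expected ports per file, drawn from comments 5 and 6 of this bug.
EXPECTED = {
    "ovirt-provider-ovn.xml": {("tcp", "9696")},
    "ovirt-provider-ovn-central.xml": {("tcp", "6641"), ("tcp", "6642")},
}

def audit_service_file(path, expected_ports):
    """Return findings (mode and port mismatches) for one firewalld service file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o644:
        findings.append(f"mode {mode:03o}, expected 644")
    root = ET.parse(path).getroot()
    declared = {(p.get("protocol"), p.get("port")) for p in root.iter("port")}
    findings += [f"unexpected port {pr}/{po}" for pr, po in sorted(declared - expected_ports)]
    findings += [f"missing port {pr}/{po}" for pr, po in sorted(expected_ports - declared)]
    return findings

def audit_directory(directory, expected=EXPECTED):
    """Audit every expected service file under `directory`."""
    report = {}
    for name, ports in expected.items():
        path = os.path.join(directory, name)
        report[name] = (audit_service_file(path, ports)
                        if os.path.isfile(path) else ["file not found"])
    return report

def build_sample(directory):
    """Write constructed sample files: one clean, one with both defects from the bug."""
    samples = {
        "ovirt-provider-ovn.xml": (0o644, [("tcp", "9696")]),
        "ovirt-provider-ovn-central.xml": (0o755, [("tcp", "6641"), ("tcp", "6442")]),
    }
    for name, (mode, ports) in samples.items():
        body = "".join(f'<port protocol="{pr}" port="{po}"/>' for pr, po in ports)
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(f'<?xml version="1.0" encoding="utf-8"?>\n<service>{body}</service>\n')
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, findings in audit_directory(tmp).items():
            print(name, "->", findings or "OK")
```

On an installed system, audit_directory would be pointed at /usr/lib/firewalld/services with an expected map that matches the packages actually deployed.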

