Bug 1473366 - Firewall rules prevent appliance from getting a dynamic IPv6 address
Firewall rules prevent appliance from getting a dynamic IPv6 address
Status: VERIFIED
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance (Show other bugs)
5.8.0
Unspecified Unspecified
high Severity high
: GA
: 5.9.0
Assigned To: Nick Carboni
luke couzens
ipv6:black
: TestOnly, ZStream
Depends On:
Blocks: 1473424
  Show dependency treegraph
 
Reported: 2017-07-20 11:40 EDT by Jan Krocil
Modified: 2017-10-12 04:51 EDT (History)
5 users (show)

See Also:
Fixed In Version: 5.9.0.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1473424 (view as bug list)
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: Bug
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Krocil 2017-07-20 11:40:20 EDT
Description of problem:
SSIA

Version-Release number of selected component (if applicable):
5.8.1.2

How reproducible:
Always

Steps to Reproduce:
1. Get a fresh appliance with no IPv4 networking; IPv6 only
2. Start the appliance up
3. # ip a

Actual results:
The appliance has no IPv6 ULA assigned (it only has a link local address). 

Expected results:
The appliance has IPv6 ULA successfully assigned from the DHCP server.

Additional info:


Workaround:
-----------
1. systemctl stop firewalld
   or
   ip6tables -F
2. systemctl restart network

At this point, the IPv6 address is correctly assigned to the iface.
Comment 2 Jan Krocil 2017-07-20 12:02:39 EDT
Better workaround:
------------------
We need to open port 546/udp in the active zone.

# firewall-cmd --zone=manageiq --add-port=546/udp --permanent
# firewall-cmd --reload
# systemctl restart network
Comment 4 CFME Bot 2017-07-20 14:57:48 EDT
New commit detected on ManageIQ/manageiq-appliance-build/master:
https://github.com/ManageIQ/manageiq-appliance-build/commit/75b970ce3b03ffca237237cbd4abf12e19639286

commit 75b970ce3b03ffca237237cbd4abf12e19639286
Author:     Nick Carboni <ncarboni@redhat.com>
AuthorDate: Thu Jul 20 13:33:28 2017 -0400
Commit:     Nick Carboni <ncarboni@redhat.com>
CommitDate: Thu Jul 20 13:33:28 2017 -0400

    Allow the DHCPv6 client through the appliance firewall
    
    Before this change appliances would not correctly receive IPv6
    addresses via DHCP.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1473366

 kickstarts/partials/post/firewalld.ks.erb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
Comment 6 luke couzens 2017-10-12 04:51:07 EDT
Verified in 5.9.0.2

Note You need to log in before you can comment on or make changes to this bug.