Bug 1570391 - Engine-setup fails at stage 'Closing up': Command '/bin/firewall-cmd' failed to execute.
Summary: Engine-setup fails at stage 'Closing up': Command '/bin/firewall-cmd' failed ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: otopi
Classification: oVirt
Component: Core
Version: master
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ovirt-4.2.4
: ---
Assignee: Yedidyah Bar David
QA Contact: Pavel Stehlik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-22 14:39 UTC by John Boero
Modified: 2018-06-29 14:45 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-11 11:28:24 UTC
oVirt Team: Integration
rule-engine: ovirt-4.2+
rule-engine: exception+


Attachments (Terms of Use)

Description John Boero 2018-04-22 14:39:29 UTC
Description of problem:
Fresh install of engine on a dedicated EL 7.2 host using engine-setup, during closing stage, firewall-cmd fails trying to enable a service "ovirt-vmconsole" that doesn't exist (and doesn't appear to be provided by anything in the 4.2 repo).

Version-Release number of selected component (if applicable):
otopi.noarch                           1.7.7-1.el7.centos             @ovirt-4.2
CentOS Linux release 7.4.1708 (Core)

How reproducible:
Always

Steps to Reproduce:
1. Do a fresh engine-setup with either firewalld or iptables configuration option.  Tail the log listed during install.
2. Install (hopefully) successfully gets to Closing stage.
3. During close, firewall-cmd errors enabling a service that doesn't exist and stops the rest of close.

Actual results:
Error:

2018-04-22 14:15:46,601+0100 DEBUG otopi.plugins.otopi.network.firewalld plugin.execute:926 execute-output: ('/bin/firewall-cmd', '--zone', u'public', '--permanent', '--add-service', 'ovirt-postgres') stderr:
Error: INVALID_SERVICE: 'ovirt-vmconsole' not among existing services

2018-04-22 14:15:46,601+0100 DEBUG otopi.context context._executeMethod:143 method exception
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/otopi/context.py", line 133, in _executeMethod
    method['method']()
  File "/usr/share/otopi/plugins/otopi/network/firewalld.py", line 334, in _closeup
    '--add-service', service,
  File "/usr/lib/python2.7/site-packages/otopi/plugin.py", line 931, in execute
    command=args[0],
112935RuntimeError: Command '/bin/firewall-cmd' failed to execute
2018-04-22 14:15:46,603+0100 ERROR otopi.context context._executeMethod:152 Failed to execute stage 'Closing up': Command '/bin/firewall-cmd' failed to execute


Expected results:
engine-setup should finish and firewalls should allow engine ports.

Additional info:
In my case with current 4.2 repo, a "yum provides /usr/lib/systemd/system/ovirt-vmconsole.service" comes back empty as nothing provides it.

My only workaround option is to disable "Update Firewall" option in installer answers, which allows install to finish.  Note I'm avoiding self-hosted on purpose as an unrelated HA quorum bug has ruined my current installment.

Comment 1 John Boero 2018-04-23 10:14:05 UTC
Update - even after disabling firewall config, I just noticed this in firewalld journal:

Apr 22 14:31:05 $FQDN firewalld[31325]: WARNING: public: INVALID_SERVICE: ovirt-vmconsole
Apr 22 14:31:05 $FQDN firewalld[31325]: WARNING: public: INVALID_SERVICE: vdsm
Apr 22 14:31:05 $FQDN firewalld[31325]: WARNING: public: INVALID_SERVICE: ovirt-storageconsole


This is odd.  vdsm should be vdsmd anyway.  Is anybody able to deploy currently?  This seems like a no-brainer.
Thanks

Comment 2 John Boero 2018-04-23 10:14:25 UTC
Update - even after disabling firewall config, I just noticed this in firewalld journal:

Apr 22 14:31:05 $FQDN firewalld[31325]: WARNING: public: INVALID_SERVICE: ovirt-vmconsole
Apr 22 14:31:05 $FQDN firewalld[31325]: WARNING: public: INVALID_SERVICE: vdsm
Apr 22 14:31:05 $FQDN firewalld[31325]: WARNING: public: INVALID_SERVICE: ovirt-storageconsole


This is odd.  vdsm should be vdsmd anyway.  Is anybody able to deploy currently?  This seems like a no-brainer.
Thanks

Comment 3 Sandro Bonazzola 2018-05-07 08:12:47 UTC
John, you said you were using EL7.2 and then you gave CentOS 7.4 release line.
Is this 7.2 or 7.4? Because oVirt 4.2 requires CentOS >= 7.4, won't work on 7.2.

Comment 4 John Boero 2018-05-08 07:37:36 UTC
(In reply to Sandro Bonazzola from comment #3)
> John, you said you were using EL7.2 and then you gave CentOS 7.4 release
> line.
> Is this 7.2 or 7.4? Because oVirt 4.2 requires CentOS >= 7.4, won't work on
> 7.2.

Sorry it was EL7.4.  It's been a while so I don't remember why I put 7.2.  Definitely the version 7.4.1708 (Core) included below.

Thanks!

Comment 5 Yedidyah Bar David 2018-05-30 10:19:18 UTC
Please attach relevant logs and clarify where and when you get the error message.

IIUC, engine-setup never configures a firewalld service 'ovirt-vmconsole', only 'ovirt-vmconsole-proxy'.

On my CentOS 7.4 machine:

# rpm -qf /usr/lib/firewalld/services/ovirt-vmconsole.xml
firewalld-0.4.4.4-6.el7.noarch

Which firewalld do you have installed?

Comment 6 John Boero 2018-06-11 11:28:24 UTC
Sorry I've just re-tried this and the repo has been updated with latest ovirt-vmconsole.  I think it was just a temporary repo issue strangely.  Seems OK now.

Mrking closed

Comment 7 Yedidyah Bar David 2018-06-12 06:04:22 UTC
Well, still no idea what the problem was, but thanks for the report anyway :-)

If it happens again, please provide more details. Thanks.


Note You need to log in before you can comment on or make changes to this bug.