Description of problem:
There is still support for iptables in 4.3, even though it's deprecated. So these below may need some re-wording/updating.

Both 4.3.z and master:

$ grep IPTablesConfig packaging/etc/engine-config/engine-config.properties
IPTablesConfig.description="iptables configuration. WARNING: iptables firewall on hosts is deprecated in 4.2 and will be completely removed in 4.3"
IPTablesConfigSiteCustom.description="iptables site custom configuration, appended to IPTablesConfig. WARNING: iptables firewall on hosts is deprecated in 4.2 and will be completely removed in 4.3"

# rpm -q rhvm
rhvm-4.3.3.7-0.1.el7.noarch

# engine-config -g IPTablesConfig
IPTablesConfig: # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# vdsm
-A INPUT -p tcp --dport @VDSM_PORT@ -j ACCEPT
# ovirt-imageio-daemon
-A INPUT -p tcp --dport 54322 -j ACCEPT
# rpc.statd
-A INPUT -p tcp --dport 111 -j ACCEPT
-A INPUT -p udp --dport 111 -j ACCEPT
# SSH
-A INPUT -p tcp --dport @SSH_PORT@ -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
# Cockpit
-A INPUT -p tcp --dport 9090 -j ACCEPT
@CUSTOM_RULES@
# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT version: general
Let's change the warnings to say that "IPTables may be removed in next version". When we decide to drop that support, it will be announced in the release notes and we will also fail the upgrade to that version if IPTables are still configured.
When we officially deprecate this feature, the upgrade helper will need updating. Does it need to be changed as part of this bz?
(In reply to Peter Lauterbach from comment #2)
> When we officially deprecate this feature, the upgrade helper will need
> updating. Does it need to be changed as part of this bz?

No, we can add a check to the upgrade helper later, when we really decide to drop the support for iptables.
During update of engine (4.3.5 to 4.3.6 (ovirt-engine-4.3.6.5-0.1.el7.noarch)):

Setup can automatically configure the firewall on this system.
Note: automatic configuration of the firewall may overwrite current settings.
NOTICE: iptables is deprecated and will be removed in future releases

# engine-config -l | grep -i iptables
IPTablesConfig: "iptables configuration. WARNING: iptables firewall on hosts is deprecated in 4.2 and may be removed in upcoming version." (Value Type: String)
IPTablesConfigSiteCustom: "iptables site custom configuration, appended to IPTablesConfig. WARNING: iptables firewall on hosts is deprecated in 4.2 and may be removed in upcoming version." (Value Type: String)
INFO: Bug status (VERIFIED) wasn't changed but the following should be fixed:

[Tag 'ovirt-engine-4.3.5.6' doesn't contain patch 'https://gerrit.ovirt.org/103028']
gitweb: https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=shortlog;h=refs/tags/ovirt-engine-4.3.5.6

For more info please contact: rhv-devops
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2019:3010