Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1718694

Summary: Fix message about removing iptables support in 4.3
Product: Red Hat Enterprise Virtualization Manager
Reporter: Germano Veit Michel <gveitmic>
Component: ovirt-engine
Assignee: Martin Necas <mnecas>
Status: CLOSED ERRATA
QA Contact: Pavol Brilla <pbrilla>
Severity: medium
Priority: medium
Version: 4.3.0
CC: lleistne, mperina, pelauter, Rhev-m-bugs
Target Milestone: ovirt-4.3.6
Keywords: ZStream
Target Release: 4.3.6
Hardware: x86_64
OS: Linux
Fixed In Version: ovirt-engine-4.3.6.5
Doc Type: No Doc Update
Last Closed: 2019-10-10 15:36:58 UTC
Type: Bug
oVirt Team: Infra

Description Germano Veit Michel 2019-06-09 23:32:35 UTC
Description of problem:

There is still support for iptables in 4.3, even though it's deprecated. So these below may need some re-wording/updating.

Both 4.3.z and master:
$ grep IPTablesConfig packaging/etc/engine-config/engine-config.properties

IPTablesConfig.description="iptables configuration. WARNING: iptables firewall on hosts is deprecated in 4.2 and will be completely removed in 4.3"
IPTablesConfigSiteCustom.description="iptables site custom configuration, appended to IPTablesConfig. WARNING: iptables firewall on hosts is deprecated in 4.2 and will be completely removed in 4.3"

# rpm -q rhvm
rhvm-4.3.3.7-0.1.el7.noarch

# engine-config -g IPTablesConfig
IPTablesConfig: 
# oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# vdsm
-A INPUT -p tcp --dport @VDSM_PORT@ -j ACCEPT
# ovirt-imageio-daemon
-A INPUT -p tcp --dport 54322 -j ACCEPT
# rpc.statd
-A INPUT -p tcp --dport 111 -j ACCEPT
-A INPUT -p udp --dport 111 -j ACCEPT
# SSH
-A INPUT -p tcp --dport @SSH_PORT@ -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
# Cockpit
-A INPUT -p tcp --dport 9090 -j ACCEPT

@CUSTOM_RULES@

# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
 version: general

Comment 1 Martin Perina 2019-07-29 14:06:30 UTC
Let's change the warnings to say that "IPTables may be removed in next version". When we decide to drop that support, it will be announced in the release notes, and we will also fail the upgrade to that version if IPTables are still configured.

Comment 2 Peter Lauterbach 2019-08-16 13:57:11 UTC
When we officially deprecate this feature, the upgrade helper will need updating. Does it need to be changed as part of this bz?

Comment 3 Martin Perina 2019-09-02 12:35:24 UTC
(In reply to Peter Lauterbach from comment #2)
> When we officially deprecate this feature, the upgrade helper will need
> updating. Does it need to be changed as part of this bz?

No, we can add a check to the upgrade helper later, when we have really decided to drop the support for iptables.

Comment 5 Pavol Brilla 2019-09-10 11:02:18 UTC
During update of engine (4.3.5 to 4.3.6 (ovirt-engine-4.3.6.5-0.1.el7.noarch)):

          Setup can automatically configure the firewall on this system.
          Note: automatic configuration of the firewall may overwrite current settings.
          NOTICE: iptables is deprecated and will be removed in future releases


# engine-config -l | grep -i iptables
IPTablesConfig: "iptables configuration. WARNING: iptables firewall on hosts is deprecated in 4.2 and may be removed in upcoming version." (Value Type: String)
IPTablesConfigSiteCustom: "iptables site custom configuration, appended to IPTablesConfig. WARNING: iptables firewall on hosts is deprecated in 4.2 and may be removed in upcoming version." (Value Type: String)

Comment 6 RHV bug bot 2019-09-25 08:46:35 UTC
INFO: Bug status (VERIFIED) wasn't changed but the following should be fixed:

[Tag 'ovirt-engine-4.3.5.6' doesn't contain patch 'https://gerrit.ovirt.org/103028']
gitweb: https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=shortlog;h=refs/tags/ovirt-engine-4.3.5.6

For more info please contact: rhv-devops

Comment 8 errata-xmlrpc 2019-10-10 15:36:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3010