Bug 1843882 - network interface not added to public firewalld zone until host reboot
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.3.9
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: ovirt-4.4.5
Assignee: Dana
QA Contact: Petr Matyáš
URL:
Whiteboard:
Depends On: 1853906
Blocks:
Reported: 2020-06-04 11:31 UTC by Juan Orti
Modified: 2023-10-06 20:25 UTC (History)

Fixed In Version: ovirt-engine-4.4.5
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-04-14 11:39:56 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 5128711 0 None None None 2020-06-04 11:31:38 UTC
Red Hat Product Errata RHSA-2021:1169 0 None None None 2021-04-14 11:40:29 UTC

Description Juan Orti 2020-06-04 11:31:39 UTC
Description of problem:
After changing a cluster firewall type to firewalld and reinstalling a host to apply the change, the network interfaces are not in the "public" firewalld zone until the host is rebooted.

One problem detected because of this is that the playbook to re-deploy hosted-engine fails in the task "Get active list of active firewalld zones".

I'm not sure if this has other functional or security-related implications.

Version-Release number of selected component (if applicable):
ovirt-engine-4.3.9.4-11.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Have RHV 4.2 cluster with firewall type 'iptables'.
2. Upgrade it to RHV 4.3, raise CL to 4.3
3. Change firewall type to 'firewalld'
4. Put one host into maintenance
5. Host -> Installation -> Reinstall. "Automatically configure host firewall" checked.

Actual results:
After the host reinstallation, firewalld is configured, but the interfaces are not assigned to the public zone.

# firewall-cmd --get-active-zones

# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client cockpit vdsm libvirt glusterfs libvirt-tls snmp ovirt-imageio ovirt-vmconsole
  ports: 16514/tcp 22/tcp 6081/udp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


After rebooting the host, the interfaces are correctly assigned:

# firewall-cmd --get-active-zones
public
  interfaces: ovirtmgmt eth0

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ovirtmgmt eth0
  sources: 
  services: ssh dhcpv6-client cockpit vdsm libvirt glusterfs libvirt-tls snmp ovirt-imageio ovirt-vmconsole
  ports: 16514/tcp 22/tcp 6081/udp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Expected results:
The interfaces are added to the zone in the runtime configuration.

Additional info:
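
A check for the condition in this report, added here as an example (not part of the original bug report or of ovirt-engine): it parses `firewall-cmd --get-active-zones` output and lists the expected interfaces that have no zone binding. The function names and the expected interface list (ovirtmgmt and eth0, taken from the post-reboot output above) are assumptions; on a host, pass "$(firewall-cmd --get-active-zones)" as the first argument.

```shell
#!/bin/sh
# Added example: find expected interfaces that are not bound to any
# active firewalld zone, using the --get-active-zones text format.

# zone_bindings: read `firewall-cmd --get-active-zones` output on stdin
# and print one "interface zone" pair per line.
zone_bindings() {
    awk '
        /^[^ \t]/ { zone = $1; next }        # unindented line: zone name
        $1 == "interfaces:" {                # indented line: bound interfaces
            for (n = 2; n <= NF; n++) print $n, zone
        }
    '
}

# unbound_interfaces OUTPUT IFACE...
# Print each IFACE that has no zone binding in OUTPUT, one per line.
unbound_interfaces() {
    output=$1; shift
    bindings=$(printf '%s\n' "$output" | zone_bindings)
    for iface in "$@"; do
        printf '%s\n' "$bindings" |
            awk -v want="$iface" '$1 == want { found = 1 } END { exit !found }' ||
            printf '%s\n' "$iface"
    done
}

# Sample inputs, copied from the two --get-active-zones outputs in this report.
BEFORE_REBOOT=''
AFTER_REBOOT='public
  interfaces: ovirtmgmt eth0'

# Demo on the samples; a non-empty list means the host is in the reported state.
echo "before reboot, unbound: $(unbound_interfaces "$BEFORE_REBOOT" ovirtmgmt eth0 | tr '\n' ' ')"
echo "after reboot, unbound: $(unbound_interfaces "$AFTER_REBOOT" ovirtmgmt eth0 | tr '\n' ' ')"
```
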

Comment 4 Guilherme Santos 2021-01-31 17:42:00 UTC
Hi Dana, is this guy fixed? There is no patch linked.

Comment 5 Dana 2021-02-01 07:21:05 UTC
Hi, yes
The bug that this issue was depending on was fixed, and there are no further changes that need to be done

Comment 7 Petr Matyáš 2021-02-12 12:59:28 UTC
Tested on ovirt-engine-4.4.5.5-0.13.el8ev.noarch

Option to reboot a host after install/reinstall was added and is currently checked by default.

Comment 13 errata-xmlrpc 2021-04-14 11:39:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] security, bug fix, enhancement), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1169

