Description of problem:
After changing a cluster firewall type to firewalld and reinstalling a host to apply the change, the network interfaces are not in the "public" firewalld zone until the host is rebooted.
One problem detected because of this is that the playbook to re-deploy hosted-engine fails in the task "Get active list of active firewalld zones". I'm not sure if this has other functional or security related implications.

Version-Release number of selected component (if applicable):
ovirt-engine-4.3.9.4-11.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Have RHV 4.2 cluster with firewall type 'iptables'.
2. Upgrade it to RHV 4.3, raise CL to 4.3
3. Change firewall type to 'firewalld'
4. Put one host into maintenance
5. Host -> Installation -> Reinstall. "Automatically configure host firewall" checked.

Actual results:
After the host reinstallation, firewalld is configured, but the interfaces are not assigned to the public zone.

# firewall-cmd --get-active-zones
# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client cockpit vdsm libvirt glusterfs libvirt-tls snmp ovirt-imageio ovirt-vmconsole
  ports: 16514/tcp 22/tcp 6081/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

After rebooting the host, the interfaces are correctly assigned:

# firewall-cmd --get-active-zones
public
  interfaces: ovirtmgmt eth0
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ovirtmgmt eth0
  sources:
  services: ssh dhcpv6-client cockpit vdsm libvirt glusterfs libvirt-tls snmp ovirt-imageio ovirt-vmconsole
  ports: 16514/tcp 22/tcp 6081/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Expected results:
The interfaces added to the zone in the runtime configuration.

Additional info:
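The state described in this report can be detected by comparing the output of `firewall-cmd --get-active-zones` with the interfaces the host is expected to have zoned. The shell function below is an added example, not part of the original report or of oVirt; the helper names `unzoned_ifaces` and `report` are hypothetical, and the two sample outputs are constructed from the outputs quoted above.

```shell
#!/bin/sh
# Added example. unzoned_ifaces is a hypothetical helper name.
#   $1    text printed by `firewall-cmd --get-active-zones`
#   $2..  interfaces expected to belong to an active zone
# Prints the interfaces that no active zone lists; returns 1 if there are any.
unzoned_ifaces() {
    zones_out=$1
    shift
    # Collect every name that appears on an "interfaces:" line of any zone.
    zoned=$(printf '%s\n' "$zones_out" |
        awk '$1 == "interfaces:" { for (i = 2; i <= NF; i++) print $i }')
    missing=""
    for ifc in "$@"; do
        # -x -F: exact whole-line match, so "eth0" does not match "eth01".
        if ! printf '%s\n' "$zoned" | grep -qxF -- "$ifc"; then
            missing="${missing:+$missing }$ifc"
        fi
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed samples modelled on the two outputs quoted in the report:
# empty output after reinstall, populated output after reboot.
BEFORE_REBOOT=''
AFTER_REBOOT='public
  interfaces: ovirtmgmt eth0'

# Hypothetical wrapper: $1 = label, $2 = captured get-active-zones output.
report() {
    if miss=$(unzoned_ifaces "$2" ovirtmgmt eth0); then
        echo "$1: every expected interface is in an active zone"
    else
        echo "$1: not in any active zone: $miss"
    fi
}

report "after reinstall" "$BEFORE_REBOOT"
report "after reboot" "$AFTER_REBOOT"

# On a live host the first argument would come from firewalld itself:
#   unzoned_ifaces "$(firewall-cmd --get-active-zones)" ovirtmgmt eth0
```

The non-zero return status lets the check gate a post-install step or a monitoring probe.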
Hi Dana, is this guy fixed? There is no patch linked.
Hi, yes. The bug that this issue was depending on was fixed, and there are no further changes that need to be done.
Tested on ovirt-engine-4.4.5.5-0.13.el8ev.noarch
Option to reboot a host after install/reinstall was added and is currently checked by default.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] security, bug fix, enhancement), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:1169