
Bug 560558

Summary: Cluster Documentation is not detailed enough in explaining how to add suitable rules to allow multicast traffic for cluster communication
Product: Red Hat Enterprise Linux 5
Reporter: Michael Kearey <mkearey>
Component: Documentation-cluster
Assignee: Steven J. Levine <slevine>
Status: CLOSED CURRENTRELEASE
QA Contact: ecs-bugs
Severity: medium
Priority: low
Version: 5.5
CC: cevich, iannis, jskeoch, lhh, mhideo, sdubrowin, slevine, wmealing
Keywords: Documentation
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-07-25 13:19:41 UTC
Bug Blocks: 717006
Deadline: 2011-06-14

Description Michael Kearey 2010-02-01 06:49:12 UTC
Description of problem:
Documentation fails to explain in detail traffic that must be allowed in a Netfilter/iptables firewall.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
Read documentation with a view to determine the exact ports and traffic types that need to be allowed via an IPtables firewall.
Actual results:
The documentation mentions:

* "For RHEL 5.1 and later, rgmanager does not use TCP or UDP sockets." from http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Cluster_Administration/s1-iptables-CA.html#s2-iptables-clnodes-CA.

However, it doesn't say exactly what to let through IPTables!

Expected results:
The documentation needs to explicitly state the traffic type and ports, and include an example rule to add to allow the multicast traffic.

Additional info:

This link: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Cluster_Administration/s1-multicast-considerations-CA.html says you need multicast.

This link: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Cluster_Administration/s1-iptables-CA.html#s2-iptables-clnodes-CA says what ports you need.

It would be helpful to provide an example like:

-A <whatever> -s 224.0.0.1 -m addrtype --src-type MULTICAST -j ACCEPT

Comment 3 RHEL Program Management 2010-08-09 18:17:16 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 4 Steven J. Levine 2011-06-02 18:11:25 UTC
I'm reassigning this to me since it is now my document.

Comment 7 Steven J. Levine 2011-06-08 16:50:34 UTC
Lon: I'm putting this in NEEDINFO because on this bug I need some help.

Is there somebody who can look over this bug with me and help me figure out what I need to provide?  I'm not really sure what would address this issue.

Comment 8 Lon Hohberger 2011-06-22 20:42:06 UTC
I believe the following is all that is required:

openais [corosync on RHEL6]:
  iptables -I INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT

ricci:
  iptables -I INPUT -p tcp -m state --state NEW -m multiport --dports 11111 -j ACCEPT

modcluster:
  iptables -I INPUT -p tcp -m state --state NEW -m multiport --dports 16851 -j ACCEPT

gnbd [deprecated; not present on RHEL6]:
  iptables -I INPUT -p tcp -m state --state NEW -m multiport --dports 14567 -j ACCEPT

luci:
  iptables -I INPUT -p tcp -m state --state NEW -m multiport --dports 8084 -j ACCEPT

DLM:
  iptables -I INPUT -p tcp -m state --state NEW -m multiport --dports 21064 -j ACCEPT

Run 'service iptables save ; service iptables restart'

There is no special consideration at all for rgmanager on RHEL5 or RHEL6; it uses ports 5404/5405
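
A way to check a saved ruleset against the ports listed in Comment 8, as an added example that is not part of the bug report or of Red Hat's documentation. The function names and the sample ruleset are assumptions made for illustration; the input is text in the format printed by `iptables-save`.

```python
# Added example: audit iptables-save text for the ports listed in Comment 8.
# Limits: INPUT chain only; rule order, -s/-i matches and jumps are ignored.
# Per-service ports from Comment 8 (gnbd omitted: marked deprecated there).
REQUIRED = {
    "openais": ("udp", [5404, 5405]),
    "ricci": ("tcp", [11111]),
    "modcluster": ("tcp", [16851]),
    "luci": ("tcp", [8084]),
    "DLM": ("tcp", [21064]),
}

def expand(spec):
    """Expand '5404,5405' or '5404:5405' (open ends allowed) to a port set."""
    ports = set()
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        last = int(hi or 65535) if sep else int(lo)
        ports.update(range(int(lo or 0), last + 1))
    return ports

def accepted(ruleset):
    """Return the (proto, port) pairs named by INPUT ACCEPT rules."""
    allowed = set()
    for line in ruleset.splitlines():
        tok = line.split()
        ok = tok[:2] == ["-A", "INPUT"] and tok[-2:] == ["-j", "ACCEPT"]
        if not ok or "-p" not in tok or "!" in tok:
            continue  # other chain/target, no protocol, or negated match
        proto = tok[tok.index("-p") + 1]
        for flag in ("--dport", "--dports"):
            if flag in tok:
                allowed |= {(proto, p) for p in expand(tok[tok.index(flag) + 1])}
    return allowed

def missing(ruleset):
    """Map service -> required ports that no INPUT ACCEPT rule names."""
    have = accepted(ruleset)
    gaps = {n: [p for p in ports if (proto, p) not in have]
            for n, (proto, ports) in REQUIRED.items()}
    return {n: p for n, p in gaps.items() if p}

# Constructed sample ruleset: luci and DLM are deliberately not covered.
SAMPLE = """\
-A INPUT -p udp -m state --state NEW -m multiport --dports 5404,5405 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11111 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 16851,21000:21063 -j ACCEPT
"""
if __name__ == "__main__":
    print(missing(SAMPLE))
```

An empty result means every listed port is named by some INPUT ACCEPT rule; it does not show that an earlier rule or a source restriction leaves the port reachable between cluster nodes.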