Tested in stable tree.

vdsm-bootstrap-4.9.3.3-0.fc16
ovirt-engine-dbscripts-3.0.0_0001-1.6

The issue is in ./usr/share/ovirt-engine/dbscripts/upgrade/03_00_0390_add_firewall_rules_option.sql, which is creating an incorrect iptables config file.

First problem is critical. We are setting

-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited

-vs-

-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

That's invalid and the iptables service fails to start. /var/log/messages shows:

iptables: Applying firewall rules: iptables-restore v1.4.12: physdev: option "--physdev-is-bridged" cannot be inverted.

Second issue - we're opening the port for libvirt-tls to the outside - that port shouldn't be open externally.
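A static check for the two problems this report describes, written as an added example for this thread (it is not oVirt, vdsm or engine code). It lints an iptables-restore file before it is applied: it flags an option inverted with "!" that iptables refuses to invert (the report's own error message names --physdev-is-bridged), and it flags an INPUT rule that accepts the libvirt TLS port from any source. The rules file below is constructed for the example and mirrors the rules quoted in the report; the port number 16514 is an assumption taken from libvirtd's well-known default TLS listener, since the report only names the service as libvirt-tls.

```python
"""Static lint for an iptables-restore file (constructed example, not oVirt/vdsm code).

Two checks, matching the report:
  1. an option inverted with '!' that iptables refuses to invert
     (iptables-restore's own wording: 'cannot be inverted');
  2. an INPUT rule that accepts the libvirt TLS port from any source.
"""
import shlex

# Options the physdev match refuses to invert; the report's error line names
# --physdev-is-bridged. Extend this set as other match modules are reviewed.
NON_INVERTIBLE = {"--physdev-is-bridged"}

# Assumption: libvirtd's TLS listener is on its well-known default port.
LIBVIRT_TLS_PORT = "16514"


def tokens_of(line):
    """Split one iptables-restore rule line into argv-style tokens."""
    return shlex.split(line, comments=True)


def check_inversion(lineno, toks):
    """Report '! --opt' where --opt cannot be inverted."""
    findings = []
    for i, tok in enumerate(toks):
        if tok == "!" and i + 1 < len(toks) and toks[i + 1] in NON_INVERTIBLE:
            opt = toks[i + 1]
            findings.append((lineno, f'option "{opt}" cannot be inverted'))
    return findings


def has_flag_value(toks, flags, value):
    """True if any of `flags` appears in toks followed by `value`."""
    return any(t in flags and i + 1 < len(toks) and toks[i + 1] == value
               for i, t in enumerate(toks))


def check_libvirt_exposure(lineno, toks):
    """Report an INPUT ACCEPT of the libvirt TLS port with no source or
    interface restriction, i.e. the port is reachable from outside."""
    if len(toks) < 2 or toks[0] not in ("-A", "-I") or toks[1] != "INPUT":
        return []
    if not has_flag_value(toks, {"--dport", "--destination-port"}, LIBVIRT_TLS_PORT):
        return []
    if not has_flag_value(toks, {"-j", "--jump"}, "ACCEPT"):
        return []
    restricted = any(t in {"-s", "--source", "-i", "--in-interface"} for t in toks)
    if restricted:
        return []
    return [(lineno, f"INPUT accepts tcp/{LIBVIRT_TLS_PORT} (libvirt-tls) from any source")]


def lint_rules(text):
    """Return [(line_number, message), ...] for every finding in the file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Table headers, chain policies, COMMIT and comments carry no rule.
        if not line or line.startswith(("#", "*", ":", "COMMIT")):
            continue
        toks = tokens_of(line)
        findings += check_inversion(lineno, toks)
        findings += check_libvirt_exposure(lineno, toks)
    return findings


# Constructed rules file: the two rules quoted in the report, plus a
# source-restricted variant of the libvirt-tls rule for contrast.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 16514 -j ACCEPT
-A INPUT -s 192.0.2.10 -p tcp --dport 16514 -j ACCEPT
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for lineno, msg in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {msg}")
```

Run against the constructed file it reports line 7 (libvirt-tls open to any source) and line 9 (the inverted physdev option); the source-restricted rule on line 8 and the non-inverted FORWARD rule on line 10 pass. Running such a check in the pipeline that generates the rules file catches the invalid rule before iptables-restore rejects the whole file and leaves the host without its firewall.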
As mentioned above, default iptables is controlled by ovirt-engine. Changing component.

Note that opening libvirt-tls is required to enable migration (PEER2PEER).
(In reply to comment #1)
> As mentioned above, default iptables is controlled by ovirt-engine. changing
> component.
>
> Note that opening libvirt-tls is required to enable migration (PEER2PEER).

Does opening libvirt-tls also allow for remote libvirt management?
(In reply to comment #2)
> Does opening libvirt-tls also allow for remote libvirt management?

If you own a RHEV-M-certified private key, the answer is yes.
Just adding that we got the initial config the engine has today from vdsm as a simple default. We can update it if we get an updated policy. Who can provide us with the relevant configuration?
Closing old bugs. If this issue is still relevant/important in current version, please re-open the bug.