Bug 795061 - [vdsm] bootstrap script setups up invalid iptables rules
Summary: [vdsm] bootstrap script setups up invalid iptables rules
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-core
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: lpeer
QA Contact:
URL:
Whiteboard: infra
Depends On:
Blocks:
Reported: 2012-02-19 02:02 UTC by Andrew Cathrow
Modified: 2014-09-07 22:54 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-13 08:12:22 UTC
oVirt Team: ---
Embargoed:



Description Andrew Cathrow 2012-02-19 02:02:17 UTC
Tested in stable tree. 

vdsm-bootstrap-4.9.3.3-0.fc16
ovirt-engine-dbscripts-3.0.0_0001-1.6

The issue is in ./usr/share/ovirt-engine/dbscripts/upgrade/03_00_0390_add_firewall_rules_option.sql, which is creating an incorrect iptables config file.

The first problem is critical.

We are setting
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT -reject-with icmp-host-prohibited

-vs-

-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

That's invalid and the iptables service fails to start.

/var/log/messages shows
iptables: Applying firewall rules: iptables-restore v1.4.12: physdev: option "--physdev-is-bridged" cannot be inverted.

Second issue - we're opening the port for libvirt-tls to the outside - that port shouldn't be open externally.
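The inversion the report's log line complains about can be caught before iptables-restore runs. The following is an added example, not code from the bug report or from oVirt: it lints an iptables-restore file for "! --physdev-is-bridged" and rewrites that rule so the intended policy (accept bridged forwards, reject the rest) is kept without the inversion. The rewrite assumes FORWARD holds only the two rules quoted above; the sample rule set is constructed.

```python
import re

# Per the /var/log/messages line in the report, iptables-restore 1.4.12 refuses
# to invert this physdev option. Only the option named on the page is listed.
NON_INVERTIBLE = {"--physdev-is-bridged"}

# "!" followed by a long option, e.g. "! --physdev-is-bridged".
INVERTED = re.compile(r"!\s+(--[\w-]+)")


def find_invalid_inversions(rules):
    """Return (line_number, option) for every rule that inverts an option
    the physdev match does not allow to be inverted."""
    hits = []
    for lineno, line in enumerate(rules.splitlines(), 1):
        for opt in INVERTED.findall(line):
            if opt in NON_INVERTIBLE:
                hits.append((lineno, opt))
    return hits


def rewrite_without_inversion(rules):
    """Express "reject non-bridged forwards" without "!": the ACCEPT for bridged
    traffic is inserted at the top of FORWARD (-I), so the inverted REJECT can
    become a plain catch-all appended (-A) after it. Only valid if no other
    FORWARD rules sit between the two (assumption for this example)."""
    out = []
    for line in rules.splitlines():
        if "! --physdev-is-bridged" in line:
            # Drop the match clause; keep the chain, target and reject type.
            line = re.sub(r"\s*-m physdev\s+!\s+--physdev-is-bridged", "", line)
        out.append(line)
    return "\n".join(out)


# Constructed sample mirroring the two FORWARD rules quoted in the bug.
SAMPLE = """*filter
-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":
    for lineno, opt in find_invalid_inversions(SAMPLE):
        print(f"line {lineno}: {opt} cannot be inverted")
    print(rewrite_without_inversion(SAMPLE))
```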

Comment 1 Dan Kenigsberg 2012-02-19 09:22:54 UTC
As mentioned above, default iptables is controlled by ovirt-engine. Changing component.

Note that opening libvirt-tls is required to enable migration (PEER2PEER).

Comment 2 Andrew Cathrow 2012-02-19 23:47:56 UTC
(In reply to comment #1)
> As mentioned above, default iptables is controlled by ovirt-engine. changing
> component.
> 
> Note that opening libvirt-tls is required to enable migration (PEER2PEER).

Does opening libvirt-tls also allow for remote libvirt management?

Comment 3 Dan Kenigsberg 2012-02-20 07:26:59 UTC
(In reply to comment #2)
> 
> Does opening libvirt-tls also allow for remote libvirt management?

If you own a RHEV-M-certified private key, the answer is yes.

Comment 4 Doron Fediuck 2012-03-26 09:18:11 UTC
Just adding that we got the initial config the engine has today from vdsm as a simple default.
We can update it if we get an updated policy.
Who can provide us the relevant configuration?

Comment 5 Itamar Heim 2012-12-13 08:12:22 UTC
Closing old bugs. If this issue is still relevant/important in current version, please re-open the bug.
