Bug 857496
| Summary: | AIO: installer needs to open ports for guest consoles | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Pavel Stehlik <pstehlik> |
| Component: | ovirt-engine-setup | Assignee: | Alon Bar-Lev <alonbl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Pavel Stehlik <pstehlik> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 3.1.0 | CC: | alonbl, alourie, bazulay, dyasny, iheim, mgoldboi, Rhev-m-bugs, sgrinber, ykaul |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | integration | ||
| Fixed In Version: | si21 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-12-04 20:01:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Hello Pavel,

I used the following rules:
---
# guest consoles
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m multiport --dports 49152:49216 -j ACCEPT
---

I think they should be better than what was proposed in comment#0.

commit 11fe6de266b0fb6b64a1f40faa96a9c1edd74363
Author: Alon Bar-Lev <alonbl>
Date: Fri Oct 5 01:48:24 2012 +0200
packaging: open up firewall rules for console and migration in aio mode
These ports are required for proper application use.
Change-Id: Id2fb5346eaf8c800952df28657df701911586faa
Signed-off-by: Alon Bar-Lev <alonbl>
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=857496
http://gerrit.ovirt.org/#/c/8374/
commit 6902899c8f0d6376b35e35e01e3f8b5161ec163c
Author: Alon Bar-Lev <alonbl>
Date: Fri Oct 5 01:55:59 2012 +0200
packaging: cleanup _configIptables
1. use template file, do not search for comments.
2. remove code duplications.
3. handle files correctly.
4. misc cleanups.
Change-Id: Ic08891752b537ea04c56e8aef2040cc5e89cbea3
Signed-off-by: Alon Bar-Lev <alonbl>
http://gerrit.ovirt.org/#/c/8373/
Merged upstream:
http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=8358cd7f5e291344038efefea07f6b8121d6f4e5
http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=commit;h=7d473cd0ba5ff4f2a03274901e01d0ae7c781bdb

Merged downstream,
https://gerrit.eng.lab.tlv.redhat.com/gitweb?p=ovirt-engine.git;a=commit;h=ea85805b2d1366b0be7e826a9f550ab304310d73
https://gerrit.eng.lab.tlv.redhat.com/gitweb?p=ovirt-engine.git;a=commit;h=20ce060af60b1fdcf2685bd576765b817fb61319

ok - si24.2
Description of problem:
After AIO installation, these rules are missing:

# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT

Version-Release number of selected component (if applicable):
si18

How reproducible:
100%

Steps to Reproduce:
1. install rhevm with a-i-o plugin
2. create VM & try to connect via SPICE
3.

Actual results:
[root@slot-7 ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
41701 29M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 40903 packets, 22M bytes)
pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
32774 17M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
8043 13M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
11 660 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
663 39780 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:111
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:111
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:892
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:892
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:875
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:875
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:662
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:662
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:2049
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:32803
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:32769
210 15670 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Expected results:
+ these:
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 5634:6166
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 49152:49216

Additional info:
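
In the listing above, INPUT jumps to RH-Firewall-1-INPUT, which ends in a REJECT for all traffic, so the position of the new ACCEPT rules decides whether they ever match. The following Python sketch is an added example, not part of the bug report or of ovirt-engine-setup: a first-match evaluator run over a constructed, abbreviated copy of that ruleset. The names `parse`, `port_ok`, `verdict`, `APPENDED_TO_INPUT` and `IN_CHAIN`, the `eth0` interface and the placement ahead of the REJECT are assumptions.

```python
import shlex
# Constructed iptables-save style ruleset, abbreviated from the listing in this report.
BASE = """\
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
REJECT = "-A RH-Firewall-1-INPUT -j REJECT"
NEW_RULES = """\
# guest consoles
-A {0} -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A {0} -p tcp -m multiport --dports 49152:49216 -j ACCEPT
"""
# Rules appended to INPUT, i.e. after the jump into RH-Firewall-1-INPUT.
APPENDED_TO_INPUT = BASE + NEW_RULES.format("INPUT")
# Assumption: the same rules placed in RH-Firewall-1-INPUT ahead of its final REJECT.
IN_CHAIN = BASE.replace(REJECT, NEW_RULES.format("RH-Firewall-1-INPUT") + REJECT)

def parse(text):
    """Group '-A' lines by chain, keeping rule order; options become a dict."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "-A":  # every option used here takes one value
            chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return chains

def port_ok(spec, port):
    """True if port is inside a '22' or '5634:6166,49152:49216' style spec."""
    ranges = (p.partition(":") for p in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def verdict(chains, port, chain="INPUT", iface="eth0"):
    """First-match verdict for a NEW inbound TCP packet to `port`."""
    for r in chains.get(chain, []):
        spec = r.get("--dport") or r.get("--dports")
        if (r.get("-i", iface) != iface or r.get("-p", "tcp") not in ("tcp", "all")
                or "NEW" not in r.get("--state", "NEW").split(",")
                or (spec and not port_ok(spec, port))):
            continue  # rule does not match this packet
        if r["-j"] in ("ACCEPT", "REJECT", "DROP"):
            return r["-j"]
        sub = verdict(chains, port, r["-j"], iface)  # jump into a user-defined chain
        if sub:
            return sub
    return "ACCEPT" if chain == "INPUT" else None  # INPUT policy is ACCEPT in the listing
```

Calling `verdict(parse(APPENDED_TO_INPUT), 5900)` and `verdict(parse(IN_CHAIN), 5900)` compares the two placements for a port inside the console range; 5900 is a constructed sample value.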