Bug 857496 - AIO: installer needs to open ports for guest consoles
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-setup
Version: 3.1.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Assigned To: Alon Bar-Lev
QA Contact: Pavel Stehlik
Whiteboard: integration
Reported: 2012-09-14 11:35 EDT by Pavel Stehlik
Modified: 2012-12-04 15:01 EST
Fixed In Version: si21
Doc Type: Bug Fix
Last Closed: 2012-12-04 15:01:42 EST
Type: Bug
Attachments: None
Description Pavel Stehlik 2012-09-14 11:35:38 EDT
Description of problem:
After installing AIO, these rules are missing:
# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
Version-Release number of selected component (if applicable):
si18

How reproducible:
100%

Steps to Reproduce:
1. install rhevm with a-i-o plugin
2. create VM & try to connect via SPICE
Actual results:
[root@slot-7 ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
41701   29M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 40903 packets, 22M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
32774   17M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255 
 8043   13M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
   11   660 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
  663 39780 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:111 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:111 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:892 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:892 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:875 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:875 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:662 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:662 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2049 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:32803 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:32769 
  210 15670 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Expected results:
+ these:
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 5634:6166 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 49152:49216

Additional info:
Comment 5 Alon Bar-Lev 2012-10-04 20:36:05 EDT
Hello Pavel,

I used the following rules:
---
# guest consoles
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m multiport --dports 5634:6166  -j ACCEPT
# migration
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m multiport --dports 49152:49216 -j ACCEPT
---

I think they should be better than what was proposed in comment #0.
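The rules in comment 5 differ from the ones in comment 0 in two ways that matter when verifying the fix: they go into the RH-Firewall-1-INPUT chain that INPUT jumps to, and they accept only NEW connections. The following checker is an added example, not code from this bug or from ovirt-engine-setup: it reads rules in iptables-save syntax and reports, for each of the two port ranges, whether an ACCEPT rule exists, whether it is restricted to --state NEW, and whether it sits before the chain's catch-all REJECT (the chain shown in this report ends with one, so a rule appended behind it is never reached). The sample rule set is constructed from the chain name and ports in this report.

```python
import re
import sys

# Constructed sample in iptables-save rule syntax, modelled on the chain and port
# ranges in this report (not captured from a host).
SAMPLE_RULES = """\
*filter
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# guest consoles
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Port ranges the AIO installer must open, as given in the report.
REQUIRED = {"guest consoles": "5634:6166", "migration": "49152:49216"}
DPORTS_RE = re.compile(r"--dports (\S+)")
STATE_NEW_RE = re.compile(r"--(?:ct)?state \S*\bNEW\b")

def check_rules(text, chain="RH-Firewall-1-INPUT"):
    """Map each required range to 'ok', 'missing', 'no-state-new' (no --state NEW
    restriction, as in comment 0) or 'after-reject' (behind the catch-all)."""
    status = {name: "missing" for name in REQUIRED}
    catch_all = re.compile(rf"-A {re.escape(chain)} -j (?:REJECT|DROP)\b")
    behind_catch_all = False
    for line in (l.strip() for l in text.splitlines()):
        if not line.startswith(f"-A {chain} "):
            continue  # comments, headers and other chains
        if catch_all.match(line):
            behind_catch_all = True  # everything after this line is unreachable
            continue
        m = DPORTS_RE.search(line)
        if not m or " -p tcp " not in line or not line.endswith("-j ACCEPT"):
            continue
        for name, ports in REQUIRED.items():
            if m.group(1) != ports or status[name] != "missing":
                continue  # first matching rule decides what the kernel does
            if behind_catch_all:
                status[name] = "after-reject"
            elif not STATE_NEW_RE.search(line):
                status[name] = "no-state-new"
            else:
                status[name] = "ok"
    return status

if __name__ == "__main__":  # pipe in `iptables-save` output, or run on the sample
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES
    print("\n".join(f"{k}: {v}" for k, v in check_rules(data).items()))
```

On a real host, `iptables-save | python3 check_aio_fw.py` (file name assumed) prints one verdict per range.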
Comment 6 Alon Bar-Lev 2012-10-04 20:46:07 EDT
commit 11fe6de266b0fb6b64a1f40faa96a9c1edd74363
Author: Alon Bar-Lev <alonbl@redhat.com>
Date:   Fri Oct 5 01:48:24 2012 +0200

    packaging: open up firewall rules for console and migration in aio mode
    
    These ports are required for proper application use.
    
    Change-Id: Id2fb5346eaf8c800952df28657df701911586faa
    Signed-off-by: Alon Bar-Lev <alonbl@redhat.com>
    Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=857496

http://gerrit.ovirt.org/#/c/8374/

commit 6902899c8f0d6376b35e35e01e3f8b5161ec163c
Author: Alon Bar-Lev <alonbl@redhat.com>
Date:   Fri Oct 5 01:55:59 2012 +0200

    packaging: cleanup _configIptables
    
    1. use template file, do not search for comments.
    2. remove code duplications.
    3. handle files correctly.
    4. misc cleanups.
    
    Change-Id: Ic08891752b537ea04c56e8aef2040cc5e89cbea3
    Signed-off-by: Alon Bar-Lev <alonbl@redhat.com>

http://gerrit.ovirt.org/#/c/8373/
Comment 10 Pavel Stehlik 2012-11-16 05:24:46 EST
ok - si24.2
