Bug 988849 - edit-node does not handle firewall rules
Status: CLOSED CURRENTRELEASE
Product: oVirt
Classification: Community
Component: ovirt-node
Severity: high
Target Milestone: 3.4.0
Assigned To: Joey Boggs
QA Contact: bugs@ovirt.org
Whiteboard: node
Blocks: 918494
Reported: 2013-07-26 10:47 EDT by Mike Burns
Modified: 2014-03-31 08:32 EDT
Fixed In Version: ovirt-3.4.0-alpha1
Doc Type: Bug Fix
Last Closed: 2014-03-31 08:32:18 EDT
Type: Bug


External Trackers: oVirt gerrit 17843
Description Mike Burns 2013-07-26 10:47:03 EDT
Description of problem:
Plugins can install a file to /etc/ovirt-plugins.d containing a list of ports and protocols to open, like this:

54321,tcp

These are not currently being added to the firewall configuration.

Version-Release number of selected component (if applicable):
node-3.0.0

How reproducible:
always
Comment 1 Mike Burns 2013-07-26 10:48:25 EDT
Note: need to ignore comments in the file (lines prefixed with #).
Need to handle firewalld vs. iptables.
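The description and comment 1 together specify what the node side has to do: read the "port,protocol" entries from the plugin files, skip comment lines, and open the ports on whichever firewall backend the host runs. The following is an added example of that logic, written for this page and not ovirt-node's own implementation. It assumes the file name pattern /etc/ovirt-plugins.d/*.firewall (the name used in comment 11), that "#" starts a comment anywhere on a line, that the backend is chosen by asking systemd whether firewalld is active, and that an iptables host persists rules with an el6-style "service iptables save"; the second port in the sample file is constructed for illustration.

```python
"""Parse oVirt-node plugin firewall files and emit the matching firewall commands.

Added example, not ovirt-node's own code. Assumptions: each *.firewall file
under /etc/ovirt-plugins.d holds one "port,protocol" entry per line (format
from the bug description), '#' introduces a comment and blank lines are
ignored (comment 1); the backend is picked by asking systemd whether firewalld
is active, otherwise plain iptables is used.
"""
import glob
import os
import subprocess
from typing import List, Tuple

PLUGIN_DIR = "/etc/ovirt-plugins.d"
VALID_PROTOCOLS = ("tcp", "udp")

# Constructed sample modelled on vdsm-plugin.firewall from comment 11, with a
# blank line, an indented comment and a second (assumed) port added to
# exercise the parser.
SAMPLE_FIREWALL_FILE = """\
#ports and protocols that vdsm needs opened
54321,tcp

    # indented comment, must also be skipped
16514,tcp
"""

Rule = Tuple[str, str]   # (port, protocol)


def parse_firewall_rules(text: str) -> List[Rule]:
    """Return the (port, protocol) pairs in one file, skipping comments and blank
    lines and rejecting malformed entries rather than opening the wrong port."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # whole-line and trailing comments
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 2:
            raise ValueError("line %d: expected 'port,protocol', got %r" % (lineno, raw))
        port, proto = fields[0], fields[1].lower()
        if proto not in VALID_PROTOCOLS:
            raise ValueError("line %d: unsupported protocol %r" % (lineno, proto))
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError("line %d: invalid port %r" % (lineno, port))
        rule = (port, proto)
        if rule not in rules:               # a port listed twice is opened once
            rules.append(rule)
    return rules


def is_valid_rule_file(text: str) -> bool:
    """True when the file parses cleanly; lets a caller reject a bad plugin file early."""
    try:
        parse_firewall_rules(text)
        return True
    except ValueError:
        return False


def load_plugin_rules(plugin_dir: str = PLUGIN_DIR) -> List[Rule]:
    """Collect rules from every *.firewall file in plugin_dir (sorted for a stable order)."""
    rules: List[Rule] = []
    for path in sorted(glob.glob(os.path.join(plugin_dir, "*.firewall"))):
        with open(path) as fh:
            for rule in parse_firewall_rules(fh.read()):
                if rule not in rules:
                    rules.append(rule)
    return rules


def firewalld_active() -> bool:
    """Assumption: a host running firewalld reports it active to systemd."""
    try:
        return subprocess.run(["systemctl", "is-active", "--quiet", "firewalld"]).returncode == 0
    except FileNotFoundError:               # no systemctl at all: treat as an iptables host
        return False


def commands_for(rules: List[Rule], backend: str) -> List[List[str]]:
    """Build the argv lists that open each rule on the chosen backend.

    firewalld: permanent --add-port entries plus one --reload so the running and
    saved configuration agree.  iptables: -I INPUT ACCEPT rules plus
    'service iptables save' (assumed el6 init script writing /etc/sysconfig/iptables).
    """
    if backend not in ("firewalld", "iptables"):
        raise ValueError("unknown backend %r" % backend)
    cmds: List[List[str]] = []
    for port, proto in rules:
        if backend == "firewalld":
            cmds.append(["firewall-cmd", "--permanent", "--add-port=%s/%s" % (port, proto)])
        else:
            cmds.append(["iptables", "-I", "INPUT", "-p", proto, "--dport", port, "-j", "ACCEPT"])
    if rules:
        cmds.append(["firewall-cmd", "--reload"] if backend == "firewalld"
                    else ["service", "iptables", "save"])
    return cmds


def apply_plugin_rules(plugin_dir: str = PLUGIN_DIR, dry_run: bool = True) -> List[List[str]]:
    """Entry point: parse, pick the backend, then run (or just return) the commands."""
    backend = "firewalld" if firewalld_active() else "iptables"
    cmds = commands_for(load_plugin_rules(plugin_dir), backend)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    print(parse_firewall_rules(SAMPLE_FIREWALL_FILE))
    for cmd in apply_plugin_rules():
        print(" ".join(cmd))
```

Run as root with dry_run=False to actually apply; the default only prints what would be executed, which is the form to use when reviewing what a new plugin file will open. Failing closed on a malformed line is deliberate: a plugin file that cannot be parsed should abort the run rather than silently open a partial or wrong set of ports.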
Comment 2 Alon Bar-Lev 2013-08-06 18:42:33 EDT
ovirt-host-deploy sets iptables rules specified by engine.

We are not ready for firewalld at host side.
Comment 3 Alon Bar-Lev 2013-08-06 18:57:28 EDT
(In reply to Alon Bar-Lev from comment #2)
> ovirt-host-deploy sets iptables rules specified by engine.
> 
> We are not ready for firewalld at host side.

Need to correct... ovirt-engine does not support firewalld but only iptables, and this is what it sends to ovirt-host-deploy (otopi).

otopi supports firewalld... but engine should use that feature.
Comment 4 Joey Boggs 2013-08-08 13:49:42 EDT
http://gerrit.ovirt.org/17843

handles both iptables and firewalld
Comment 5 Alon Bar-Lev 2013-08-08 14:05:34 EDT
I am unsure how this change solves the problem.

As I wrote in comment #3, ovirt-engine does not support firewalld; it will configure the machine using iptables.

In the future, when ovirt-engine supports firewalld, it will configure firewalld during host-deploy, and the plugin will be a simple registration notification, nothing more.
Comment 6 Joey Boggs 2013-08-08 16:24:54 EDT
ovirt-node has had firewalld support since F18; what was being done in the F18 timeframe with ovirt-host-deploy to make it work?

I can open the ports that ovirt-host-deploy would do in the base image but the patch will work for other plugins that don't expect to manage firewalld/iptables.

Are you asking to revert back to just iptables or can we meet in the middle and open necessary ports?
Comment 7 Alon Bar-Lev 2013-08-08 16:33:03 EDT
(In reply to Joey Boggs from comment #6)
> ovirt-node had firewalld support since F18, what was being done in F18
> timeframe with ovirt-host-deploy to make it work?

There was no RFE for ovirt-engine, as far as I know, to support firewalld. The fact that ovirt-node reverted this as a standalone component without synchronization is not correct.

> I can open the ports that ovirt-host-deploy would do in the base image but
> the patch will work for other plugins that don't expect to manage
> firewalld/iptables.

The ports to be opened are set by the engine and not by the deploy process. If we want to have it set by the node, we should modify the engine not to push iptables rules into the node.

But this will break 3.2 compatibility.

> Are you asking to revert back to just iptables or can we meet in the middle
> and open necessary ports?

I think we should revert back and have something working, then analyze the need of firewall throughout the project and provide a complete solution.
Comment 8 Antoni Segura Puimedon 2013-08-08 16:36:42 EDT
I would have the vdsm plugin or ovirt-host deploy include:

systemctl mask firewalld
systemctl stop firewalld
systemctl enable iptables.service
systemctl start iptables.service
Comment 9 Joey Boggs 2013-08-08 16:52:13 EDT
I'm going to just revert the ovirt-node side, since we will end up not opening the ports configured with firewalld (ssh, libvirt, etc.). So there is no work to be done within the vdsm-plugin unless it's a safeguard.
Comment 10 Joey Boggs 2013-08-09 10:00:42 EDT
patch updated
Comment 11 cshao 2014-03-03 02:21:45 EST
Test version:
ovirt-node-iso-3.0.4-1.0.201401291204.vdsm34beta3.el6.iso
ovirt-node-3.0.4-1.0.el6.noarch

# cat /etc/ovirt-plugins.d/vdsm-plugin.firewall 
#ports and protocols that vdsm needs opened
54321,tcp

# iptables -L | grep 54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321 

The file /etc/ovirt-plugins.d/vdsm-plugin.firewall can list ports and protocols that vdsm needs opened, so the bug is fixed; changing bug status to VERIFIED.
Comment 12 Sandro Bonazzola 2014-03-31 08:32:18 EDT
this is an automated message: moving to Closed CURRENT RELEASE since oVirt 3.4.0 has been released