Bug 988849 - edit-node does not handle firewall rules
Summary: edit-node does not handle firewall rules
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-node
Version: unspecified
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 3.4.0
Assignee: Joey Boggs
QA Contact: bugs@ovirt.org
URL:
Whiteboard: node
Depends On:
Blocks: 918494
TreeView+ depends on / blocked
 
Reported: 2013-07-26 14:47 UTC by Mike Burns
Modified: 2014-03-31 12:32 UTC (History)
14 users (show)

Fixed In Version: ovirt-3.4.0-alpha1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-31 12:32:18 UTC
oVirt Team: ---


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
oVirt gerrit 17843 None None None Never

Description Mike Burns 2013-07-26 14:47:03 UTC
Description of problem:
plugins can install a file to /etc/ovirt-plugins.d containing a list of ports and protocols to open like this:

54321,tcp

These are not being added to the firewall configuration currently

Version-Release number of selected component (if applicable):
node-3.0.0

How reproducible:
always

Comment 1 Mike Burns 2013-07-26 14:48:25 UTC
Note:  need to ignore comments in the file (lines prefixed with #)
Need to handle firewalld vs iptables

Comment 2 Alon Bar-Lev 2013-08-06 22:42:33 UTC
ovirt-host-deploy sets iptables rules specified by engine.

We are not ready for firewalld at host side.

Comment 3 Alon Bar-Lev 2013-08-06 22:57:28 UTC
(In reply to Alon Bar-Lev from comment #2)
> ovirt-host-deploy sets iptables rules specified by engine.
> 
> We are not ready for firewalld at host side.

Need to correct... ovirt-engine does not support firewalld but only iptables, and this is what it sends to ovirt-host-deploy (otopi).

otopi supports firewalld... but engine should use that feature.

Comment 4 Joey Boggs 2013-08-08 17:49:42 UTC
http://gerrit.ovirt.org/17843

handles both iptables and firewalld

Comment 5 Alon Bar-Lev 2013-08-08 18:05:34 UTC
I am unsure how this change solves the problem.

As I wrote in comment#3, ovirt-engine does not support firewalld, it will configure machine using iptables.

In future, when ovirt-engine will support firewalld, it will configure firewalld during host-deploy, the plugin will be a simple registration notification, nothing more.

Comment 6 Joey Boggs 2013-08-08 20:24:54 UTC
ovirt-node had firewalld support since F18, what was being done in F18 timeframe with ovirt-host-deploy to make it work?

I can open the ports that ovirt-host-deploy would do in the base image but the patch will work for other plugins that don't expect to manage firewalld/iptables.

Are you asking to revert back to just iptables or can we meet in the middle and open necessary ports?

Comment 7 Alon Bar-Lev 2013-08-08 20:33:03 UTC
(In reply to Joey Boggs from comment #6)
> ovirt-node had firewalld support since F18, what was being done in F18
> timeframe with ovirt-host-deploy to make it work?

There was no RFE for ovirt-engine as far as I know to support firewalld. The fact that ovirt-node reverted this as standalone component without synchronization is not correct.

> I can open the ports that ovirt-host-deploy would do in the base image but
> the patch will work for other plugins that don't expect to manage
> firewalld/iptables.

The ports to be opened are set by the engine and not by the deploy process. If we want to have it set by the node, we should modify the engine not to push iptables rules into the node.

But this will break 3.2 compatibility.

> Are you asking to revert back to just iptables or can we meet in the middle
> and open necessary ports?

I think we should revert back and have something working, then analyze the need of firewall throughout the project and provide a complete solution.

Comment 8 Antoni Segura Puimedon 2013-08-08 20:36:42 UTC
I would have the vdsm plugin or ovirt-host deploy include:

systemctl mask firewalld
systemctl stop firewalld
systemctl enable iptables.service
systemctl start iptables.service

Comment 9 Joey Boggs 2013-08-08 20:52:13 UTC
I'm going to just revert the ovirt-node side since we will end up not opening the ports configured with firewalld ssh,libvirt, etc. So no work to be done within the vdsm-plugin unless its a safeguard.

Comment 10 Joey Boggs 2013-08-09 14:00:42 UTC
patch updated

Comment 11 cshao 2014-03-03 07:21:45 UTC
Test version:
ovirt-node-iso-3.0.4-1.0.201401291204.vdsm34beta3.el6.iso
ovirt-node-3.0.4-1.0.el6.noarch

# cat /etc/ovirt-plugins.d/vdsm-plugin.firewall 
#ports and protocols that vdsm needs opened
54321,tcp

# iptables -L | grep 54321
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:54321 

The file /etc/ovirt-plugins.d/vdsm-plugin.firewall can list ports and protocols that vdsm needs opened. so the bug is fixed, change bug status to VERIFIED.

Comment 12 Sandro Bonazzola 2014-03-31 12:32:18 UTC
this is an automated message: moving to Closed CURRENT RELEASE since oVirt 3.4.0 has been released


Note You need to log in before you can comment on or make changes to this bug.