Bug 1150328 - Missing firewall rules prevent connection to virtual-machine consoles via webadmin
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-node
Version: 3.5.0
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 3.5.0
Assignee: Douglas Schilling Landgraf
QA Contact: Virtualization Bugs
URL:
Whiteboard: node
Depends On:
Blocks: rhev35betablocker rhev35rcblocker rhev35gablocker
 
Reported: 2014-10-08 00:11 UTC by Douglas Schilling Landgraf
Modified: 2016-02-10 20:09 UTC

Fixed In Version: rhev-hypervisor6-6.6-20141218.0.iso rhev-hypervisor7-7.0-20141218.0.iso
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-11 21:02:39 UTC
oVirt Team: Node
Target Upstream Version:




Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1152958 | None | None | None | Never
Red Hat Product Errata | RHEA-2015:0160 | normal | SHIPPED_LIVE | ovirt-node bug fix and enhancement update | 2015-02-12 01:34:52 UTC
oVirt gerrit | 33915 | master | ABANDONED | rhevh7-post: add the ovirt xml firewalld file | Never
oVirt gerrit | 33938 | master | MERGED | firewall: Use correct logic if firewalld is used | Never
oVirt gerrit | 33943 | master | MERGED | rhevh7-install: replace firewalld to iptables | Never
oVirt gerrit | 33944 | master | MERGED | rhevh7-post: initial iptables rules | Never

Internal Links: 1152958

Description Douglas Schilling Landgraf 2014-10-08 00:11:35 UTC
Description of problem:

- Create a virtual machine in ovirt-node with spice protocol
- Try to open the virtual-machine display via Admin Portal.

Version-Release number of selected component (if applicable):

- rhev-hypervisor7-7.0-20141006.0
  
Actual results:

Cannot open

Expected results:

Should display the virtual machine to users.

Additional info:

Firewalld issue.

Comment 1 Fabian Deutsch 2014-10-08 08:47:23 UTC
Alon, isn't host-deploy or vdsm taking care to open the ports, or is it left to Node to open the relevant ports?

Comment 2 Alon Bar-Lev 2014-10-08 08:51:35 UTC
(In reply to Fabian Deutsch from comment #1)
> Alon, isn't host-deploy or vdsm taking care to open the ports, or is it left
> to Node to open the relevant ports?

yes, host-deploy sets /etc/sysconfig/iptables and persists it, if user did not uncheck the "configure firewall".

firewalld is not used in hypervisor for now.

Comment 3 Fabian Deutsch 2014-10-08 14:10:13 UTC
(In reply to Alon Bar-Lev from comment #2)
> (In reply to Fabian Deutsch from comment #1)
> > Alon, isn't host-deploy or vdsm taking care to open the ports, or is it left
> > to Node to open the relevant ports?
> 
> yes, host-deploy sets /etc/sysconfig/iptables and persists it, if user did
> not uncheck the "configure firewall".
> 
> firewalld is not used in hypervisor for now.

But - is host-deploy or vdsm now also responsible to open the ports on Node - or do you expect Node to do this?

Comment 4 Alon Bar-Lev 2014-10-08 17:00:47 UTC
(In reply to Fabian Deutsch from comment #3)
> (In reply to Alon Bar-Lev from comment #2)
> > (In reply to Fabian Deutsch from comment #1)
> > > Alon, isn't host-deploy or vdsm taking care to open the ports, or is it left
> > > to Node to open the relevant ports?
> > 
> > yes, host-deploy sets /etc/sysconfig/iptables and persists it, if user did
> > not uncheck the "configure firewall".
> > 
> > firewalld is not used in hypervisor for now.
> 
> But - is host-deploy or vdsm now also responsible to open the ports on Node
> - or do you expect Node to do this?

as I wrote, host-deploy is overriding iptables and starts iptables on the machine. please confirm iptables contains invalid content post deploy and/or iptables is down and/or firewalld is up.
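
Added example, not part of the original thread and not host-deploy or ovirt-node code: a shell check for the first condition raised in comment 4, whether the persisted iptables content lets a new console connection through. The rule set is constructed, and the 5900:6923 console port range is an assumption, since the page does not state which ports the console uses.

```shell
#!/bin/sh
# Added example (constructed). The 5900:6923 console range is an assumption.
# first_verdict FILE PORT: print the target of the first INPUT rule in an
# iptables-save style FILE ("-" = stdin) that a new TCP connection to PORT hits.
first_verdict() {
    awk -v port="$2" '
    function covers(spec,   n, k, parts, r) {
        n = split(spec, parts, ",")
        for (k = 1; k <= n; k++) {
            if (split(parts[k], r, ":") == 2) {
                if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) return 1
            } else if (parts[k] + 0 == port + 0) return 1
        }
        return 0
    }
    $1 == ":INPUT" { policy = $2; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        proto = ""; ports = ""; target = ""; scoped = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "-i" || $i == "-s") scoped = 1
            else if ($i == "--state" && $(i + 1) !~ /NEW/) scoped = 1
        }
        # Skip rules limited to an interface, source, other protocol or port.
        if (scoped || (proto != "" && proto != "tcp")) next
        if (ports != "" && !covers(ports)) next
        print target; found = 1; exit
    }
    END { if (!found) print policy }' "$1"
}

# Constructed rule set; "with-console" adds the guest console range.
sample_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
    if [ "$1" = with-console ]; then
        printf '%s\n' '-A INPUT -p tcp -m multiport --dports 5900:6923 -j ACCEPT'
    fi
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited' COMMIT
}

for v in without-console with-console; do
    echo "$v: $(sample_rules "$v" | first_verdict - 5900)"
done
```

On a host, point it at the persisted file named in comment 2, for example `first_verdict /etc/sysconfig/iptables 5900`; it does not cover the other two conditions (iptables service down, firewalld up).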

Comment 5 Alon Bar-Lev 2014-10-08 18:47:25 UTC
please update bug subject to root cause.

Comment 8 Ying Cui 2014-10-09 11:54:35 UTC
bug 1128033 is verified, we can reproduce this bug now, and qa_ack+

Comment 10 haiyang,dong 2015-01-21 07:38:04 UTC
Test version:
rhev-hypervisor7-7.0-20150119.0.1.iso
ovirt-node-3.2.1-5.el7.noarch
Red Hat Enterprise Virtualization Manager Version: 3.5.0-0.30.el6ev

Test steps:
1. Create a virtual machine in rhevh with spice protocol
2. Try to open the virtual-machine display via Admin Portal.

Test result:
The virtual machine console is displayed to users successfully.

So this bug has been fixed; changed the status to "VERIFIED".

Comment 12 errata-xmlrpc 2015-02-11 21:02:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0160.html

