[Users] Fatal error during migration

Doron Fediuck dfediuck at redhat.com
Thu Sep 20 10:46:28 UTC 2012


----- Original Message -----

> From: "Dmitriy A Pyryakov" <DPyryakov at ekb.beeline.ru>
> To: "Michal Skrivanek" <michal.skrivanek at redhat.com>
> Cc: users at ovirt.org
> Sent: Thursday, September 20, 2012 1:34:46 PM
> Subject: Re: [Users] Fatal error during migration

> Michal Skrivanek <michal.skrivanek at redhat.com> wrote on 20.09.2012 16:23:31:

> > From: Michal Skrivanek <michal.skrivanek at redhat.com>
> > To: Dmitriy A Pyryakov <DPyryakov at ekb.beeline.ru>
> > Cc: users at ovirt.org
> > Date: 20.09.2012 16:24
> > Subject: Re: [Users] Fatal error during migration
> >
> >
> > On Sep 20, 2012, at 12:19 , Dmitriy A Pyryakov wrote:
> >
> > > Michal Skrivanek <michal.skrivanek at redhat.com> wrote on 20.09.2012 16:13:16:
> > >
> > > > From: Michal Skrivanek <michal.skrivanek at redhat.com>
> > > > To: Dmitriy A Pyryakov <DPyryakov at ekb.beeline.ru>
> > > > Cc: users at ovirt.org
> > > > Date: 20.09.2012 16:13
> > > > Subject: Re: [Users] Fatal error during migration
> > > >
> > > >
> > > > On Sep 20, 2012, at 12:07 , Dmitriy A Pyryakov wrote:
> > > >
> > > > > Michal Skrivanek <michal.skrivanek at redhat.com> wrote on 20.09.2012 16:02:11:
> > > > >
> > > > > > From: Michal Skrivanek <michal.skrivanek at redhat.com>
> > > > > > To: Dmitriy A Pyryakov <DPyryakov at ekb.beeline.ru>
> > > > > > Cc: users at ovirt.org
> > > > > > Date: 20.09.2012 16:02
> > > > > > Subject: Re: [Users] Fatal error during migration
> > > > > >
> > > > > > Hi,
> > > > > > well, so what is the other side saying? Maybe some
> > > > > > connectivity
> > > > > > problems between those 2 hosts? firewall?
> > > > > >
> > > > > > Thanks,
> > > > > > michal
> > > > >
> > > > > Yes, firewall is not configured properly by default. If I stop it, migration done.
> > > > > Thanks.
> > > > The default is supposed to be:
> > > >
> > > > # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
> > > > *filter
> > > > :INPUT ACCEPT [0:0]
> > > > :FORWARD ACCEPT [0:0]
> > > > :OUTPUT ACCEPT [0:0]
> > > > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > > -A INPUT -p icmp -j ACCEPT
> > > > -A INPUT -i lo -j ACCEPT
> > > > # vdsm
> > > > -A INPUT -p tcp --dport 54321 -j ACCEPT
> > > > # libvirt tls
> > > > -A INPUT -p tcp --dport 16514 -j ACCEPT
> > > > # SSH
> > > > -A INPUT -p tcp --dport 22 -j ACCEPT
> > > > # guest consoles
> > > > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> > > > # migration
> > > > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> > > > # snmp
> > > > -A INPUT -p udp --dport 161 -j ACCEPT
> > > > # Reject any other input traffic
> > > > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > > > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> > > > COMMIT
> > >
> > > my default is:
> > >
> > > # cat /etc/sysconfig/iptables
> > > # oVirt automatically generated firewall configuration
> > > *filter
> > > :INPUT ACCEPT [0:0]
> > > :FORWARD ACCEPT [0:0]
> > > :OUTPUT ACCEPT [0:0]
> > > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > -A INPUT -p icmp -j ACCEPT
> > > -A INPUT -i lo -j ACCEPT
> > > #vdsm
> > > -A INPUT -p tcp --dport 54321 -j ACCEPT
> > > # SSH
> > > -A INPUT -p tcp --dport 22 -j ACCEPT
> > > # guest consoles
> > > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> > > # migration
> > > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> > > # snmp
> > > -A INPUT -p udp --dport 161 -j ACCEPT
> > > #
> > > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> > > COMMIT
> > >
> > > >
> > > > did you change it manually or is the default missing anything?
> > >
> > > default missing "libvirt tls" field.
> > was it an upgrade of some sort?
> No.

> > These are installed at node setup
> > from ovirt-engine. Check the engine version and/or the
> > IPTablesConfig in vdc_options table on engine

> oVirt engine version: 3.1.0-2.fc17

> engine=# select * from vdc_options where option_id=100;
> option_id | option_name | option_value | version
> -----------+----------------+-------------------------------------------------------------------------------------------+---------
> 100 | IPTablesConfig | # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.+| general
> | | *filter +|
> | | :INPUT ACCEPT [0:0] +|
> | | :FORWARD ACCEPT [0:0] +|
> | | :OUTPUT ACCEPT [0:0] +|
> | | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +|
> | | -A INPUT -p icmp -j ACCEPT +|
> | | -A INPUT -i lo -j ACCEPT +|
> | | # vdsm +|
> | | -A INPUT -p tcp --dport 54321 -j ACCEPT +|
> | | # libvirt tls +|
> | | -A INPUT -p tcp --dport 16514 -j ACCEPT +|
> | | # SSH +|
> | | -A INPUT -p tcp --dport 22 -j ACCEPT +|
> | | # guest consoles +|
> | | -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT +|
> | | # migration +|
> | | -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT +|
> | | # snmp +|
> | | -A INPUT -p udp --dport 161 -j ACCEPT +|
> | | # Reject any other input traffic +|
> | | -A INPUT -j REJECT --reject-with icmp-host-prohibited +|
> | | -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited+|
> | | COMMIT +|
> | | |

> IPTablesConfig is right.

> When I add my nodes to engine, I just approve it. I don't have an
> "Automatically configure host firewall" option.

(Added Mike Burns) 

Right. 
This is the diff between ovirt node and Fedora based node. 
In oVirt node we expect the FW to have all relevant settings. 

Mike, do we have these ports opened in the node? 
Was it changed? 
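
The comparison done by eye in this thread (engine-side IPTablesConfig against the node's /etc/sysconfig/iptables) can be scripted. This is an added example, not part of the original message or of oVirt: EXPECTED is the quoted template abridged to its INPUT rules, ACTUAL is a constructed stand-in for the node's file, and the function names are hypothetical.

```python
import re

# Engine template (IPTablesConfig) as quoted in the thread, abridged to INPUT rules.
EXPECTED = """\
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# libvirt tls
-A INPUT -p tcp --dport 16514 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Constructed stand-in for the node's file: same rules minus the libvirt tls pair.
ACTUAL = EXPECTED.replace("# libvirt tls\n-A INPUT -p tcp --dport 16514 -j ACCEPT\n", "")

RULE = re.compile(r"-A INPUT\b.*-p (tcp|udp)\b.*--dports? (\S+).*-j ACCEPT\b")

def accept_ranges(ruleset):
    """Return [(proto, low, high, label)] for INPUT ACCEPT rules before any catch-all."""
    found, label = [], ""
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith("#"):
            label = line.lstrip("# ")  # most recent comment line serves as the label
        elif re.match(r"-A INPUT -j (REJECT|DROP)\b", line):
            break  # nothing after an unconditional REJECT/DROP can match
        elif (m := RULE.match(line)):
            for part in m.group(2).split(","):
                low, _, high = part.partition(":")
                found.append((m.group(1), int(low), int(high or low), label))
    return found

def missing_ports(expected, actual):
    """Expected ranges that no single ACCEPT range in `actual` fully covers."""
    have = accept_ranges(actual)
    return [e for e in accept_ranges(expected)
            if not any(p == e[0] and lo <= e[1] and e[2] <= hi for p, lo, hi, _ in have)]

if __name__ == "__main__":
    print(missing_ports(EXPECTED, ACTUAL))
```

A rule appended after the final REJECT is reported as still missing, because iptables stops at the first matching rule.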