<div dir="ltr"><div class="gmail_extra">On Tue, Jan 15, 2013 at 2:22 PM, Yaniv Kaul wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
iptables?</blockquote></div><div class="gmail_extra"><br></div>engine was configured asking to set up / override iptables, so I thought it had to be ok.</div><div class="gmail_extra"><br></div><div class="gmail_extra">...</div>
<div class="gmail_extra"><div class="gmail_extra">oVirt Engine will be installed using the following configuration:</div><div class="gmail_extra">=================================================================</div><div class="gmail_extra">
override-httpd-config:         yes</div><div class="gmail_extra">http-port:                     80</div><div class="gmail_extra">https-port:                    443</div><div class="gmail_extra">host-fqdn:                     f18engine.Xxxxt</div>
<div class="gmail_extra">auth-pass:                     ********</div><div class="gmail_extra">org-name:                      YYYYY</div><div class="gmail_extra">default-dc-type:               ISCSI</div><div class="gmail_extra">
db-remote-install:             local</div><div class="gmail_extra">db-local-pass:                 ********</div><div class="gmail_extra">nfs-mp:                        /ISO</div><div class="gmail_extra">config-nfs:                    yes</div>
<div class="gmail_extra">override-iptables:             yes</div><div class="gmail_extra">Proceed with the configuration listed above? (yes|no): yes</div><div>...<br></div></div><div class="gmail_extra"><div class="gmail_extra">
Configuring Firewall (iptables)...                       [ DONE ]</div><div>...</div></div><div class="gmail_extra"><br></div><div class="gmail_extra" style>In engine setup log file:</div><div class="gmail_extra" style><br>
</div><div class="gmail_extra" style>...</div><div class="gmail_extra" style><div class="gmail_extra">2013-01-12 15:00:38::DEBUG::engine-setup::886::root:: configuring iptables</div><div class="gmail_extra">2013-01-12 15:00:38::DEBUG::engine-setup::917::root:: # Generated by ovirt-engine installer</div>
<div class="gmail_extra">#filtering rules</div><div class="gmail_extra">*filter</div><div class="gmail_extra">:INPUT ACCEPT [0:0]</div><div class="gmail_extra">:FORWARD ACCEPT [0:0]</div><div class="gmail_extra">:OUTPUT ACCEPT [0:0]</div>
<div class="gmail_extra">-A INPUT -i lo -j ACCEPT</div><div class="gmail_extra">-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT</div><div class="gmail_extra">-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</div>
<div class="gmail_extra">-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT</div><div class="gmail_extra">-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT</div><div class="gmail_extra">-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT</div>
<div class="gmail_extra">-A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT</div><div class="gmail_extra">-A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT</div><div class="gmail_extra">-A INPUT -p udp -m state --state NEW -m udp --dport 892 -j ACCEPT</div>
<div class="gmail_extra">-A INPUT -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT</div><div class="gmail_extra">-A INPUT -p udp -m state --state NEW -m udp --dport 875 -j ACCEPT</div><div class="gmail_extra">-A INPUT -p tcp -m state --state NEW -m tcp --dport 875 -j ACCEPT</div>
<div class="gmail_extra">-A INPUT -p udp -m state --state NEW -m udp --dport 662 -j ACCEPT</div><div class="gmail_extra">-A INPUT -p tcp -m state --state NEW -m tcp --dport 662 -j ACCEPT</div><div class="gmail_extra">-A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT</div>
<div class="gmail_extra">-A INPUT -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT</div><div class="gmail_extra">-A INPUT -p udp -m state --state NEW -m udp --dport 32769 -j ACCEPT</div><div class="gmail_extra">
#drop all rule</div><div class="gmail_extra">-A INPUT -j REJECT --reject-with icmp-host-prohibited</div><div class="gmail_extra">COMMIT</div><div class="gmail_extra"><br></div><div class="gmail_extra">2013-01-12 15:00:38::DEBUG::common_utils::699::root:: successfully copied file /etc/ovirt-engine/iptables.example to target destination /etc/sysconfig/iptables</div>
<div><div>2013-01-12 15:00:38::DEBUG::common_utils::707::root:: setting file /etc/sysconfig/iptables uid/gid ownership</div><div>2013-01-12 15:00:38::DEBUG::common_utils::710::root:: setting file /etc/sysconfig/iptables mode to -1</div>
<div>2013-01-12 15:00:38::DEBUG::engine-setup::932::root:: Restarting the iptables service</div><div>2013-01-12 15:00:38::DEBUG::common_utils::1208::root:: stopping iptables</div><div>2013-01-12 15:00:38::DEBUG::common_utils::1245::root:: executing action iptables on service stop</div>
<div>2013-01-12 15:00:38::DEBUG::common_utils::427::root:: Executing command --&gt; &#39;/sbin/service iptables stop&#39;</div><div>2013-01-12 15:00:38::DEBUG::common_utils::465::root:: output = </div><div>2013-01-12 15:00:38::DEBUG::common_utils::466::root:: stderr = Redirecting to /bin/systemctl stop  iptables.service</div>
<div><br></div><div>2013-01-12 15:00:38::DEBUG::common_utils::467::root:: retcode = 0</div><div>2013-01-12 15:00:38::DEBUG::common_utils::1198::root:: starting iptables</div><div>2013-01-12 15:00:38::DEBUG::common_utils::1245::root:: executing action iptables on service start</div>
<div>2013-01-12 15:00:38::DEBUG::common_utils::427::root:: Executing command --&gt; &#39;/sbin/service iptables start&#39;</div><div>2013-01-12 15:00:38::DEBUG::common_utils::465::root:: output = </div><div>2013-01-12 15:00:38::DEBUG::common_utils::466::root:: stderr = Redirecting to /bin/systemctl start  iptables.service</div>
<div><br></div><div>2013-01-12 15:00:38::DEBUG::common_utils::467::root:: retcode = 0</div><div>2013-01-12 15:00:38::DEBUG::setup_sequences::59::root:: running _startEngine</div></div><div>...</div><div><br></div><div><br>
</div></div><div class="gmail_extra" style><br></div><div class="gmail_extra" style>BTW: I have a similar problem with an all-in-one f18 + ovirt nightly setup running as a VM </div><div class="gmail_extra" style><br></div>
<div class="gmail_extra" style>after engine-upgrade to 3.2.0-1.20130115.git2970f58<br></div><div class="gmail_extra" style><br></div><div class="gmail_extra" style>I&#39;m not able to reach the webadmin portal from the host, but only if, for example, I run firefox from inside the engine itself exporting the DISPLAY env var.</div>
<div class="gmail_extra" style><br></div><div class="gmail_extra" style>What would be the config expected for an f18 engine?</div><div class="gmail_extra" style><br></div><div class="gmail_extra" style><br></div><div class="gmail_extra" style>
In my case:</div><div class="gmail_extra" style><br></div><div class="gmail_extra" style>1) engine standalone as physical server</div><div class="gmail_extra" style>It seems I have</div><div class="gmail_extra" style>firewalld enabled</div>
<div class="gmail_extra" style>iptables disabled</div><div class="gmail_extra" style>ip6tables disabled</div><div class="gmail_extra" style>ebtables ?</div><div class="gmail_extra" style><br></div><div class="gmail_extra" style>
but setup should have enabled it from the options chosen... but I don&#39;t see it in the logfile, while I see</div><div class="gmail_extra" style><br></div><div class="gmail_extra" style> 2013-01-12 15:00:38::DEBUG::engine-setup::1567::root:: using chkconfig to enable engine to load on system startup.</div>
<div class="gmail_extra">2013-01-12 15:00:38::DEBUG::common_utils::427::root:: Executing command --&gt; &#39;/sbin/chkconfig ovirt-engine on&#39;</div><div class="gmail_extra">2013-01-12 15:00:38::DEBUG::common_utils::465::root:: output = </div>
<div class="gmail_extra">2013-01-12 15:00:38::DEBUG::common_utils::466::root:: stderr = Note: Forwarding request to &#39;systemctl enable ovirt-engine.service&#39;.</div><div class="gmail_extra">ln -s &#39;/usr/lib/systemd/system/ovirt-engine.service&#39; &#39;/etc/systemd/system/multi-user.target.wants/ovirt-engine.service&#39;</div>
<div><br></div><div style>So could it be a bug not enabling iptables during engine-setup???</div><div class="gmail_extra" style><br></div><div class="gmail_extra" style>At this moment my situation:</div><div class="gmail_extra" style>
<div class="gmail_extra"># systemctl status firewalld.service</div><div class="gmail_extra">firewalld.service - firewalld - dynamic firewall daemon</div><div class="gmail_extra"><span class="" style="white-space:pre">        </span>  Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)</div>
<div class="gmail_extra"><span class="" style="white-space:pre">        </span>  Active: active (running) since Tue, 2013-01-15 13:38:40 CET; 1h 17min ago</div><div class="gmail_extra"><span class="" style="white-space:pre">        </span>Main PID: 469 (firewalld)</div>
<div class="gmail_extra"><span class="" style="white-space:pre">        </span>  CGroup: name=systemd:/system/firewalld.service</div><div class="gmail_extra"><span class="" style="white-space:pre">                </span>  └ 469 /usr/bin/python -Es /usr/sbin/firewalld --nofork</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Jan 15 13:38:40 f18engine systemd[1]: Started firewalld - dynamic firewall daemon.</div><div><br></div><div><div># systemctl status iptables.service</div><div>iptables.service - IPv4 firewall with iptables</div>
<div><span class="" style="white-space:pre">        </span>  Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)</div><div><span class="" style="white-space:pre">        </span>  Active: inactive (dead)</div><div><span class="" style="white-space:pre">        </span>  CGroup: name=systemd:/system/iptables.service</div>
</div><div><br></div></div><div class="gmail_extra" style><br></div><div class="gmail_extra" style><div class="gmail_extra"># systemctl status ip6tables.service</div><div class="gmail_extra">ip6tables.service - IPv6 firewall with ip6tables</div>
<div class="gmail_extra"><span class="" style="white-space:pre">        </span>  Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled)</div><div class="gmail_extra"><span class="" style="white-space:pre">        </span>  Active: inactive (dead)</div>
<div class="gmail_extra"><span class="" style="white-space:pre">        </span>  CGroup: name=systemd:/system/ip6tables.service</div><div><br></div></div><div class="gmail_extra" style><br></div><div class="gmail_extra" style><div class="gmail_extra">
# systemctl status ebtables.service</div><div class="gmail_extra">ebtables.service - SYSV: Ethernet Bridge filtering tables</div><div class="gmail_extra"><span class="" style="white-space:pre">        </span>  Loaded: loaded (/etc/rc.d/init.d/ebtables)</div>
<div class="gmail_extra"><span class="" style="white-space:pre">        </span>  Active: inactive (dead)</div><div class="gmail_extra"><span class="" style="white-space:pre">        </span>  CGroup: name=systemd:/system/ebtables.service</div>
<div><br></div><div><div># systemctl show ebtables.service| grep onflict</div><div>Conflicts=shutdown.target</div><div>ConflictedBy=firewalld.service</div></div><div><br></div><div style>So there is a problem between ebtables and firewalld (but perhaps this service has to run only on the hypervisor and not the engine?)</div>
<div style><br></div><div style><br></div><div style>2) engine configured as an all-in-one in a vm</div><div style><br></div><div style><div>[g.cecchi@f18aio ~]$ sudo systemctl status firewalld.service</div><div>firewalld.service - firewalld - dynamic firewall daemon</div>
<div><span class="" style="white-space:pre">        </span>  Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)</div><div><span class="" style="white-space:pre">        </span>  Active: inactive (dead)</div><div><span class="" style="white-space:pre">        </span>  CGroup: name=systemd:/system/firewalld.service</div>
<div><br></div><div>[g.cecchi@f18aio ~]$ sudo systemctl status iptables.service</div><div>iptables.service - IPv4 firewall with iptables</div><div><span class="" style="white-space:pre">        </span>  Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)</div>
<div><span class="" style="white-space:pre">        </span>  Active: active (exited) since Tue, 2013-01-15 14:42:46 CET; 18min ago</div><div><span class="" style="white-space:pre">        </span> Process: 31480 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)</div>
<div><span class="" style="white-space:pre">        </span> Process: 31523 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)</div><div><span class="" style="white-space:pre">        </span>  CGroup: name=systemd:/system/iptables.service</div>
<div><br></div><div>Jan 15 14:42:46 f18aio.localdomain.local systemd[1]: Starting IPv4 firewall with iptables...</div><div>Jan 15 14:42:46 f18aio.localdomain.local iptables.init[31523]: iptables: Applying firewall rules: WARNING: The state match is ob...tead.</div>
<div>Jan 15 14:42:46 f18aio.localdomain.local iptables.init[31523]: [  OK  ]</div><div>Jan 15 14:42:46 f18aio.localdomain.local systemd[1]: Started IPv4 firewall with iptables.</div><div><br></div><div>[g.cecchi@f18aio ~]$ sudo systemctl status ip6tables.service</div>
<div>ip6tables.service - IPv6 firewall with ip6tables</div><div><span class="" style="white-space:pre">        </span>  Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled)</div><div><span class="" style="white-space:pre">        </span>  Active: inactive (dead)</div>
<div><span class="" style="white-space:pre">        </span>  CGroup: name=systemd:/system/ip6tables.service</div><div><br></div><div>[g.cecchi@f18aio ~]$ sudo systemctl status ebtables.service</div><div>ebtables.service - SYSV: Ethernet Bridge filtering tables</div>
<div><span class="" style="white-space:pre">        </span>  Loaded: loaded (/etc/rc.d/init.d/ebtables)</div><div><span class="" style="white-space:pre">        </span>  Active: inactive (dead)</div><div><span class="" style="white-space:pre">        </span>  CGroup: name=systemd:/system/ebtables.service</div>
<div><br></div><div style>Gianluca</div></div></div></div>
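The mail above shows engine-setup writing its ruleset to /etc/sysconfig/iptables and restarting iptables.service while firewalld is the unit that is actually enabled, so the written rules are never loaded at boot. The following shell script is an added example, not part of the mail or of oVirt's engine-setup: it parses a rule file in the format logged above, reports which expected engine ports lack an ACCEPT rule, and checks that the trailing catch-all REJECT is still the last INPUT rule. It assumes the `-A INPUT ... --dport N -j ACCEPT` form from the log and uses a constructed excerpt of that ruleset as its input.

```shell
#!/bin/sh
# Added example, not from the original mail or from oVirt's engine-setup.
# Checks an engine-setup style /etc/sysconfig/iptables for the ports the
# engine needs and for the trailing catch-all REJECT. Only iptables.service
# loads this file at boot; with firewalld enabled instead, it sits unused.

# Constructed excerpt of the mail's ruleset, written to a temp file so the
# checks run offline; prints the path.
sample_rules_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    echo "$f"
}

# accepted_ports FILE PROTO -> dports with an INPUT ACCEPT rule for PROTO
accepted_ports() {
    awk -v proto="$2" '/^-A INPUT/ && /-j ACCEPT/ && $0 ~ ("-p " proto) {
        for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
    }' "$1"
}

# missing_ports FILE PROTO "p1 p2 ..." -> ports lacking an ACCEPT rule
missing_ports() {
    have=$(accepted_ports "$1" "$2")
    for p in $3; do
        printf '%s\n' "$have" | grep -qx "$p" || echo "$p"
    done
}

# ends_with_reject FILE -> true when the last INPUT rule is the catch-all REJECT
ends_with_reject() {
    grep '^-A INPUT' "$1" | tail -n 1 | grep -q -- '-j REJECT'
}

# Stand-alone run against the sample: report what the engine would be missing.
f=$(sample_rules_file)
echo "tcp missing: $(missing_ports "$f" tcp "22 80 443 2049 8080")"
ends_with_reject "$f" && echo "catch-all REJECT present"
rm -f "$f"
```

Point the functions at the real /etc/sysconfig/iptables on an engine host to compare against the ports listed in the setup log, and pair that with `systemctl is-enabled iptables firewalld` to confirm which unit will actually load the file.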