----- Original Message -----
From: "Dmitriy A Pyryakov" <DPyryakov(a)ekb.beeline.ru>
To: "Michal Skrivanek" <michal.skrivanek(a)redhat.com>
Cc: users(a)ovirt.org
Sent: Thursday, September 20, 2012 1:34:46 PM
Subject: Re: [Users] Fatal error during migration
Michal Skrivanek <michal.skrivanek(a)redhat.com> wrote on 20.09.2012 16:23:31:

> From: Michal Skrivanek <michal.skrivanek(a)redhat.com>
> To: Dmitriy A Pyryakov <DPyryakov(a)ekb.beeline.ru>
> Cc: users(a)ovirt.org
> Date: 20.09.2012 16:24
> Subject: Re: [Users] Fatal error during migration
> On Sep 20, 2012, at 12:19 , Dmitriy A Pyryakov wrote:
>
> > Michal Skrivanek <michal.skrivanek(a)redhat.com> wrote on 20.09.2012 16:13:16:
> >
> > > From: Michal Skrivanek <michal.skrivanek(a)redhat.com>
> > > To: Dmitriy A Pyryakov <DPyryakov(a)ekb.beeline.ru>
> > > Cc: users(a)ovirt.org
> > > Date: 20.09.2012 16:13
> > > Subject: Re: [Users] Fatal error during migration
> >
> >
> > > On Sep 20, 2012, at 12:07 , Dmitriy A Pyryakov wrote:
> > >
> > > > Michal Skrivanek <michal.skrivanek(a)redhat.com> wrote on 20.09.2012 16:02:11:
> > > >
> > > > > From: Michal Skrivanek <michal.skrivanek(a)redhat.com>
> > > > > To: Dmitriy A Pyryakov <DPyryakov(a)ekb.beeline.ru>
> > > > > Cc: users(a)ovirt.org
> > > > > Date: 20.09.2012 16:02
> > > > > Subject: Re: [Users] Fatal error during migration
> > > > >
> > > > > Hi,
> > > > > well, so what is the other side saying? Maybe some connectivity
> > > > > problems between those 2 hosts? firewall?
> > > > >
> > > > > Thanks,
> > > > > michal
> > > >
> > > > Yes, firewall is not configured properly by default. If I stop it,
> > > > migration done.
> > > > Thanks.
> > > The default is supposed to be:
> >
> > > # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
> > > *filter
> > > :INPUT ACCEPT [0:0]
> > > :FORWARD ACCEPT [0:0]
> > > :OUTPUT ACCEPT [0:0]
> > > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > -A INPUT -p icmp -j ACCEPT
> > > -A INPUT -i lo -j ACCEPT
> > > # vdsm
> > > -A INPUT -p tcp --dport 54321 -j ACCEPT
> > > # libvirt tls
> > > -A INPUT -p tcp --dport 16514 -j ACCEPT
> > > # SSH
> > > -A INPUT -p tcp --dport 22 -j ACCEPT
> > > # guest consoles
> > > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> > > # migration
> > > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> > > # snmp
> > > -A INPUT -p udp --dport 161 -j ACCEPT
> > > # Reject any other input traffic
> > > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> > > COMMIT
>
> > my default is:
>
> > # cat /etc/sysconfig/iptables
> > # oVirt automatically generated firewall configuration
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > -A INPUT -p icmp -j ACCEPT
> > -A INPUT -i lo -j ACCEPT
> > #vdsm
> > -A INPUT -p tcp --dport 54321 -j ACCEPT
> > # SSH
> > -A INPUT -p tcp --dport 22 -j ACCEPT
> > # guest consoles
> > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> > # migration
> > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> > # snmp
> > -A INPUT -p udp --dport 161 -j ACCEPT
> > #
> > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> > COMMIT
>
> >
>
> > > did you change it manually or is the default missing anything?
>
> > default missing "libvirt tls" field.
> was it an upgrade of some sort?
No.
> These are installed at node setup from ovirt-engine. Check the engine
> version and/or the IPTablesConfig in vdc_options table on engine
oVirt engine version: 3.1.0-2.fc17
engine=# select * from vdc_options where option_id=100;
 option_id |  option_name   |                                       option_value                                        | version
-----------+----------------+-------------------------------------------------------------------------------------------+---------
       100 | IPTablesConfig | # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.+| general
           |                | *filter                                                                                  +|
           |                | :INPUT ACCEPT [0:0]                                                                      +|
           |                | :FORWARD ACCEPT [0:0]                                                                    +|
           |                | :OUTPUT ACCEPT [0:0]                                                                     +|
           |                | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT                                  +|
           |                | -A INPUT -p icmp -j ACCEPT                                                               +|
           |                | -A INPUT -i lo -j ACCEPT                                                                 +|
           |                | # vdsm                                                                                   +|
           |                | -A INPUT -p tcp --dport 54321 -j ACCEPT                                                  +|
           |                | # libvirt tls                                                                            +|
           |                | -A INPUT -p tcp --dport 16514 -j ACCEPT                                                  +|
           |                | # SSH                                                                                    +|
           |                | -A INPUT -p tcp --dport 22 -j ACCEPT                                                     +|
           |                | # guest consoles                                                                         +|
           |                | -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT                                +|
           |                | # migration                                                                              +|
           |                | -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT                              +|
           |                | # snmp                                                                                   +|
           |                | -A INPUT -p udp --dport 161 -j ACCEPT                                                    +|
           |                | # Reject any other input traffic                                                         +|
           |                | -A INPUT -j REJECT --reject-with icmp-host-prohibited                                    +|
           |                | -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited+|
           |                | COMMIT                                                                                   +|
           |                |                                                                                           |
IPTablesConfig is right.
When I add my nodes to engine, I just approve it. I don't have an
"Automatically configure host firewall" option.

(Added Mike Burns)

Right.
This is the diff between ovirt node and Fedora based node.
In oVirt node we expect the FW to have all relevant settings.

Mike, do we have these ports opened in the node?
Was it changed?
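
A check for the mismatch found in this thread, as an added example that is not part of the original messages or of oVirt: it compares a node's rules file against the engine's IPTablesConfig template and lists expected rules that are absent or sit after the catch-all REJECT. The names `effective_rules`, `missing_rules`, `ENGINE_TEMPLATE` and `NODE_RULES` are illustrative, and `NODE_RULES` is constructed from the template rather than copied from the node.

```python
# ENGINE_TEMPLATE: the IPTablesConfig rule set posted in the thread (header comment omitted).
ENGINE_TEMPLATE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# libvirt tls
-A INPUT -p tcp --dport 16514 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Constructed stand-in for the node's file: same rules minus the libvirt tls entry.
NODE_RULES = ENGINE_TEMPLATE.replace("# libvirt tls\n-A INPUT -p tcp --dport 16514 -j ACCEPT\n", "")

def effective_rules(text):
    """Map each normalized -A rule to its preceding comment label. INPUT rules
    after the catch-all REJECT are skipped because they can never match."""
    out, label, closed = {}, "", False
    for line in (" ".join(l.split()) for l in text.splitlines()):
        if line.startswith("#"):
            label = line.lstrip("# ")
        elif line.startswith("-A ") and not (closed and line.startswith("-A INPUT ")):
            out[line], label = label, ""
            closed = closed or line.startswith("-A INPUT -j REJECT")
    return out

def missing_rules(template, deployed):
    """(label, rule) pairs the template expects but the deployed file lacks."""
    have = effective_rules(deployed)
    return [(lab, r) for r, lab in effective_rules(template).items() if r not in have]

if __name__ == "__main__":
    for lab, rule in missing_rules(ENGINE_TEMPLATE, NODE_RULES):
        print(f"missing ({lab or 'unlabelled'}): {rule}")
```

On a real host, pass the contents of `/etc/sysconfig/iptables` as `deployed` and the `option_value` returned by the `vdc_options` query as `template`.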