
----- Original Message -----
From: "Dmitriy A Pyryakov" <DPyryakov@ekb.beeline.ru>
To: "Michal Skrivanek" <michal.skrivanek@redhat.com>
Cc: users@ovirt.org
Sent: Thursday, September 20, 2012 1:34:46 PM
Subject: Re: [Users] Fatal error during migration

Michal Skrivanek <michal.skrivanek@redhat.com> wrote on 20.09.2012 16:23:31:

> From: Michal Skrivanek <michal.skrivanek@redhat.com>
> To: Dmitriy A Pyryakov <DPyryakov@ekb.beeline.ru>
> Cc: users@ovirt.org
> Date: 20.09.2012 16:24
> Subject: Re: [Users] Fatal error during migration
>
> On Sep 20, 2012, at 12:19 , Dmitriy A Pyryakov wrote:
>
> > Michal Skrivanek <michal.skrivanek@redhat.com> wrote on 20.09.2012 16:13:16:
> >
> > > From: Michal Skrivanek <michal.skrivanek@redhat.com>
> > > To: Dmitriy A Pyryakov <DPyryakov@ekb.beeline.ru>
> > > Cc: users@ovirt.org
> > > Date: 20.09.2012 16:13
> > > Subject: Re: [Users] Fatal error during migration
> > >
> > > On Sep 20, 2012, at 12:07 , Dmitriy A Pyryakov wrote:
> > >
> > > > Michal Skrivanek <michal.skrivanek@redhat.com> wrote on 20.09.2012 16:02:11:
> > > >
> > > > > From: Michal Skrivanek <michal.skrivanek@redhat.com>
> > > > > To: Dmitriy A Pyryakov <DPyryakov@ekb.beeline.ru>
> > > > > Cc: users@ovirt.org
> > > > > Date: 20.09.2012 16:02
> > > > > Subject: Re: [Users] Fatal error during migration
> > > > >
> > > > > Hi,
> > > > > well, so what is the other side saying? Maybe some connectivity
> > > > > problems between those 2 hosts? firewall?
> > > > >
> > > > > Thanks,
> > > > > michal
> > > >
> > > > Yes, firewall is not configured properly by default. If I stop it, migration done.
> > > > Thanks.
> > >
> > > The default is supposed to be:
> > >
> > > # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
> > > *filter
> > > :INPUT ACCEPT [0:0]
> > > :FORWARD ACCEPT [0:0]
> > > :OUTPUT ACCEPT [0:0]
> > > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > -A INPUT -p icmp -j ACCEPT
> > > -A INPUT -i lo -j ACCEPT
> > > # vdsm
> > > -A INPUT -p tcp --dport 54321 -j ACCEPT
> > > # libvirt tls
> > > -A INPUT -p tcp --dport 16514 -j ACCEPT
> > > # SSH
> > > -A INPUT -p tcp --dport 22 -j ACCEPT
> > > # guest consoles
> > > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> > > # migration
> > > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> > > # snmp
> > > -A INPUT -p udp --dport 161 -j ACCEPT
> > > # Reject any other input traffic
> > > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> > > COMMIT
> >
> > my default is:
> >
> > # cat /etc/sysconfig/iptables
> > # oVirt automatically generated firewall configuration
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > -A INPUT -p icmp -j ACCEPT
> > -A INPUT -i lo -j ACCEPT
> > #vdsm
> > -A INPUT -p tcp --dport 54321 -j ACCEPT
> > # SSH
> > -A INPUT -p tcp --dport 22 -j ACCEPT
> > # guest consoles
> > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> > # migration
> > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> > # snmp
> > -A INPUT -p udp --dport 161 -j ACCEPT
> > #
> > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> > COMMIT
> >
> > > did you change it manually or is the default missing anything?
> >
> > default missing "libvirt tls" field.
>
> was it an upgrade of some sort?

No.

> These are installed at node setup from ovirt-engine.
> Check the engine version and/or the IPTablesConfig in vdc_options table on engine

oVirt engine version: 3.1.0-2.fc17

engine=# select * from vdc_options where option_id=100;
 option_id |  option_name   |                                       option_value                                        | version
-----------+----------------+-------------------------------------------------------------------------------------------+---------
       100 | IPTablesConfig | # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.+| general
           |                | *filter                                                                                  +|
           |                | :INPUT ACCEPT [0:0]                                                                      +|
           |                | :FORWARD ACCEPT [0:0]                                                                    +|
           |                | :OUTPUT ACCEPT [0:0]                                                                     +|
           |                | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT                                  +|
           |                | -A INPUT -p icmp -j ACCEPT                                                               +|
           |                | -A INPUT -i lo -j ACCEPT                                                                 +|
           |                | # vdsm                                                                                   +|
           |                | -A INPUT -p tcp --dport 54321 -j ACCEPT                                                  +|
           |                | # libvirt tls                                                                            +|
           |                | -A INPUT -p tcp --dport 16514 -j ACCEPT                                                  +|
           |                | # SSH                                                                                    +|
           |                | -A INPUT -p tcp --dport 22 -j ACCEPT                                                     +|
           |                | # guest consoles                                                                         +|
           |                | -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT                                +|
           |                | # migration                                                                              +|
           |                | -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT                              +|
           |                | # snmp                                                                                   +|
           |                | -A INPUT -p udp --dport 161 -j ACCEPT                                                    +|
           |                | # Reject any other input traffic                                                         +|
           |                | -A INPUT -j REJECT --reject-with icmp-host-prohibited                                    +|
           |                | -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited+|
           |                | COMMIT                                                                                   +|
           |                |                                                                                           |

IPTablesConfig is right.
When I add my nodes to engine, I just approve it. I don't have an "Automatically configure host firewall" option.

(Added Mike Burns)

Right.
This is the diff between ovirt node and Fedora based node.
In oVirt node we expect the FW to have all relevant settings.

Mike, do we have these ports opened in the node?
Was it changed?
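
The comparison done by hand in this thread (the engine's IPTablesConfig against the node's /etc/sysconfig/iptables), as an added example that is not part of the original messages and is not oVirt code: it parses both rule sets and reports the labelled ACCEPT rules the node lacks. The function names are hypothetical, and the two rule sets are constructed samples abbreviated from the ones quoted above.

```python
import re

# Constructed sample: abbreviated from the IPTablesConfig value quoted in the thread.
EXPECTED = """\
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# libvirt tls
-A INPUT -p tcp --dport 16514 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# Constructed sample: abbreviated from the node's /etc/sysconfig/iptables in the thread.
ACTUAL = """\
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

PORT_RE = re.compile(r"-p (\w+) .*--dports? (\S+) .*-j ACCEPT")

def accept_rules(text):
    """Map (proto, port-spec) -> comment label for each port-based ACCEPT rule."""
    rules, label = {}, ""
    for line in text.splitlines():
        line = " ".join(line.split())       # ignore whitespace-only differences
        if line.startswith("#"):
            label = line.lstrip("# ")       # a comment names the rule that follows
        elif line.startswith("-A INPUT"):
            m = PORT_RE.search(line)
            if m:
                rules[(m.group(1), m.group(2))] = label
            label = ""
    return rules

def missing_rules(expected, actual):
    """ACCEPT rules present in the expected config but absent from the node's."""
    exp, act = accept_rules(expected), accept_rules(actual)
    return sorted((proto, port, exp[(proto, port)])
                  for (proto, port) in exp.keys() - act.keys())

if __name__ == "__main__":
    for proto, port, label in missing_rules(EXPECTED, ACTUAL):
        print(f"missing on node: {proto}/{port} ({label or 'unlabelled'})")
```

On a real host, pass the text of the IPTablesConfig option and of /etc/sysconfig/iptables in place of the two samples.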