______________________________________________________________________
From: "Dmitriy A Pyryakov" <DPyryakov(a)ekb.beeline.ru>
To: "Michal Skrivanek" <michal.skrivanek(a)redhat.com>
Cc: users(a)ovirt.org
Sent: Thursday, September 20, 2012 1:34:46 PM
Subject: Re: [Users] Fatal error during migration
Michal Skrivanek <michal.skrivanek(a)redhat.com> wrote on 20.09.2012 16:23:31:
> From: Michal Skrivanek <michal.skrivanek(a)redhat.com>
> To: Dmitriy A Pyryakov <DPyryakov(a)ekb.beeline.ru>
> Cc: users(a)ovirt.org
> Date: 20.09.2012 16:24
> Subject: Re: [Users] Fatal error during migration
> On Sep 20, 2012, at 12:19 , Dmitriy A Pyryakov wrote:
> > Michal Skrivanek <michal.skrivanek(a)redhat.com> wrote on 20.09.2012 16:13:16:
>
> > > From: Michal Skrivanek <michal.skrivanek(a)redhat.com>
> > > To: Dmitriy A Pyryakov <DPyryakov(a)ekb.beeline.ru>
> > > Cc: users(a)ovirt.org
> > > Date: 20.09.2012 16:13
> > > Subject: Re: [Users] Fatal error during migration
> >
> >
> > > On Sep 20, 2012, at 12:07 , Dmitriy A Pyryakov wrote:
> >
> > > > Michal Skrivanek <michal.skrivanek(a)redhat.com> wrote on 20.09.2012 16:02:11:
> > >
> > > > > From: Michal Skrivanek <michal.skrivanek(a)redhat.com>
> > > > > To: Dmitriy A Pyryakov <DPyryakov(a)ekb.beeline.ru>
> > > > > Cc: users(a)ovirt.org
> > > > > Date: 20.09.2012 16:02
> > > > > Subject: Re: [Users] Fatal error during migration
> > > >
> > > > > Hi,
> > > > > well, so what is the other side saying? Maybe some connectivity problems between those 2 hosts? firewall?
> > > >
> > > > > Thanks,
> > > > > michal
> > >
> > > > Yes, firewall is not configured properly by default. If I stop it, migration is done.
> > > > Thanks.
> > > The default is supposed to be:
> >
> > > # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
> > > *filter
> > > :INPUT ACCEPT [0:0]
> > > :FORWARD ACCEPT [0:0]
> > > :OUTPUT ACCEPT [0:0]
> > > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > -A INPUT -p icmp -j ACCEPT
> > > -A INPUT -i lo -j ACCEPT
> > > # vdsm
> > > -A INPUT -p tcp --dport 54321 -j ACCEPT
> > > # libvirt tls
> > > -A INPUT -p tcp --dport 16514 -j ACCEPT
> > > # SSH
> > > -A INPUT -p tcp --dport 22 -j ACCEPT
> > > # guest consoles
> > > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> > > # migration
> > > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> > > # snmp
> > > -A INPUT -p udp --dport 161 -j ACCEPT
> > > # Reject any other input traffic
> > > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> > > COMMIT
>
> > my default is:
>
> > # cat /etc/sysconfig/iptables
> > # oVirt automatically generated firewall configuration
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > -A INPUT -p icmp -j ACCEPT
> > -A INPUT -i lo -j ACCEPT
> > #vdsm
> > -A INPUT -p tcp --dport 54321 -j ACCEPT
> > # SSH
> > -A INPUT -p tcp --dport 22 -j ACCEPT
> > # guest consoles
> > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> > # migration
> > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> > # snmp
> > -A INPUT -p udp --dport 161 -j ACCEPT
> > #
> > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> > COMMIT
>
> >
> > > did you change it manually or is the default missing anything?
>
> > default missing "libvirt tls" field.
> was it an upgrade of some sort?
No.
> These are installed at node setup
> from ovirt-engine. Check the engine version and/or the
> IPTablesConfig in vdc_options table on engine
oVirt engine version: 3.1.0-2.fc17
engine=# select * from vdc_options where option_id=100;
option_id | option_name | option_value | version
-----------+----------------+-------------------------------------------------------------------------------------------+---------
100 | IPTablesConfig | # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.+| general
| | *filter +|
| | :INPUT ACCEPT [0:0] +|
| | :FORWARD ACCEPT [0:0] +|
| | :OUTPUT ACCEPT [0:0] +|
| | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +|
| | -A INPUT -p icmp -j ACCEPT +|
| | -A INPUT -i lo -j ACCEPT +|
| | # vdsm +|
| | -A INPUT -p tcp --dport 54321 -j ACCEPT +|
| | # libvirt tls +|
| | -A INPUT -p tcp --dport 16514 -j ACCEPT +|
| | # SSH +|
| | -A INPUT -p tcp --dport 22 -j ACCEPT +|
| | # guest consoles +|
| | -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT +|
| | # migration +|
| | -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT +|
| | # snmp +|
| | -A INPUT -p udp --dport 161 -j ACCEPT +|
| | # Reject any other input traffic +|
| | -A INPUT -j REJECT --reject-with icmp-host-prohibited +|
| | -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited+|
| | COMMIT +|
| | |
IPTablesConfig is right.
When I add my nodes to engine, I just approve it. I don't have an "Automatically configure host firewall" option.
(Added Mike Burns)
Right.
This is the diff between ovirt node and Fedora based node.
In oVirt node we expect the FW to have all relevant settings.
Mike, do we have these ports opened in the node?
Was it changed?
Yes, the ports are open and no, it hasn't changed in a long time:
cat > /etc/sysconfig/iptables << \EOF
# oVirt automatically generated firewall configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
#
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
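The thread above is resolved by eyeballing two iptables rule sets and spotting that the node's default lacks the "libvirt tls" ACCEPT for tcp/16514. The following is an added example (not code from the thread, from oVirt or from vdsm) that automates that comparison: it parses the engine's IPTablesConfig and a node's /etc/sysconfig/iptables in iptables-restore format, reports which INPUT ACCEPT rules the engine expects but the node lacks, and also flags ACCEPT rules that were appended after the chain's final REJECT, where iptables never reaches them (a common way a "fix" appears to be applied but changes nothing). Both embedded rule sets are copied from the thread; the function names, the regular expressions and the hypothetical misplaced-rule sample in the usage section are mine.

```python
"""Compare an oVirt node's iptables rules against the engine's expected IPTablesConfig."""
import re
from typing import Dict, List, Tuple

# (protocol, low port, high port) identifies one INPUT ACCEPT rule
PortRule = Tuple[str, int, int]

# An INPUT ACCEPT written as "--dport N" or "-m multiport --dports A:B" (regex is my assumption)
ACCEPT_RE = re.compile(
    r"^-A INPUT -p (?P<proto>tcp|udp)(?: -m multiport)? "
    r"--dports? (?P<ports>\d+(?::\d+)?) -j ACCEPT$"
)
# The catch-all that ends the INPUT chain; any ACCEPT after it is dead
FINAL_REJECT_RE = re.compile(r"^-A INPUT -j (REJECT|DROP)\b")

# Engine-side IPTablesConfig (vdc_options option_id=100), copied from the thread
ENGINE_IPTABLES = """# oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# libvirt tls
-A INPUT -p tcp --dport 16514 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# oVirt node's shipped /etc/sysconfig/iptables, copied from the thread
NODE_IPTABLES = """# oVirt automatically generated firewall configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
#
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_input_accepts(config: str) -> Dict[PortRule, str]:
    """Return the reachable INPUT ACCEPT rules, each mapped to the comment above it."""
    rules: Dict[PortRule, str] = {}
    last_comment = ""
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            last_comment = line.lstrip("# ").strip()  # "# libvirt tls" -> "libvirt tls"
            continue
        if FINAL_REJECT_RE.match(line):
            break  # rules after the catch-all are never evaluated
        m = ACCEPT_RE.match(line)
        if not m:
            continue  # state/icmp/lo rules and FORWARD rules are not port openings
        ports = m.group("ports").split(":")
        low, high = int(ports[0]), int(ports[-1])  # single port => low == high
        rules[(m.group("proto"), low, high)] = last_comment
        last_comment = ""
    return rules


def missing_accepts(expected_cfg: str, actual_cfg: str) -> Dict[PortRule, str]:
    """Rules the engine expects that the node's firewall does not open (with their comments)."""
    expected = parse_input_accepts(expected_cfg)
    actual = parse_input_accepts(actual_cfg)
    return {rule: why for rule, why in expected.items() if rule not in actual}


def unreachable_accepts(config: str) -> List[str]:
    """ACCEPT rules placed after the INPUT catch-all; iptables never reaches them."""
    dead: List[str] = []
    past_catchall = False
    for raw in config.splitlines():
        line = raw.strip()
        if FINAL_REJECT_RE.match(line):
            past_catchall = True
        elif past_catchall and ACCEPT_RE.match(line):
            dead.append(line)
    return dead


def describe(rule: PortRule, why: str) -> str:
    """Human-readable form such as 'tcp/16514 (libvirt tls)'."""
    proto, low, high = rule
    span = str(low) if low == high else f"{low}:{high}"
    return f"{proto}/{span} ({why or 'no comment'})"


if __name__ == "__main__":
    gaps = missing_accepts(ENGINE_IPTABLES, NODE_IPTABLES)
    for rule in sorted(gaps):
        print("node is missing:", describe(rule, gaps[rule]))
    # Hypothetical "fix" that appends the rule after the final REJECT: still reported as missing
    misplaced = NODE_IPTABLES.replace("COMMIT", "-A INPUT -p tcp --dport 16514 -j ACCEPT\nCOMMIT")
    for line in unreachable_accepts(misplaced):
        print("unreachable rule:", line)
```

On a real node the two inputs would come from `psql -t -c "select option_value from vdc_options where option_id=100" engine` on the engine and from `/etc/sysconfig/iptables` on the host; the parser deliberately stops at the first `-A INPUT -j REJECT`/`DROP`, so a port opened by appending a rule to the end of the file is reported as missing rather than as present.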