
On Tue, Jan 15, 2013 at 2:22 PM, Yaniv Kaul wrote:
iptables?
engine was configured asking to set up / override iptables, so I thought it had to be ok.

...
oVirt Engine will be installed using the following configuration:
=================================================================
override-httpd-config: yes
http-port:             80
https-port:            443
host-fqdn:             f18engine.Xxxxt
auth-pass:             ********
org-name:              YYYYY
default-dc-type:       ISCSI
db-remote-install:     local
db-local-pass:         ********
nfs-mp:                /ISO
config-nfs:            yes
override-iptables:     yes
Proceed with the configuration listed above? (yes|no): yes
...
Configuring Firewall (iptables)...                     [ DONE ]
...

In engine setup log file:
...
2013-01-12 15:00:38::DEBUG::engine-setup::886::root:: configuring iptables
2013-01-12 15:00:38::DEBUG::engine-setup::917::root::
# Generated by ovirt-engine installer
#filtering rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 892 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 875 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 875 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 662 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 662 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 32769 -j ACCEPT
#drop all rule
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
2013-01-12 15:00:38::DEBUG::common_utils::699::root:: successfully copied file /etc/ovirt-engine/iptables.example to target destination /etc/sysconfig/iptables
2013-01-12 15:00:38::DEBUG::common_utils::707::root:: setting file /etc/sysconfig/iptables uid/gid ownership
2013-01-12 15:00:38::DEBUG::common_utils::710::root:: setting file /etc/sysconfig/iptables mode to -1
2013-01-12 15:00:38::DEBUG::engine-setup::932::root:: Restarting the iptables service
2013-01-12 15:00:38::DEBUG::common_utils::1208::root:: stopping iptables
2013-01-12 15:00:38::DEBUG::common_utils::1245::root:: executing action iptables on service stop
2013-01-12 15:00:38::DEBUG::common_utils::427::root:: Executing command --> '/sbin/service iptables stop'
2013-01-12 15:00:38::DEBUG::common_utils::465::root:: output =
2013-01-12 15:00:38::DEBUG::common_utils::466::root:: stderr = Redirecting to /bin/systemctl stop iptables.service
2013-01-12 15:00:38::DEBUG::common_utils::467::root:: retcode = 0
2013-01-12 15:00:38::DEBUG::common_utils::1198::root:: starting iptables
2013-01-12 15:00:38::DEBUG::common_utils::1245::root:: executing action iptables on service start
2013-01-12 15:00:38::DEBUG::common_utils::427::root:: Executing command --> '/sbin/service iptables start'
2013-01-12 15:00:38::DEBUG::common_utils::465::root:: output =
2013-01-12 15:00:38::DEBUG::common_utils::466::root:: stderr = Redirecting to /bin/systemctl start iptables.service
2013-01-12 15:00:38::DEBUG::common_utils::467::root:: retcode = 0
2013-01-12 15:00:38::DEBUG::setup_sequences::59::root:: running _startEngine
...

BTW: I have a similar problem with an all-in-one f18 + ovirt nightly setup running as a VM after engine-upgrade to 3.2.0-1.20130115.git2970f58
I'm not able to reach webadmin portal from the host but only if for example I run firefox from inside the engine itself exporting DISPLAY env var.

What would be the config expected for an f18 engine?

In my case:

1) engine standalone as physical server
It seems I have
firewalld enabled
iptables disabled
ip6tables disabled
ebtables ?
but setup should have enabled it from the options chosen.... but I don't see it in logfile, while I see

2013-01-12 15:00:38::DEBUG::engine-setup::1567::root:: using chkconfig to enable engine to load on system startup.
2013-01-12 15:00:38::DEBUG::common_utils::427::root:: Executing command --> '/sbin/chkconfig ovirt-engine on'
2013-01-12 15:00:38::DEBUG::common_utils::465::root:: output =
2013-01-12 15:00:38::DEBUG::common_utils::466::root:: stderr = Note: Forwarding request to 'systemctl enable ovirt-engine.service'.
ln -s '/usr/lib/systemd/system/ovirt-engine.service' '/etc/systemd/system/multi-user.target.wants/ovirt-engine.service'

So could it be a bug not enabling iptables during engine-setup???

At this moment my situation:

# systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
          Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
          Active: active (running) since Tue, 2013-01-15 13:38:40 CET; 1h 17min ago
        Main PID: 469 (firewalld)
          CGroup: name=systemd:/system/firewalld.service
                  └ 469 /usr/bin/python -Es /usr/sbin/firewalld --nofork

Jan 15 13:38:40 f18engine systemd[1]: Started firewalld - dynamic firewall daemon.

# systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
          Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
          Active: inactive (dead)
          CGroup: name=systemd:/system/iptables.service

# systemctl status ip6tables.service
ip6tables.service - IPv6 firewall with ip6tables
          Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled)
          Active: inactive (dead)
          CGroup: name=systemd:/system/ip6tables.service

# systemctl status ebtables.service
ebtables.service - SYSV: Ethernet Bridge filtering tables
          Loaded: loaded (/etc/rc.d/init.d/ebtables)
          Active: inactive (dead)
          CGroup: name=systemd:/system/ebtables.service

# systemctl show ebtables.service| grep onflict
Conflicts=shutdown.target
ConflictedBy=firewalld.service

so there is a problem between ebtables and firewalld (but perhaps this service has to run only on hypervisor and not engine?)

2) engine configured as an all-in-one in a vm

[g.cecchi@f18aio ~]$ sudo systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
          Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
          Active: inactive (dead)
          CGroup: name=systemd:/system/firewalld.service

[g.cecchi@f18aio ~]$ sudo systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
          Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
          Active: active (exited) since Tue, 2013-01-15 14:42:46 CET; 18min ago
         Process: 31480 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
         Process: 31523 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
          CGroup: name=systemd:/system/iptables.service

Jan 15 14:42:46 f18aio.localdomain.local systemd[1]: Starting IPv4 firewall with iptables...
Jan 15 14:42:46 f18aio.localdomain.local iptables.init[31523]: iptables: Applying firewall rules: WARNING: The state match is ob...tead.
Jan 15 14:42:46 f18aio.localdomain.local iptables.init[31523]: [  OK  ]
Jan 15 14:42:46 f18aio.localdomain.local systemd[1]: Started IPv4 firewall with iptables.

[g.cecchi@f18aio ~]$ sudo systemctl status ip6tables.service
ip6tables.service - IPv6 firewall with ip6tables
          Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled)
          Active: inactive (dead)
          CGroup: name=systemd:/system/ip6tables.service

[g.cecchi@f18aio ~]$ sudo systemctl status ebtables.service
ebtables.service - SYSV: Ethernet Bridge filtering tables
          Loaded: loaded (/etc/rc.d/init.d/ebtables)
          Active: inactive (dead)
          CGroup: name=systemd:/system/ebtables.service

Gianluca
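The situation the message describes (engine-setup wrote a rule file to /etc/sysconfig/iptables, but firewalld is the active service and iptables.service is disabled, so that file is not the policy the kernel enforces) can be checked mechanically. The script below is an added example, not part of the thread or of oVirt; it parses a rule file in the iptables-save format quoted above to list what it would open, and takes the two service states as arguments so it can run offline against a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread: list what an iptables-save style rule
# file (as engine-setup wrote to /etc/sysconfig/iptables) would open, and
# flag the case where iptables.service is not the active firewall, so that
# file is not what the kernel is actually enforcing.

# Constructed sample: a subset of the rule set quoted in the message.
SAMPLE_RULES='# Generated by ovirt-engine installer
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print "proto/port" for every INPUT ACCEPT rule that matches a --dport,
# one per line, in file order.  $1 is the rule text.
accepted_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-j ACCEPT/ && /--dport/ {
            proto = "any"; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            print proto "/" port
        }'
}

# Return 0 when iptables.service owns the firewall (active, with firewalld
# not active), 1 otherwise.  $1 and $2 are the strings "systemctl is-active"
# prints for firewalld and iptables respectively.
rules_enforced() {
    [ "$2" = "active" ] && [ "$1" != "active" ]
}

# On a real host (not run here):
#   accepted_ports "$(cat /etc/sysconfig/iptables)"
#   rules_enforced "$(systemctl is-active firewalld)" "$(systemctl is-active iptables)" \
#       || echo "WARNING: /etc/sysconfig/iptables is not the enforced policy"
```

On the standalone engine in the message (firewalld active, iptables inactive) the check fails, which is the defender's signal that the reachable ports are whatever firewalld's zone allows, not the list engine-setup wrote.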