On Tue, Jan 15, 2013 at 2:22 PM, Yaniv Kaul wrote:
iptables?

engine was configured asking to set up / override iptables, so I thought it had to be ok.

...
oVirt Engine will be installed using the following configuration:
=================================================================
override-httpd-config:         yes
http-port:                     80
https-port:                    443
host-fqdn:                     f18engine.Xxxxt
auth-pass:                     ********
org-name:                      YYYYY
default-dc-type:               ISCSI
db-remote-install:             local
db-local-pass:                 ********
nfs-mp:                        /ISO
config-nfs:                    yes
override-iptables:             yes
Proceed with the configuration listed above? (yes|no): yes
...
Configuring Firewall (iptables)...                       [ DONE ]
...

In engine setup log file:

...
2013-01-12 15:00:38::DEBUG::engine-setup::886::root:: configuring iptables
2013-01-12 15:00:38::DEBUG::engine-setup::917::root:: # Generated by ovirt-engine installer
#filtering rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 892 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 875 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 875 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 662 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 662 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 32769 -j ACCEPT
#drop all rule
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

2013-01-12 15:00:38::DEBUG::common_utils::699::root:: successfully copied file /etc/ovirt-engine/iptables.example to target destination /etc/sysconfig/iptables
2013-01-12 15:00:38::DEBUG::common_utils::707::root:: setting file /etc/sysconfig/iptables uid/gid ownership
2013-01-12 15:00:38::DEBUG::common_utils::710::root:: setting file /etc/sysconfig/iptables mode to -1
2013-01-12 15:00:38::DEBUG::engine-setup::932::root:: Restarting the iptables service
2013-01-12 15:00:38::DEBUG::common_utils::1208::root:: stopping iptables
2013-01-12 15:00:38::DEBUG::common_utils::1245::root:: executing action iptables on service stop
2013-01-12 15:00:38::DEBUG::common_utils::427::root:: Executing command --> '/sbin/service iptables stop'
2013-01-12 15:00:38::DEBUG::common_utils::465::root:: output = 
2013-01-12 15:00:38::DEBUG::common_utils::466::root:: stderr = Redirecting to /bin/systemctl stop  iptables.service

2013-01-12 15:00:38::DEBUG::common_utils::467::root:: retcode = 0
2013-01-12 15:00:38::DEBUG::common_utils::1198::root:: starting iptables
2013-01-12 15:00:38::DEBUG::common_utils::1245::root:: executing action iptables on service start
2013-01-12 15:00:38::DEBUG::common_utils::427::root:: Executing command --> '/sbin/service iptables start'
2013-01-12 15:00:38::DEBUG::common_utils::465::root:: output = 
2013-01-12 15:00:38::DEBUG::common_utils::466::root:: stderr = Redirecting to /bin/systemctl start  iptables.service

2013-01-12 15:00:38::DEBUG::common_utils::467::root:: retcode = 0
2013-01-12 15:00:38::DEBUG::setup_sequences::59::root:: running _startEngine
...
BTW: I have a similar problem with an all-in-one f18 + ovirt nightly setup running as a VM 

after engine-upgrade to 3.2.0-1.20130115.git2970f58

I'm not able to reach the webadmin portal from the host, but only if, for example, I run firefox from inside the engine itself exporting the DISPLAY env var.

What would be the config expected for an f18 engine?


In my case:

1) engine standalone as physical server
It seems I have
firewalld enabled
iptables disabled
ip6tables disabled
ebtables ?

but setup should have enabled it from the options chosen.... but I don't see it in the logfile, while I see

 2013-01-12 15:00:38::DEBUG::engine-setup::1567::root:: using chkconfig to enable engine to load on system startup.
2013-01-12 15:00:38::DEBUG::common_utils::427::root:: Executing command --> '/sbin/chkconfig ovirt-engine on'
2013-01-12 15:00:38::DEBUG::common_utils::465::root:: output = 
2013-01-12 15:00:38::DEBUG::common_utils::466::root:: stderr = Note: Forwarding request to 'systemctl enable ovirt-engine.service'.
ln -s '/usr/lib/systemd/system/ovirt-engine.service' '/etc/systemd/system/multi-user.target.wants/ovirt-engine.service'

So could it be a bug not enabling iptables during engine-setup???

At this moment my situation:
# systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
 Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
 Active: active (running) since Tue, 2013-01-15 13:38:40 CET; 1h 17min ago
Main PID: 469 (firewalld)
 CGroup: name=systemd:/system/firewalld.service
 └ 469 /usr/bin/python -Es /usr/sbin/firewalld --nofork

Jan 15 13:38:40 f18engine systemd[1]: Started firewalld - dynamic firewall daemon.

# systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
 Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
 Active: inactive (dead)
 CGroup: name=systemd:/system/iptables.service


# systemctl status ip6tables.service
ip6tables.service - IPv6 firewall with ip6tables
 Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled)
 Active: inactive (dead)
 CGroup: name=systemd:/system/ip6tables.service


# systemctl status ebtables.service
ebtables.service - SYSV: Ethernet Bridge filtering tables
 Loaded: loaded (/etc/rc.d/init.d/ebtables)
 Active: inactive (dead)
 CGroup: name=systemd:/system/ebtables.service

# systemctl show ebtables.service| grep onflict
Conflicts=shutdown.target
ConflictedBy=firewalld.service

so there is a problem between ebtables and firewalld (but perhaps this service has to run only on hypervisor and not engine?)


2) engine configured as an all-in-one in a vm

[g.cecchi@f18aio ~]$ sudo systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
 Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
 Active: inactive (dead)
 CGroup: name=systemd:/system/firewalld.service

[g.cecchi@f18aio ~]$ sudo systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
 Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
 Active: active (exited) since Tue, 2013-01-15 14:42:46 CET; 18min ago
Process: 31480 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
Process: 31523 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 CGroup: name=systemd:/system/iptables.service

Jan 15 14:42:46 f18aio.localdomain.local systemd[1]: Starting IPv4 firewall with iptables...
Jan 15 14:42:46 f18aio.localdomain.local iptables.init[31523]: iptables: Applying firewall rules: WARNING: The state match is ob...tead.
Jan 15 14:42:46 f18aio.localdomain.local iptables.init[31523]: [  OK  ]
Jan 15 14:42:46 f18aio.localdomain.local systemd[1]: Started IPv4 firewall with iptables.

[g.cecchi@f18aio ~]$ sudo systemctl status ip6tables.service
ip6tables.service - IPv6 firewall with ip6tables
 Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled)
 Active: inactive (dead)
 CGroup: name=systemd:/system/ip6tables.service

[g.cecchi@f18aio ~]$ sudo systemctl status ebtables.service
ebtables.service - SYSV: Ethernet Bridge filtering tables
 Loaded: loaded (/etc/rc.d/init.d/ebtables)
 Active: inactive (dead)
 CGroup: name=systemd:/system/ebtables.service

Gianluca
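The situation described in the thread (engine-setup writes a ruleset to /etc/sysconfig/iptables and restarts the iptables service, but the unit stays disabled while firewalld is the one actually running) is the kind of mismatch that is easy to verify from the shell. The script below is an added example, not code from the thread or from oVirt: it parses an iptables-save style rules file, parses the live ruleset in the format `iptables -S INPUT` prints, and reports every port the file opens that is not actually enforced, plus a check on the systemd unit states. Both inputs are constructed samples (a subset of the thread's generated rules, and an invented live ruleset with only 22/80/443 open) so it runs offline; the `enabled`/`active` strings are the ones `systemctl is-enabled` and `systemctl is-active` print.

```shell
#!/bin/sh
# Added example (not from the thread or oVirt): check whether the rules
# engine-setup wrote to /etc/sysconfig/iptables are actually in force.

# Constructed sample: a rules file in the shape engine-setup generates
# (a subset of the ports from the thread's setup log).
SAMPLE_RULES=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 32769 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)

# Constructed sample: what `iptables -S INPUT` might print on a host where
# the rules file was never loaded at boot and only ssh/http/https are open.
SAMPLE_ACTIVE=$(cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
)

# Read iptables-save / `iptables -S` style rules on stdin and print the
# proto/port pairs opened for NEW connections, one per line, sorted.
# Matches both the old "-m state --state NEW" and "-m conntrack --ctstate NEW".
ports_from_rules() {
  awk '/^-A INPUT/ && /--(ct)?state NEW/ && /-j ACCEPT/ {
         proto = ""; port = ""
         for (i = 1; i <= NF; i++) {
           if ($i == "-p") proto = $(i + 1)
           if ($i == "--dport") port = $(i + 1)
         }
         if (proto != "" && port != "") print proto "/" port
       }' | LC_ALL=C sort -u
}

# Print every proto/port the rules file ($1) opens that the live ruleset ($2)
# does not accept.  Empty output means the file is fully enforced.
missing_ports() {
  expected=$(printf '%s\n' "$1" | ports_from_rules)
  active=$(printf '%s\n' "$2" | ports_from_rules)
  for p in $expected; do
    printf '%s\n' "$active" | grep -qxF "$p" || printf '%s\n' "$p"
  done
}

# Succeed only when the unit states mean the rules file survives a reboot:
#   $1 = `systemctl is-enabled iptables`   (enabled / disabled)
#   $2 = `systemctl is-active iptables`    (active / inactive)
#   $3 = `systemctl is-active firewalld`   (active / inactive)
# A restart without an enable, as in the thread's setup log, leaves $1 at
# "disabled"; an active firewalld alongside means another daemon owns the tables.
units_consistent() {
  [ "$1" = "enabled" ] && [ "$2" = "active" ] && [ "$3" != "active" ]
}

# Report over the constructed samples when run directly.
echo "ports in the rules file that are not enforced:"
missing_ports "$SAMPLE_RULES" "$SAMPLE_ACTIVE"
```

On a real engine host the same functions take live input: `missing_ports "$(cat /etc/sysconfig/iptables)" "$(iptables -S INPUT)"` as root, and `units_consistent "$(systemctl is-enabled iptables)" "$(systemctl is-active iptables)" "$(systemctl is-active firewalld)"`. A non-empty port list together with a failing unit check points at exactly the restart-without-enable plus active-firewalld combination seen in the thread.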