Well, looks like 16514 is not open on node. I guess it should, tls migration is new in 3.1, isn't it?
On 20 Sep 2012, at 15:25, Mike Burns <mburns(a)redhat.com> wrote:
On Thu, 2012-09-20 at 06:46 -0400, Doron Fediuck wrote:
>
> ______________________________________________________________________
> From: "Dmitriy A Pyryakov" <DPyryakov(a)ekb.beeline.ru>
> To: "Michal Skrivanek" <michal.skrivanek(a)redhat.com>
> Cc: users(a)ovirt.org
> Sent: Thursday, September 20, 2012 1:34:46 PM
> Subject: Re: [Users] Fatal error during migration
>
>
>
> Michal Skrivanek <michal.skrivanek(a)redhat.com> wrote on 20.09.2012 16:23:31:
>
>> From: Michal Skrivanek <michal.skrivanek(a)redhat.com>
>> To: Dmitriy A Pyryakov <DPyryakov(a)ekb.beeline.ru>
>> Cc: users(a)ovirt.org
>> Date: 20.09.2012 16:24
>> Subject: Re: [Users] Fatal error during migration
>>
>>
>> On Sep 20, 2012, at 12:19 , Dmitriy A Pyryakov wrote:
>>
>>> Michal Skrivanek <michal.skrivanek(a)redhat.com> wrote on 20.09.2012 16:13:16:
>>>
>>>> From: Michal Skrivanek <michal.skrivanek(a)redhat.com>
>>>> To: Dmitriy A Pyryakov <DPyryakov(a)ekb.beeline.ru>
>>>> Cc: users(a)ovirt.org
>>>> Date: 20.09.2012 16:13
>>>> Subject: Re: [Users] Fatal error during migration
>>>>
>>>>
>>>> On Sep 20, 2012, at 12:07 , Dmitriy A Pyryakov wrote:
>>>>
>>>>> Michal Skrivanek <michal.skrivanek(a)redhat.com> wrote on 20.09.2012 16:02:11:
>>>>>
>>>>>> From: Michal Skrivanek <michal.skrivanek(a)redhat.com>
>>>>>> To: Dmitriy A Pyryakov <DPyryakov(a)ekb.beeline.ru>
>>>>>> Cc: users(a)ovirt.org
>>>>>> Date: 20.09.2012 16:02
>>>>>> Subject: Re: [Users] Fatal error during migration
>>>>>>
>>>>>> Hi,
>>>>>> well, so what is the other side saying? Maybe some connectivity
>>>>>> problems between those 2 hosts? firewall?
>>>>>>
>>>>>> Thanks,
>>>>>> michal
>>>>>
>>>>> Yes, firewall is not configured properly by default. If I stop it,
>>>>> migration done.
>>>>> Thanks.
>>>> The default is supposed to be:
>>>>
>>>> # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
>>>> *filter
>>>> :INPUT ACCEPT [0:0]
>>>> :FORWARD ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [0:0]
>>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>> -A INPUT -p icmp -j ACCEPT
>>>> -A INPUT -i lo -j ACCEPT
>>>> # vdsm
>>>> -A INPUT -p tcp --dport 54321 -j ACCEPT
>>>> # libvirt tls
>>>> -A INPUT -p tcp --dport 16514 -j ACCEPT
>>>> # SSH
>>>> -A INPUT -p tcp --dport 22 -j ACCEPT
>>>> # guest consoles
>>>> -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
>>>> # migration
>>>> -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
>>>> # snmp
>>>> -A INPUT -p udp --dport 161 -j ACCEPT
>>>> # Reject any other input traffic
>>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>>> -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
>>>> COMMIT
>>>
>>> my default is:
>>>
>>> # cat /etc/sysconfig/iptables
>>> # oVirt automatically generated firewall configuration
>>> *filter
>>> :INPUT ACCEPT [0:0]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [0:0]
>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> -A INPUT -p icmp -j ACCEPT
>>> -A INPUT -i lo -j ACCEPT
>>> #vdsm
>>> -A INPUT -p tcp --dport 54321 -j ACCEPT
>>> # SSH
>>> -A INPUT -p tcp --dport 22 -j ACCEPT
>>> # guest consoles
>>> -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
>>> # migration
>>> -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
>>> # snmp
>>> -A INPUT -p udp --dport 161 -j ACCEPT
>>> #
>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>> -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
>>> COMMIT
>>>
>>>>
>>>> did you change it manually or is the default missing anything?
>>>
>>> default is missing the "libvirt tls" field.
>> was it an upgrade of some sort?
> No.
>
>> These are installed at node setup
>> from ovirt-engine. Check the engine version and/or the
>> IPTablesConfig in vdc_options table on engine
>
> oVirt engine version: 3.1.0-2.fc17
>
> engine=# select * from vdc_options where option_id=100;
>  option_id |  option_name   |                                       option_value                                        | version
> -----------+----------------+-------------------------------------------------------------------------------------------+---------
>        100 | IPTablesConfig | # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.+| general
>            |                | *filter                                                                                  +|
>            |                | :INPUT ACCEPT [0:0]                                                                      +|
>            |                | :FORWARD ACCEPT [0:0]                                                                    +|
>            |                | :OUTPUT ACCEPT [0:0]                                                                     +|
>            |                | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT                                  +|
>            |                | -A INPUT -p icmp -j ACCEPT                                                               +|
>            |                | -A INPUT -i lo -j ACCEPT                                                                 +|
>            |                | # vdsm                                                                                   +|
>            |                | -A INPUT -p tcp --dport 54321 -j ACCEPT                                                  +|
>            |                | # libvirt tls                                                                            +|
>            |                | -A INPUT -p tcp --dport 16514 -j ACCEPT                                                  +|
>            |                | # SSH                                                                                    +|
>            |                | -A INPUT -p tcp --dport 22 -j ACCEPT                                                     +|
>            |                | # guest consoles                                                                         +|
>            |                | -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT                                +|
>            |                | # migration                                                                              +|
>            |                | -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT                              +|
>            |                | # snmp                                                                                   +|
>            |                | -A INPUT -p udp --dport 161 -j ACCEPT                                                    +|
>            |                | # Reject any other input traffic                                                         +|
>            |                | -A INPUT -j REJECT --reject-with icmp-host-prohibited                                    +|
>            |                | -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited+|
>            |                | COMMIT                                                                                   +|
>            |                |                                                                                           |
>
> IPTablesConfig is right.
>
> When I add my nodes to engine, I just approve it. I don't have
> an "Automatically configure host firewall" option.
>
>
>
> (Added Mike Burns)
> Right.
> This is the diff between ovirt node and Fedora based node.
> In oVirt node we expect the FW to have all relevant settings.
>
> Mike, do we have these ports opened in the node?
> Was it changed?
Yes, the ports are open and no, it hasn't changed in a long time:
cat > /etc/sysconfig/iptables << \EOF
# oVirt automatically generated firewall configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
#
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
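A check for the kind of gap discussed in this thread, added here as an example and not code from the oVirt project or from anyone on the list: it parses an iptables-save style ruleset like the ones quoted above and reports which of the ports the engine's IPTablesConfig expects (taken from the vdc_options row shown in the thread) have no accepting INPUT rule. The embedded ruleset is constructed from the oVirt Node configuration Mike posted, with comment lines dropped.

```python
import re

# Ports an oVirt 3.1 host should accept, taken from the engine's
# IPTablesConfig quoted in the thread: (protocol, low port, high port).
EXPECTED = {
    ("tcp", 54321, 54321),   # vdsm
    ("tcp", 16514, 16514),   # libvirt tls, used by TLS migration
    ("tcp", 22, 22),         # SSH
    ("tcp", 5634, 6166),     # guest consoles
    ("tcp", 49152, 49216),   # migration
    ("udp", 161, 161),       # snmp
}

# Constructed sample: the oVirt Node ruleset from the thread with the
# comment lines dropped; note it has no libvirt TLS (16514) rule.
NODE_RULES = """\
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 54321 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# An accepting INPUT rule for tcp/udp with --dport N or, for multiport,
# --dports LOW:HIGH, as written in iptables-save output.
RULE = re.compile(r"^-A INPUT\s+-p\s+(tcp|udp)\b.*?--dports?\s+"
                  r"(\d+)(?::(\d+))?.*?-j ACCEPT\s*$")

def accepted_ranges(ruleset):
    """Return the set of (proto, low, high) accepted by INPUT rules."""
    found = set()
    for line in ruleset.splitlines():
        m = RULE.match(line.strip())
        if m:
            proto, low, high = m.group(1), int(m.group(2)), m.group(3)
            found.add((proto, low, int(high) if high else low))
    return found

def missing_ports(ruleset, expected=EXPECTED):
    """Expected ranges that no single accepting rule fully covers."""
    have = accepted_ranges(ruleset)
    def covered(p, lo, hi):
        return any(q == p and l <= lo and hi <= h for q, l, h in have)
    return sorted(r for r in expected if not covered(*r))
```

Calling missing_ports(NODE_RULES) returns [("tcp", 16514, 16514)], the libvirt TLS port this thread found closed; to check a live host, pass the contents of /etc/sysconfig/iptables instead of the sample.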