
On Fri, 2012-09-21 at 01:58 -0400, Michal Skrivanek wrote:
Well, looks like 16514 is not open on node. I guess it should be; TLS migration is new in 3.1, isn't it?
I'm surprised this wasn't caught earlier. I've submitted a patch to add the port to the default firewall [1].

You can run the following command to open the firewall port manually on ovirt-node:

python -c 'from ovirtnode.ovirtfunctions import *; manage_firewall_port("16514","open","tcp")'

To make it work across reboots, do the following:

1. Press F2 on the TUI to get a shell
2. scp the attached patch file to /tmp on ovirt-node (you need to initiate this from ovirt-node, not from your local machine)
3. on ovirt-node, run
   # mount -o remount,rw /
4. cd /usr/libexec
5. patch </tmp/0001*patch
6. persist /usr/libexec/ovirt-init-functions
7. Reboot

When the machine comes back up, you should see that the port is open:

iptables -L

Mike

[1] http://gerrit.ovirt.org/8116
On 20 Sep 2012, at 15:25, Mike Burns <mburns@redhat.com> wrote:
On Thu, 2012-09-20 at 06:46 -0400, Doron Fediuck wrote:
From: "Dmitriy A Pyryakov" <DPyryakov@ekb.beeline.ru>
To: "Michal Skrivanek" <michal.skrivanek@redhat.com>
Cc: users@ovirt.org
Sent: Thursday, September 20, 2012 1:34:46 PM
Subject: Re: [Users] Fatal error during migration
Michal Skrivanek <michal.skrivanek@redhat.com> wrote on 20.09.2012 16:23:31:

From: Michal Skrivanek <michal.skrivanek@redhat.com>
To: Dmitriy A Pyryakov <DPyryakov@ekb.beeline.ru>
Cc: users@ovirt.org
Date: 20.09.2012 16:24
Subject: Re: [Users] Fatal error during migration
On Sep 20, 2012, at 12:19 , Dmitriy A Pyryakov wrote:
Michal Skrivanek <michal.skrivanek@redhat.com> wrote on 20.09.2012 16:13:16:

From: Michal Skrivanek <michal.skrivanek@redhat.com>
To: Dmitriy A Pyryakov <DPyryakov@ekb.beeline.ru>
Cc: users@ovirt.org
Date: 20.09.2012 16:13
Subject: Re: [Users] Fatal error during migration
On Sep 20, 2012, at 12:07 , Dmitriy A Pyryakov wrote:
> Michal Skrivanek <michal.skrivanek@redhat.com> wrote on 20.09.2012 16:02:11:
>
>> From: Michal Skrivanek <michal.skrivanek@redhat.com>
>> To: Dmitriy A Pyryakov <DPyryakov@ekb.beeline.ru>
>> Cc: users@ovirt.org
>> Date: 20.09.2012 16:02
>> Subject: Re: [Users] Fatal error during migration
>>
>> Hi,
>> well, so what is the other side saying? Maybe some connectivity problems between those 2 hosts? firewall?
>>
>> Thanks,
>> michal
>
> Yes, firewall is not configured properly by default. If I stop it, migration done.
> Thanks.

The default is supposed to be:
# oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# libvirt tls
-A INPUT -p tcp --dport 16514 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
my default is:
# cat /etc/sysconfig/iptables
# oVirt automatically generated firewall configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
#
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
did you change it manually or is the default missing anything?
default missing "libvirt tls" field.

was it an upgrade of some sort?

No.
These are installed at node setup from ovirt-engine. Check the engine version and/or the IPTablesConfig in vdc_options table on engine
oVirt engine version: 3.1.0-2.fc17
engine=# select * from vdc_options where option_id=100;
 option_id |  option_name   |                                       option_value                                        | version
-----------+----------------+-------------------------------------------------------------------------------------------+---------
       100 | IPTablesConfig | # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.+| general
           |                | *filter                                                                                  +|
           |                | :INPUT ACCEPT [0:0]                                                                      +|
           |                | :FORWARD ACCEPT [0:0]                                                                    +|
           |                | :OUTPUT ACCEPT [0:0]                                                                     +|
           |                | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT                                  +|
           |                | -A INPUT -p icmp -j ACCEPT                                                               +|
           |                | -A INPUT -i lo -j ACCEPT                                                                 +|
           |                | # vdsm                                                                                   +|
           |                | -A INPUT -p tcp --dport 54321 -j ACCEPT                                                  +|
           |                | # libvirt tls                                                                            +|
           |                | -A INPUT -p tcp --dport 16514 -j ACCEPT                                                  +|
           |                | # SSH                                                                                    +|
           |                | -A INPUT -p tcp --dport 22 -j ACCEPT                                                     +|
           |                | # guest consoles                                                                         +|
           |                | -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT                                +|
           |                | # migration                                                                              +|
           |                | -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT                              +|
           |                | # snmp                                                                                   +|
           |                | -A INPUT -p udp --dport 161 -j ACCEPT                                                    +|
           |                | # Reject any other input traffic                                                         +|
           |                | -A INPUT -j REJECT --reject-with icmp-host-prohibited                                    +|
           |                | -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited+|
           |                | COMMIT                                                                                   +|
           |                |                                                                                           |
IPTablesConfig is right.
When I add my nodes to engine, I just approve it. I don't have an "Automatically configure host firewall" option.
(Added Mike Burns) Right. This is the diff between ovirt node and Fedora based node. In oVirt node we expect the FW to have all relevant settings.
Mike, do we have these ports opened in the node? Was it changed?
Yes, the ports are open and no, it hasn't changed in a long time:
cat > /etc/sysconfig/iptables << \EOF
# oVirt automatically generated firewall configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
#
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
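The root cause in this thread is that the engine's IPTablesConfig template and the file shipped on ovirt-node had drifted: the engine template opens tcp/16514 for libvirt TLS, the node file does not. As an added example (not code from oVirt, vdsm, ovirt-node or anyone in the thread), here is a small Python script that parses both files, which share the iptables-restore format, and reports which ACCEPT rules the engine template has that the node lacks, with a helper that answers "is this port reachable?" while honouring multiport ranges. The two sample rule sets are constructed from the configurations posted above; all function names are mine.

```python
"""Compare an engine IPTablesConfig template with a node's /etc/sysconfig/iptables.

Added example, not oVirt/vdsm/ovirt-node code. Both inputs are in iptables-restore
format, so one parser serves both. The samples are constructed from the thread.
"""

# Constructed sample: the engine-side default (vdc_options IPTablesConfig) as posted.
ENGINE_RULES = """\
# oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# libvirt tls
-A INPUT -p tcp --dport 16514 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample: the node's /etc/sysconfig/iptables as posted, i.e. the same
# rule set minus the "# libvirt tls" comment and its tcp/16514 rule.
NODE_RULES = "\n".join(
    line for line in ENGINE_RULES.splitlines()
    if "libvirt tls" not in line and "16514" not in line
) + "\n"


def _next(tokens, i):
    """Argument following tokens[i], or None if the option has no argument."""
    return tokens[i + 1] if i + 1 < len(tokens) else None


def accept_rules(text):
    """Return {(chain, proto, portspec)} for every -A rule that ACCEPTs on a port.

    Rules without a port match (ESTABLISHED/RELATED, icmp, loopback) are skipped;
    they say nothing about which services are reachable. portspec is the raw
    --dport/--dports argument, e.g. "22", "5634:6166" or "80,443".
    """
    found = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        chain, proto, ports, target = tokens[1], None, None, None
        for i, tok in enumerate(tokens):
            if tok == "-p":
                proto = _next(tokens, i)
            elif tok in ("--dport", "--dports"):
                ports = _next(tokens, i)
            elif tok == "-j":
                target = _next(tokens, i)
        if target == "ACCEPT" and ports is not None:
            found.add((chain, proto, ports))
    return found


def missing_rules(expected_text, actual_text):
    """ACCEPT rules the engine template opens but the node file does not."""
    return accept_rules(expected_text) - accept_rules(actual_text)


def _covers(portspec, port):
    """True if a --dport/--dports argument (single, range, or list) includes port."""
    for part in portspec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def port_is_open(text, proto, port, chain="INPUT"):
    """True if some ACCEPT rule in `chain` admits proto/port, ranges included."""
    return any(c == chain and p == proto and _covers(spec, port)
               for c, p, spec in accept_rules(text))


if __name__ == "__main__":
    for chain, proto, spec in sorted(missing_rules(ENGINE_RULES, NODE_RULES)):
        print("missing on node: chain=%s proto=%s ports=%s" % (chain, proto, spec))
    print("tcp/16514 open on node:", port_is_open(NODE_RULES, "tcp", 16514))
```

To use it on real hosts, replace the two constants with the output of `psql -At -c "select option_value from vdc_options where option_name='IPTablesConfig'"` on the engine and the contents of /etc/sysconfig/iptables on the node; the comparison is by (chain, proto, portspec), so a port moved from --dport into a multiport range shows up as a difference and is worth a second look rather than an automatic fix.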