On Fri, 2012-09-21 at 01:58 -0400, Michal Skrivanek wrote:
Well, looks like 16514 is not open on node. I guess it should be, TLS
migration is new in 3.1, isn't it?
I'm surprised this wasn't caught earlier. I've submitted a patch to add
the port to the default firewall [1].
You can run the following command to open the firewall port manually on
ovirt-node.
python -c 'from ovirtnode.ovirtfunctions import *; manage_firewall_port("16514","open","tcp")'
To make it work across reboots, do the following:
1. Press F2 on the TUI to get a shell
2. scp the attached patch file to /tmp on ovirt-node (you need to
initiate this from ovirt-node, not from your local machine)
3. on ovirt-node, run # mount -o remount,rw /
4. cd /usr/libexec
5. patch </tmp/0001*patch
6. persist /usr/libexec/ovirt-init-functions
7. Reboot
When the machine comes back up, you should see that the port is open:
iptables -L
Mike
[1]
http://gerrit.ovirt.org/8116
On 20 Sep 2012, at 15:25, Mike Burns <mburns(a)redhat.com>
wrote:
> On Thu, 2012-09-20 at 06:46 -0400, Doron Fediuck wrote:
>>
>> ______________________________________________________________________
>> From: "Dmitriy A Pyryakov" <DPyryakov(a)ekb.beeline.ru>
>> To: "Michal Skrivanek" <michal.skrivanek(a)redhat.com>
>> Cc: users(a)ovirt.org
>> Sent: Thursday, September 20, 2012 1:34:46 PM
>> Subject: Re: [Users] Fatal error during migration
>>
>>
>>
>> Michal Skrivanek <michal.skrivanek(a)redhat.com> wrote on
>> 20.09.2012 16:23:31:
>>
>>> From: Michal Skrivanek <michal.skrivanek(a)redhat.com>
>>> To: Dmitriy A Pyryakov <DPyryakov(a)ekb.beeline.ru>
>>> Cc: users(a)ovirt.org
>>> Date: 20.09.2012 16:24
>>> Subject: Re: [Users] Fatal error during migration
>>>
>>>
>>> On Sep 20, 2012, at 12:19 , Dmitriy A Pyryakov wrote:
>>>
>>>> Michal Skrivanek <michal.skrivanek(a)redhat.com> wrote on
>>>> 20.09.2012 16:13:16:
>>>>
>>>>> From: Michal Skrivanek <michal.skrivanek(a)redhat.com>
>>>>> To: Dmitriy A Pyryakov <DPyryakov(a)ekb.beeline.ru>
>>>>> Cc: users(a)ovirt.org
>>>>> Date: 20.09.2012 16:13
>>>>> Subject: Re: [Users] Fatal error during migration
>>>>>
>>>>>
>>>>> On Sep 20, 2012, at 12:07 , Dmitriy A Pyryakov wrote:
>>>>>
>>>>>> Michal Skrivanek <michal.skrivanek(a)redhat.com> wrote on
>>>>>> 20.09.2012 16:02:11:
>>>>>>
>>>>>>> From: Michal Skrivanek <michal.skrivanek(a)redhat.com>
>>>>>>> To: Dmitriy A Pyryakov <DPyryakov(a)ekb.beeline.ru>
>>>>>>> Cc: users(a)ovirt.org
>>>>>>> Date: 20.09.2012 16:02
>>>>>>> Subject: Re: [Users] Fatal error during migration
>>>>>>>
>>>>>>> Hi,
>>>>>>> well, so what is the other side saying? Maybe some connectivity
>>>>>>> problems between those 2 hosts? firewall?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> michal
>>>>>>
>>>>>> Yes, the firewall is not configured properly by default.
>>>>>> If I stop it, migration is done.
>>>>>> Thanks.
>>>>> The default is supposed to be:
>>>>>
>>>>> # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
>>>>> *filter
>>>>> :INPUT ACCEPT [0:0]
>>>>> :FORWARD ACCEPT [0:0]
>>>>> :OUTPUT ACCEPT [0:0]
>>>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>>> -A INPUT -p icmp -j ACCEPT
>>>>> -A INPUT -i lo -j ACCEPT
>>>>> # vdsm
>>>>> -A INPUT -p tcp --dport 54321 -j ACCEPT
>>>>> # libvirt tls
>>>>> -A INPUT -p tcp --dport 16514 -j ACCEPT
>>>>> # SSH
>>>>> -A INPUT -p tcp --dport 22 -j ACCEPT
>>>>> # guest consoles
>>>>> -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
>>>>> # migration
>>>>> -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
>>>>> # snmp
>>>>> -A INPUT -p udp --dport 161 -j ACCEPT
>>>>> # Reject any other input traffic
>>>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>>>> -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
>>>>> COMMIT
>>>>
>>>> my default is:
>>>>
>>>> # cat /etc/sysconfig/iptables
>>>> # oVirt automatically generated firewall configuration
>>>> *filter
>>>> :INPUT ACCEPT [0:0]
>>>> :FORWARD ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [0:0]
>>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>> -A INPUT -p icmp -j ACCEPT
>>>> -A INPUT -i lo -j ACCEPT
>>>> #vdsm
>>>> -A INPUT -p tcp --dport 54321 -j ACCEPT
>>>> # SSH
>>>> -A INPUT -p tcp --dport 22 -j ACCEPT
>>>> # guest consoles
>>>> -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
>>>> # migration
>>>> -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
>>>> # snmp
>>>> -A INPUT -p udp --dport 161 -j ACCEPT
>>>> #
>>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>>> -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
>>>> COMMIT
>>>>
>>>>>
>>>>> did you change it manually or is the default missing anything?
>>>>
>>>> The default is missing the "libvirt tls" field.
>>> was it an upgrade of some sort?
>> No.
>>
>>> These are installed at node setup
>>> from ovirt-engine. Check the engine version and/or the
>>> IPTablesConfig in vdc_options table on engine
>>
>> oVirt engine version: 3.1.0-2.fc17
>>
>> engine=# select * from vdc_options where option_id=100;
>> option_id | option_name | option_value | version
>> -----------+----------------+-------------------------------------------------------------------------------------------+---------
>> 100 | IPTablesConfig | # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.+| general
>> | | *filter +|
>> | | :INPUT ACCEPT [0:0] +|
>> | | :FORWARD ACCEPT [0:0] +|
>> | | :OUTPUT ACCEPT [0:0] +|
>> | | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +|
>> | | -A INPUT -p icmp -j ACCEPT +|
>> | | -A INPUT -i lo -j ACCEPT +|
>> | | # vdsm +|
>> | | -A INPUT -p tcp --dport 54321 -j ACCEPT +|
>> | | # libvirt tls +|
>> | | -A INPUT -p tcp --dport 16514 -j ACCEPT +|
>> | | # SSH +|
>> | | -A INPUT -p tcp --dport 22 -j ACCEPT +|
>> | | # guest consoles +|
>> | | -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT +|
>> | | # migration +|
>> | | -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT +|
>> | | # snmp +|
>> | | -A INPUT -p udp --dport 161 -j ACCEPT +|
>> | | # Reject any other input traffic +|
>> | | -A INPUT -j REJECT --reject-with icmp-host-prohibited +|
>> | | -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited+|
>> | | COMMIT +|
>> | | |
>>
>> IPTablesConfig is right.
>>
>> When I add my nodes to engine, I just approve it. I don't have
>> an "Automatically configure host firewall" option.
>>
>>
>>
>> (Added Mike Burns)
>> Right.
>> This is the diff between ovirt node and Fedora based node.
>> In oVirt node we expect the FW to have all relevant settings.
>>
>> Mike, do we have these ports opened in the node?
>> Was it changed?
>
> Yes, the ports are open and no, it hasn't changed in a long time:
>
> cat > /etc/sysconfig/iptables << \EOF
> # oVirt automatically generated firewall configuration
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> #vdsm
> -A INPUT -p tcp --dport 54321 -j ACCEPT
> # SSH
> -A INPUT -p tcp --dport 22 -j ACCEPT
> # guest consoles
> -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> # migration
> -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> # snmp
> -A INPUT -p udp --dport 161 -j ACCEPT
> #
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with
> icmp-host-prohibited
> COMMIT
> EOF
>
>>
>
>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
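The thread comes down to a drift between two rulesets: the engine's IPTablesConfig (which accepts tcp/16514 for libvirt TLS) and the ovirt-node default (which does not). The script below is an added example, not code from the thread or from the oVirt project: it audits an iptables-save style file against the ports listed in the engine's IPTablesConfig quoted above and prints the rule line for each one that is not accepted, so the gap is visible before a migration fails rather than after. The sample ruleset is constructed from the ovirt-node default quoted by Mike Burns (it deliberately lacks the 16514 rule); the file path, function names and the OVIRT_REQUIRED list are this example's own assumptions. It only reports; applying a rule on ovirt-node is done with the manage_firewall_port call and the persist steps Mike gives above.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save style ruleset
# for the INPUT ports an oVirt 3.1 host needs and print what is missing.

# Required "proto:port[:port]" entries, taken from the engine's
# IPTablesConfig quoted in the thread (vdsm, libvirt tls, SSH, consoles,
# migration, snmp). Adjust to your engine's vdc_options if they differ.
OVIRT_REQUIRED="tcp:54321 tcp:16514 tcp:22 tcp:5634:6166 tcp:49152:49216 udp:161"

# ruleset_has_port FILE PROTO PORT
# Returns 0 if FILE contains an INPUT ACCEPT rule for PROTO/PORT, matching
# both the single-port (--dport) and range (-m multiport --dports) forms.
ruleset_has_port() {
    grep -Eq "^-A INPUT -p $2( -m multiport --dports | --dport )$3 -j ACCEPT" "$1"
}

# missing_ports FILE
# Prints one "proto:port" line for each required entry FILE does not accept.
missing_ports() {
    for entry in $OVIRT_REQUIRED; do
        proto=${entry%%:*}   # text before the first colon
        port=${entry#*:}     # rest, which may itself be a range like 5634:6166
        ruleset_has_port "$1" "$proto" "$port" || printf '%s\n' "$entry"
    done
}

# rule_for PROTO PORT
# Prints the iptables rule line that would accept PROTO/PORT, in the same
# style as the engine's generated configuration.
rule_for() {
    case $2 in
        *:*) printf '%s\n' "-A INPUT -p $1 -m multiport --dports $2 -j ACCEPT" ;;
        *)   printf '%s\n' "-A INPUT -p $1 --dport $2 -j ACCEPT" ;;
    esac
}

# audit_file FILE
# Prints a "missing:" line per absent rule; returns 1 if anything is missing.
audit_file() {
    status=0
    for entry in $(missing_ports "$1"); do
        status=1
        echo "missing: $(rule_for "${entry%%:*}" "${entry#*:}")"
    done
    return $status
}

# Constructed sample ruleset: the ovirt-node default from the thread, which
# has no "libvirt tls" rule. On a real host you would pass
# /etc/sysconfig/iptables (or the output of iptables-save) instead.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 54321 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

audit_file "$SAMPLE" || echo "ruleset is incomplete for oVirt 3.1 migration"
```

Run it as-is to see the single missing libvirt TLS rule reported; point it at /etc/sysconfig/iptables on a node to check a real host. The match is anchored on the full "-j ACCEPT" rule so a port number that is merely a prefix of another (22 inside 54321, say) cannot produce a false pass.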