[Users] iptables settings/scripts ovirt 3.3

Hi,

we have a test environment with oVirt 3.3 installed on various hardware nodes. The management node is installed on a CentOS 6.4 x64 minimal.

The issue we are running into is that some oVirt component keeps resetting the iptables firewall configuration, denying access to ports 80 and 443, which results in the web interface not being accessible.

We do know that the engine-setup initially configures the firewall, but through which scripts does iptables get configured? Are there some database entries for this? If you need any logfiles for this, please let me know.

Currently we have disabled iptables, as it's just a test environment.

We read about some "vdsm bootstrap script" (e.g. BZ 893680); may this be related? However, we didn't find out where this script resides. Also vvyazmin@redhat.com posted in this BZ: "not a bug". I don't see why you shouldn't be able to ping the hypervisor in the management LAN? This is useful for monitoring and network debugging. ICMP is no danger at all.

Kind regards
Sven Kieske

Are you referring to /etc/sysconfig/iptables? That's where the engine setup configures iptables. When I provision my nodes I select "Don't configure firewall" and let puppet manage my iptables rules for other reasons. Not sure if that was what you're asking.

On Tue, Oct 1, 2013 at 11:16 PM, Sven Kieske <S.Kieske@mittwald.de> wrote:
Hi,
we have a test environment with oVirt 3.3 installed on various hardware nodes.
The management node is installed on a CentOS 6.4 x64 minimal.
The issue we are running into is that some oVirt component keeps resetting the iptables firewall configuration, denying access to ports 80 and 443, which results in the web interface not being accessible.
We do know that the engine-setup initially configures the firewall, but through which scripts does iptables get configured?
Are there some database entries for this?
If you need any logfiles for this, please let me know.
Currently we have disabled iptables, as it's just a test environment.
We read about some "vdsm bootstrap script" (e.g. BZ 893680); may this be related?
However, we didn't find out where this script resides.
Also vvyazmin@redhat.com posted in this BZ: "not a bug".
I don't see why you shouldn't be able to ping the hypervisor in the management LAN? This is useful for monitoring and network debugging.
ICMP is no danger at all.
Kind regards
Sven Kieske

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Yeah, we added our own rules with system-config-firewall-tui, but somehow ovirt-engine seems to override these custom set values after some time. We couldn't find out until now what keeps changing the iptables; there seems to be some kind of automatic script called "vdsm bootstrap script" which does configure the firewall, but we are not sure this is the reason why the iptables entries for ports 80 and 443 keep vanishing.

So I'm asking for information: which components of oVirt are capable of changing iptables, and in which way do these components do this? Are these components started automatically in any way? I couldn't find anything in the docs related to this, not even in the Red Hat docs regarding RHEV.

Kind Regards
Sven

On 01/10/13 16:36, Andrew Lau wrote:
Are you referring to /etc/sysconfig/iptables? That's where the engine setup configures iptables. When I provision my nodes I select "Don't configure firewall" and let puppet manage my iptables rules for other reasons. Not sure if that was what you're asking.

On Tue, 1 Oct 2013, Sven Kieske wrote:
We read about some "vdsm bootstrap script" (e.g. BZ 893680), may this be related?
SvenKieske appeared in the OFTC IRC channel #ovirt with this issue, and we discussed it some more:

11:41 < SvenKieske> meaning you can't ping compute nodes, this is in the default install
11:41 < orc_orc> SvenKieske: * nod * that effect would occur with the physdev rule, I think
11:41 < SvenKieske> and I think this default iptables rule is just plain useless :)
11:42 < SvenKieske> and prevents proper network debugging, as we are having some issues with network related to newest ovirt nodes
11:42 < orc_orc> SvenKieske: assumedly you are following a guide. can you point out that URL and the step at which the problem is first noticed

and he pointed to the wiki outline at: http://www.ovirt.org/Quick_Start_Guide#Install_oVirt_Node

11:43 < orc_orc> but from a policy POV, it may make sense that a node is not reachable until it has had time to become hardened

.. and I also pointed out an example of an ICMP fragmentation attack and its remediation in the Red Hat bugzilla
I don't see why you shouldn't be able to ping the hypervisor in the management LAN? This is useful for monitoring and network debugging.
ICMP is no danger at all.
and in IRC he there stated

11:45 < SvenKieske> I'm not sure you can harden this node any further, as it resides on a read only file system, beside that, I can not think of any attack vector via icmp on the compute node
11:46 < orc_orc> SvenKieske: there are some ICMP attacks, particularly on ipv6 stacks, which can cause machines to fall over and die
11:46 < orc_orc> I reported one a while back
11:47 < orc_orc> the packet reassembly code had an unsuspected re-construction method with a problem in it

and at that point he concluded that perhaps the ICMP block limitation had policy reasons behind it

11:49 < SvenKieske> Well then that's fine with me, but maybe the node devs should more focus on reliable network configuration and then harden it for security and not the other way around, it was just a small nuisance, if network setup in 3.3 would work ootb I'd maybe never noticed ping doesn't work ootb

to which I can only respond:

11:49 < orc_orc> SvenKieske: sounds like you are saying that you need to file an RFE as to debugging tools extensions or amend the setup documentation

I had a private inquiry about KVM hardening and so had been looking at the physdev iptables rules recently, and on a VM for which I am responsible an incident just last weekend

11:50 < orc_orc> SvenKieske: I had a person at my office just today, who was the victim of a TOR attack on a VM
11:50 < orc_orc> so VM's _do_ get scanned for and attacked ... in part we mitigated the attack via a temporary iptables rule on the KVM based hypervisor

... and he closed that he may file something tomorrow.

11:50 < SvenKieske> yeah, might be the way to go, but my workday is over now, so maybe tomorrow :)
11:50 < orc_orc> SvenKieske * nod * don't forget ;)
11:51 < SvenKieske> I'm all in for more computer security :)
11:51 < SvenKieske> see you!
11:51 * orc_orc waves

I've been working through the setup documentation as well since the 3.3 update, and have a list of questions as to the wiki materials, as of course bit rot happens in wikis (heck, in _any_ documentation) as new releases are issued

-- Russ herrold
Kind regards
Sven Kieske
--
-- end ==================================
.-- -... ---.. ... -.- -.--
Copyright (C) 2013 R P Herrold herrold@owlriver.com
My words are not deathless prose, but they are mine.

Hi,

thanks for your answer on list, Russ. But I still don't know which mechanism(s?) do(es) change firewall settings on the oVirt Management Node?

Kind regards
Sven

Hi,

----- Original Message -----
From: "Sven Kieske" <S.Kieske@mittwald.de> To: "oVirt Users ML" <users@ovirt.org> Sent: Wednesday, October 2, 2013 9:58:43 AM Subject: Re: [Users] iptables settings/scripts ovirt 3.3
Hi,
thanks for your answer on list, Russ. But I still don't know which mechanism(s?) do(es) change firewall settings on the oVirt Management Node?
Do you also have VDSM on the management node? The allinone plugin? Is that intended? You need it if you want to run VMs on it. VDSM manages networking on nodes (hypervisors), which includes the management node if you have chosen so during setup.

Regards,
--
Didi

Hi,

no, this is _no_ all in one installation, as was clearly stated in my first message. I do not try to run VMs on the management node.

Maybe I should rearrange my question:
What is the recommended way of adding additional iptables rules on the management node? We need to make sure our additional rules do not get overwritten by oVirt.
Can you just append rules to /etc/sysconfig/iptables, or does this file get overwritten under any circumstances by this "vdsm bootstrap script" or any other oVirt related component?

Thanks
Sven

On 02/10/13 09:14, Yedidyah Bar David wrote:
Hi,
----- Original Message -----
From: "Sven Kieske" <S.Kieske@mittwald.de> To: "oVirt Users ML" <users@ovirt.org> Sent: Wednesday, October 2, 2013 9:58:43 AM Subject: Re: [Users] iptables settings/scripts ovirt 3.3
Hi,
thanks for your answer on list, Russ. But I still don't know which mechanism(s?) do(es) change firewall settings on the oVirt Management Node?
Do you also have VDSM on the management node? The allinone plugin? Is that intended? You need it if you want to run VMs on it. VDSM manages networking on nodes (hypervisors), which includes the management node if you have chosen so during setup.
Regards,

From what I've noticed, /etc/sysconfig/iptables is only touched by oVirt when it does the initial install or upgrade. My iptables rules have been happily running for months.

ICMP returning an error/blocked message: I believe it's the last line in the iptables config file which oVirt configures in the initial install.

On Wed, Oct 2, 2013 at 5:40 PM, Sven Kieske <S.Kieske@mittwald.de> wrote:
Hi,
no, this is _no_ all in one installation, as was clearly stated in my first message. I do not try to run VMs on the management node.
Maybe I should rearrange my question:
What is the recommended way of adding additional iptables rules on the management node? We need to make sure our additional rules do not get overwritten by ovirt.
Can you just append rules to /etc/sysconfig/iptables or does this file get overwritten under any circumstances from this "vdsm bootstrap script" or any other ovirt related component?
Thanks
Sven
On 02/10/13 09:14, Yedidyah Bar David wrote:
Hi,
----- Original Message -----
From: "Sven Kieske" <S.Kieske@mittwald.de> To: "oVirt Users ML" <users@ovirt.org> Sent: Wednesday, October 2, 2013 9:58:43 AM Subject: Re: [Users] iptables settings/scripts ovirt 3.3
Hi,
thanks for your answer on list, Russ. But I still don't know which mechanism(s?) do(es) change firewall settings on the oVirt Management Node?
Do you also have VDSM on the management node? The allinone plugin? Is that intended? You need it if you want to run VMs on it. VDSM manages networking on nodes (hypervisors), which includes the management node if you have chosen so during setup.
Regards,

----- Original Message -----
Hi,
Hi Sven,
no, this is _no_ all in one installation, as was clearly stated in my first message. I do not try to run VMs on the management node.
Maybe I should rearrange my question:
What is the recommended way of adding additional iptables rules on the management node? We need to make sure our additional rules do not get overwritten by ovirt.
You stated initially that: "The issue we are running into is, that some ovirt component keeps resetting the iptables firewall configuration" How do you know it's oVirt's fault?
From what I know, the only thing in oVirt that touches the firewall rules on the management node is the installation script which you run initially.
Can you just append rules to /etc/sysconfig/iptables or does this file get overwritten under any circumstances from this "vdsm bootstrap script" or any other ovirt related component?
The bootstrap is happening on a host that you add to the system; it doesn't touch the firewall on the management node at all.

Regards,
Mike
Thanks
Sven
On 02/10/13 09:14, Yedidyah Bar David wrote:
Hi,
----- Original Message -----
From: "Sven Kieske" <S.Kieske@mittwald.de> To: "oVirt Users ML" <users@ovirt.org> Sent: Wednesday, October 2, 2013 9:58:43 AM Subject: Re: [Users] iptables settings/scripts ovirt 3.3
Hi,
thanks for your answer on list, Russ. But I still don't know which mechanism(s?) do(es) change firewall settings on the oVirt Management Node?
Do you also have VDSM on the management node? The allinone plugin? Is that intended? You need it if you want to run VMs on it. VDSM manages networking on nodes (hypervisors), which includes the management node if you have chosen so during setup.
Regards,

Hi,

----- Original Message -----
From: "Sven Kieske" <S.Kieske@mittwald.de> To: "Yedidyah Bar David" <didi@redhat.com> Cc: "oVirt Users ML" <users@ovirt.org> Sent: Wednesday, October 2, 2013 10:40:39 AM Subject: Re: [Users] iptables settings/scripts ovirt 3.3
Hi,
no, this is _no_ all in one installation, as was clearly stated in my first message.
Sorry, could not understand that from your message. Can you please provide the setup log? It's in /var/log/ovirt-engine/setup.
I do not try to run VMs on the management node.
Maybe I should rearrange my question:
What is the recommended way of adding additional iptables rules on the management node? We need to make sure our additional rules do not get overwritten by ovirt.
On the management node, iptables rules are changed only during setup, if you choose so.
Can you just append rules to /etc/sysconfig/iptables or does this file get overwritten under any circumstances from this "vdsm bootstrap script" or any other ovirt related component?
vdsm-bootstrap was deprecated in 3.2 and replaced with ovirt-host-deploy. Both of them affect hypervisors, not the engine host.

--
Didi
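The answers above narrow the question down: on the engine host only engine-setup writes /etc/sysconfig/iptables, and host-deploy only touches hypervisors, so if the file keeps changing, something else is writing it. The script below is an added example, not code from this thread or from the oVirt project. It reads a rules file in the iptables-save format that /etc/sysconfig/iptables uses, checks that INPUT still accepts tcp/22, tcp/80, tcp/443 and ICMP, and reports whether the file has drifted from a baseline copy. The two sample rule files, the list of required ports and all function names are constructed for the example; on a real host you would pass the live file and a copy you saved right after setup.

```shell
#!/bin/sh
# Added example: verify a saved iptables rules file (iptables-save format, as in
# /etc/sysconfig/iptables) still contains the ACCEPT rules we rely on, and detect
# drift from a baseline copy. Everything below runs on constructed sample files.

# has_accept_rule FILE PORT: true if FILE has an INPUT rule accepting tcp/PORT.
# The trailing space after the port keeps "--dport 44 " from matching 443.
has_accept_rule() {
    grep -Eq -e "^-A INPUT .*-p tcp .*--dport $2 .*-j ACCEPT" "$1"
}

# icmp_allowed FILE: true if FILE has an explicit INPUT rule accepting ICMP.
icmp_allowed() {
    grep -Eq -e "^-A INPUT .*-p icmp .*-j ACCEPT" "$1"
}

# rules_drifted BASELINE CURRENT: true when the two files differ byte for byte.
rules_drifted() {
    ! cmp -s "$1" "$2"
}

# count_missing FILE: report each missing requirement on stderr, print the count.
# The required ports (22, 80, 443) are this example's assumption, not oVirt's list.
count_missing() {
    missing=0
    for port in 22 80 443; do
        if ! has_accept_rule "$1" "$port"; then
            echo "missing: INPUT accept for tcp/$port" >&2
            missing=$((missing + 1))
        fi
    done
    if ! icmp_allowed "$1"; then
        echo "missing: INPUT accept for icmp" >&2
        missing=$((missing + 1))
    fi
    echo "$missing"
}

# make_samples DIR: write two constructed rule files into DIR.
# baseline.rules: the file as saved right after setup plus our own additions.
# current.rules:  the same file with tcp/80, tcp/443 and the ICMP accept gone.
make_samples() {
    cat > "$1/baseline.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    cat > "$1/current.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Demo on the constructed files; on a real host pass /etc/sysconfig/iptables
# and the baseline copy you saved after engine-setup instead.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "baseline: $(count_missing "$demo_dir/baseline.rules") requirement(s) missing"
echo "current:  $(count_missing "$demo_dir/current.rules") requirement(s) missing"
if rules_drifted "$demo_dir/baseline.rules" "$demo_dir/current.rules"; then
    echo "rules file has changed since the baseline was saved"
fi
rm -rf "$demo_dir"
```

Run it from cron against the live file and a baseline copy and the stderr lines tell you which of your additions disappeared, before users notice the web interface is unreachable. To learn which process actually rewrote the file, an auditd watch (`auditctl -w /etc/sysconfig/iptables -p wa -k iptables-cfg`, then `ausearch -k iptables-cfg` after the next change) records the writer's executable and PID, which answers the thread's question directly rather than by elimination. Comparing the saved file with `iptables-save` output also catches the case where the file is intact but the running rule set was changed without saving.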
participants (5)
- Andrew Lau
- Mike Kolesnik
- R P Herrold
- Sven Kieske
- Yedidyah Bar David