[Users] Fatal error during migration
Mike Burns
mburns at redhat.com
Thu Sep 20 13:25:52 UTC 2012
On Thu, 2012-09-20 at 06:46 -0400, Doron Fediuck wrote:
>
> ______________________________________________________________________
> From: "Dmitriy A Pyryakov" <DPyryakov at ekb.beeline.ru>
> To: "Michal Skrivanek" <michal.skrivanek at redhat.com>
> Cc: users at ovirt.org
> Sent: Thursday, September 20, 2012 1:34:46 PM
> Subject: Re: [Users] Fatal error during migration
>
>
>
> Michal Skrivanek <michal.skrivanek at redhat.com> wrote on
> 20.09.2012 16:23:31:
>
> > From: Michal Skrivanek <michal.skrivanek at redhat.com>
> > To: Dmitriy A Pyryakov <DPyryakov at ekb.beeline.ru>
> > Cc: users at ovirt.org
> > Date: 20.09.2012 16:24
> > Subject: Re: [Users] Fatal error during migration
> >
> >
> > On Sep 20, 2012, at 12:19 , Dmitriy A Pyryakov wrote:
> >
> > > Michal Skrivanek <michal.skrivanek at redhat.com> wrote on 20.09.2012 16:13:16:
> > >
> > > > From: Michal Skrivanek <michal.skrivanek at redhat.com>
> > > > To: Dmitriy A Pyryakov <DPyryakov at ekb.beeline.ru>
> > > > Cc: users at ovirt.org
> > > > Date: 20.09.2012 16:13
> > > > Subject: Re: [Users] Fatal error during migration
> > > >
> > > >
> > > > On Sep 20, 2012, at 12:07 , Dmitriy A Pyryakov wrote:
> > > >
> > > > > Michal Skrivanek <michal.skrivanek at redhat.com> wrote on 20.09.2012 16:02:11:
> > > > >
> > > > > > From: Michal Skrivanek <michal.skrivanek at redhat.com>
> > > > > > To: Dmitriy A Pyryakov <DPyryakov at ekb.beeline.ru>
> > > > > > Cc: users at ovirt.org
> > > > > > Date: 20.09.2012 16:02
> > > > > > Subject: Re: [Users] Fatal error during migration
> > > > > >
> > > > > > Hi,
> > > > > > well, so what is the other side saying? Maybe some connectivity
> > > > > > problems between those 2 hosts? firewall?
> > > > > >
> > > > > > Thanks,
> > > > > > michal
> > > > >
> > > > > Yes, firewall is not configured properly by default. If I stop it,
> > > > > migration done.
> > > > > Thanks.
> > > > The default is supposed to be:
> > > >
> > > > # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
> > > > *filter
> > > > :INPUT ACCEPT [0:0]
> > > > :FORWARD ACCEPT [0:0]
> > > > :OUTPUT ACCEPT [0:0]
> > > > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > > -A INPUT -p icmp -j ACCEPT
> > > > -A INPUT -i lo -j ACCEPT
> > > > # vdsm
> > > > -A INPUT -p tcp --dport 54321 -j ACCEPT
> > > > # libvirt tls
> > > > -A INPUT -p tcp --dport 16514 -j ACCEPT
> > > > # SSH
> > > > -A INPUT -p tcp --dport 22 -j ACCEPT
> > > > # guest consoles
> > > > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> > > > # migration
> > > > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> > > > # snmp
> > > > -A INPUT -p udp --dport 161 -j ACCEPT
> > > > # Reject any other input traffic
> > > > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > > > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> > > > COMMIT
> > >
> > > my default is:
> > >
> > > # cat /etc/sysconfig/iptables
> > > # oVirt automatically generated firewall configuration
> > > *filter
> > > :INPUT ACCEPT [0:0]
> > > :FORWARD ACCEPT [0:0]
> > > :OUTPUT ACCEPT [0:0]
> > > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > -A INPUT -p icmp -j ACCEPT
> > > -A INPUT -i lo -j ACCEPT
> > > #vdsm
> > > -A INPUT -p tcp --dport 54321 -j ACCEPT
> > > # SSH
> > > -A INPUT -p tcp --dport 22 -j ACCEPT
> > > # guest consoles
> > > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> > > # migration
> > > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> > > # snmp
> > > -A INPUT -p udp --dport 161 -j ACCEPT
> > > #
> > > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> > > COMMIT
> > >
> > > >
> > > > did you change it manually or is the default missing anything?
> > >
> > > default missing "libvirt tls" field.
> > was it an upgrade of some sort?
> No.
>
> > These are installed at node setup
> > from ovirt-engine. Check the engine version and/or the
> > IPTablesConfig in vdc_options table on engine
>
> oVirt engine version: 3.1.0-2.fc17
>
> engine=# select * from vdc_options where option_id=100;
> option_id | option_name | option_value | version
> -----------+----------------+-------------------------------------------------------------------------------------------+---------
> 100 | IPTablesConfig | # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.+| general
> | | *filter +|
> | | :INPUT ACCEPT [0:0] +|
> | | :FORWARD ACCEPT [0:0] +|
> | | :OUTPUT ACCEPT [0:0] +|
> | | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +|
> | | -A INPUT -p icmp -j ACCEPT +|
> | | -A INPUT -i lo -j ACCEPT +|
> | | # vdsm +|
> | | -A INPUT -p tcp --dport 54321 -j ACCEPT +|
> | | # libvirt tls +|
> | | -A INPUT -p tcp --dport 16514 -j ACCEPT +|
> | | # SSH +|
> | | -A INPUT -p tcp --dport 22 -j ACCEPT +|
> | | # guest consoles +|
> | | -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT +|
> | | # migration +|
> | | -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT +|
> | | # snmp +|
> | | -A INPUT -p udp --dport 161 -j ACCEPT +|
> | | # Reject any other input traffic +|
> | | -A INPUT -j REJECT --reject-with icmp-host-prohibited +|
> | | -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited+|
> | | COMMIT +|
> | | |
>
> IPTablesConfig is right.
>
> When I add my nodes to engine, I just approve it. I don't have
> an "Automatically configure host firewall" option.
>
>
>
> (Added Mike Burns)
> Right.
> This is the diff between ovirt node and Fedora based node.
> In oVirt node we expect the FW to have all relevant settings.
>
> Mike, do we have these ports opened in the node?
> Was it changed?
Yes, the ports are open and no, it hasn't changed in a long time:
cat > /etc/sysconfig/iptables << \EOF
# oVirt automatically generated firewall configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
#
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
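
The comparison made by hand in this thread, as an added example that is not part of the original message or of oVirt: a first-match evaluator over the node's INPUT rules that reports which ports opened by the engine's IPTablesConfig the node does not accept. The rule text is taken from the thread with comments dropped; `port_in`, `verdict`, `blocked_services` and the `REQUIRED` table are names assumed here, and the parser assumes every option takes exactly one argument.

```python
import shlex

# INPUT rules from the node's /etc/sysconfig/iptables in the thread (comments dropped).
NODE_RULES = """\
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 54321 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# One port per service opened by the engine's IPTablesConfig shown in the thread.
REQUIRED = {"vdsm": ("tcp", 54321), "libvirt tls": ("tcp", 16514),
            "ssh": ("tcp", 22), "migration": ("tcp", 49152), "snmp": ("udp", 161)}

def port_in(spec, port):
    """True if port is covered by a spec such as '22' or '49152:49216,80'."""
    ranges = (part.partition(":") for part in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def verdict(rules_text, proto, port, policy="ACCEPT"):
    """Target of the first INPUT rule matching a new remote connection."""
    for line in rules_text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:2] != ["-A", "INPUT"]:
            continue
        # Assumption: every option takes exactly one argument (true for these rules).
        opt = dict(zip(tok[2::2], tok[3::2]))
        if "NEW" not in opt.get("--state", "NEW").split(","):
            continue  # ESTABLISHED,RELATED never matches a first packet
        if opt.get("-i") == "lo" or opt.get("-p", proto) != proto:
            continue  # loopback-only rule, or a different protocol
        spec = opt.get("--dport") or opt.get("--dports")
        if spec and not port_in(spec, port):
            continue
        return opt["-j"]
    return policy  # nothing matched: the chain policy applies

def blocked_services(rules_text, required=REQUIRED):
    """Names of required services that the ruleset does not ACCEPT."""
    return [name for name, (proto, port) in required.items()
            if verdict(rules_text, proto, port) != "ACCEPT"]

if __name__ == "__main__":
    print(blocked_services(NODE_RULES))
```

Appending the 16514 rule after the final REJECT leaves the port blocked, because the first matching rule decides; it has to go above that line.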