[Users] Fatal error during migration
Mike Burns
mburns at redhat.com
Fri Sep 21 12:01:58 UTC 2012
On Fri, 2012-09-21 at 01:58 -0400, Michal Skrivanek wrote:
> Well, looks like 16514 is not open on node. I guess it should, tls migration is new in 3.1, isn't it?
>
I'm surprised this wasn't caught earlier. I've submitted a patch to add
the port to the default firewall [1].
You can run the following command to open the firewall port manually on
ovirt-node.
python -c 'from ovirtnode.ovirtfunctions import *; manage_firewall_port("16514","open","tcp")'
To make it work across reboots, do the following:
1. Press F2 on the TUI to get a shell
2. scp the attached patch file to /tmp on ovirt-node (you need to
initiate this from ovirt-node, not from your local machine)
3. on ovirt-node, run # mount -o remount,rw /
4. cd /usr/libexec
5. patch </tmp/0001*patch
6. persist /usr/libexec/ovirt-init-functions
7. Reboot
When the machine comes back up, you should see that port is open.
iptables -L
Mike
[1] http://gerrit.ovirt.org/8116
> On 20 Sep 2012, at 15:25, Mike Burns <mburns at redhat.com> wrote:
>
> > On Thu, 2012-09-20 at 06:46 -0400, Doron Fediuck wrote:
> >>
> >> ______________________________________________________________________
> >> From: "Dmitriy A Pyryakov" <DPyryakov at ekb.beeline.ru>
> >> To: "Michal Skrivanek" <michal.skrivanek at redhat.com>
> >> Cc: users at ovirt.org
> >> Sent: Thursday, September 20, 2012 1:34:46 PM
> >> Subject: Re: [Users] Fatal error during migration
> >>
> >>
> >>
> >> Michal Skrivanek <michal.skrivanek at redhat.com> wrote on
> >> 20.09.2012 16:23:31:
> >>
> >>> From: Michal Skrivanek <michal.skrivanek at redhat.com>
> >>> To: Dmitriy A Pyryakov <DPyryakov at ekb.beeline.ru>
> >>> Cc: users at ovirt.org
> >>> Date: 20.09.2012 16:24
> >>> Subject: Re: [Users] Fatal error during migration
> >>>
> >>>
> >>> On Sep 20, 2012, at 12:19 , Dmitriy A Pyryakov wrote:
> >>>
> >>>> Michal Skrivanek <michal.skrivanek at redhat.com> wrote on
> >>>> 20.09.2012 16:13:16:
> >>>>
> >>>>> From: Michal Skrivanek <michal.skrivanek at redhat.com>
> >>>>> To: Dmitriy A Pyryakov <DPyryakov at ekb.beeline.ru>
> >>>>> Cc: users at ovirt.org
> >>>>> Date: 20.09.2012 16:13
> >>>>> Subject: Re: [Users] Fatal error during migration
> >>>>>
> >>>>>
> >>>>> On Sep 20, 2012, at 12:07 , Dmitriy A Pyryakov wrote:
> >>>>>
> >>>>>> Michal Skrivanek <michal.skrivanek at redhat.com> wrote on
> >>>>>> 20.09.2012 16:02:11:
> >>>>>>
> >>>>>>> From: Michal Skrivanek <michal.skrivanek at redhat.com>
> >>>>>>> To: Dmitriy A Pyryakov <DPyryakov at ekb.beeline.ru>
> >>>>>>> Cc: users at ovirt.org
> >>>>>>> Date: 20.09.2012 16:02
> >>>>>>> Subject: Re: [Users] Fatal error during migration
> >>>>>>>
> >>>>>>> Hi,
> >>>>>>> well, so what is the other side saying? Maybe some connectivity
> >>>>>>> problems between those 2 hosts? firewall?
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>> michal
> >>>>>>
> >>>>>> Yes, firewall is not configured properly by default. If I stop it,
> >>>>>> migration done.
> >>>>>> Thanks.
> >>>>> The default is supposed to be:
> >>>>>
> >>>>> # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
> >>>>> *filter
> >>>>> :INPUT ACCEPT [0:0]
> >>>>> :FORWARD ACCEPT [0:0]
> >>>>> :OUTPUT ACCEPT [0:0]
> >>>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>>>> -A INPUT -p icmp -j ACCEPT
> >>>>> -A INPUT -i lo -j ACCEPT
> >>>>> # vdsm
> >>>>> -A INPUT -p tcp --dport 54321 -j ACCEPT
> >>>>> # libvirt tls
> >>>>> -A INPUT -p tcp --dport 16514 -j ACCEPT
> >>>>> # SSH
> >>>>> -A INPUT -p tcp --dport 22 -j ACCEPT
> >>>>> # guest consoles
> >>>>> -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> >>>>> # migration
> >>>>> -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> >>>>> # snmp
> >>>>> -A INPUT -p udp --dport 161 -j ACCEPT
> >>>>> # Reject any other input traffic
> >>>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> >>>>> -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> >>>>> COMMIT
> >>>>
> >>>> my default is:
> >>>>
> >>>> # cat /etc/sysconfig/iptables
> >>>> # oVirt automatically generated firewall configuration
> >>>> *filter
> >>>> :INPUT ACCEPT [0:0]
> >>>> :FORWARD ACCEPT [0:0]
> >>>> :OUTPUT ACCEPT [0:0]
> >>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>>> -A INPUT -p icmp -j ACCEPT
> >>>> -A INPUT -i lo -j ACCEPT
> >>>> #vdsm
> >>>> -A INPUT -p tcp --dport 54321 -j ACCEPT
> >>>> # SSH
> >>>> -A INPUT -p tcp --dport 22 -j ACCEPT
> >>>> # guest consoles
> >>>> -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> >>>> # migration
> >>>> -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> >>>> # snmp
> >>>> -A INPUT -p udp --dport 161 -j ACCEPT
> >>>> #
> >>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> >>>> -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> >>>> COMMIT
> >>>>
> >>>>>
> >>>>> did you change it manually or is the default missing anything?
> >>>>
> >>>> default missing "libvirt tls" field.
> >>> was it an upgrade of some sort?
> >> No.
> >>
> >>> These are installed at node setup
> >>> from ovirt-engine. Check the engine version and/or the
> >>> IPTablesConfig in vdc_options table on engine
> >>
> >> oVirt engine version: 3.1.0-2.fc17
> >>
> >> engine=# select * from vdc_options where option_id=100;
> >> option_id | option_name | option_value | version
> >> -----------+----------------+-------------------------------------------------------------------------------------------+---------
> >> 100 | IPTablesConfig | # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.+| general
> >> | | *filter +|
> >> | | :INPUT ACCEPT [0:0] +|
> >> | | :FORWARD ACCEPT [0:0] +|
> >> | | :OUTPUT ACCEPT [0:0] +|
> >> | | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +|
> >> | | -A INPUT -p icmp -j ACCEPT +|
> >> | | -A INPUT -i lo -j ACCEPT +|
> >> | | # vdsm +|
> >> | | -A INPUT -p tcp --dport 54321 -j ACCEPT +|
> >> | | # libvirt tls +|
> >> | | -A INPUT -p tcp --dport 16514 -j ACCEPT +|
> >> | | # SSH +|
> >> | | -A INPUT -p tcp --dport 22 -j ACCEPT +|
> >> | | # guest consoles +|
> >> | | -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT +|
> >> | | # migration +|
> >> | | -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT +|
> >> | | # snmp +|
> >> | | -A INPUT -p udp --dport 161 -j ACCEPT +|
> >> | | # Reject any other input traffic +|
> >> | | -A INPUT -j REJECT --reject-with icmp-host-prohibited +|
> >> | | -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited+|
> >> | | COMMIT +|
> >> | | |
> >>
> >> IPTablesConfig is right.
> >>
> >> When I add my nodes to engine, I just approve it. I don't have
> >> an "Automatically configure host firewall" option.
> >>
> >>
> >>
> >> (Added Mike Burns)
> >> Right.
> >> This is the diff between ovirt node and Fedora based node.
> >> In oVirt node we expect the FW to have all relevant settings.
> >>
> >> Mike, do we have these ports opened in the node?
> >> Was it changed?
> >
> > Yes, the ports are open and no, it hasn't changed in a long time:
> >
> > cat > /etc/sysconfig/iptables << \EOF
> > # oVirt automatically generated firewall configuration
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > -A INPUT -p icmp -j ACCEPT
> > -A INPUT -i lo -j ACCEPT
> > #vdsm
> > -A INPUT -p tcp --dport 54321 -j ACCEPT
> > # SSH
> > -A INPUT -p tcp --dport 22 -j ACCEPT
> > # guest consoles
> > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> > # migration
> > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> > # snmp
> > -A INPUT -p udp --dport 161 -j ACCEPT
> > #
> > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> > COMMIT
> > EOF
> >
> >>
> >
> >
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-do-not-submit-tmp-workaround-for-missing-libvirt-tls.patch
Type: text/x-patch
Size: 947 bytes
Desc: not available
URL: <http://lists.ovirt.org/pipermail/users/attachments/20120921/36d05c32/attachment.bin>
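
Added example, not part of the original thread or of ovirt-node: the comparison done by eye above (engine IPTablesConfig versus the node's /etc/sysconfig/iptables) as a small script that lists ports the expected rule set accepts but the deployed one does not. The two rule sets are constructed samples abridged from the ones quoted in the thread; the function names are hypothetical.

```python
import re

# Constructed sample, abridged from the engine default quoted in the thread.
ENGINE_DEFAULT = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 54321 -j ACCEPT
-A INPUT -p tcp --dport 16514 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Constructed sample: the node's rule set, i.e. the same rules minus libvirt tls.
NODE_ACTUAL = ENGINE_DEFAULT.replace("-A INPUT -p tcp --dport 16514 -j ACCEPT\n", "")

# INPUT rules that accept a tcp/udp destination port, port list or port range.
RULE = re.compile(r"^-A INPUT\b.*?-p (tcp|udp)\b.*?--dports? (\S+).*-j ACCEPT\b")

def accepted_ranges(ruleset):
    """Return (proto, low, high) for every INPUT ACCEPT rule with a destination port."""
    out = []
    for line in ruleset.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # comments, chain policies, REJECT rules, portless rules
        for spec in m.group(2).split(","):
            low, _, high = spec.partition(":")
            out.append((m.group(1), int(low), int(high or low)))
    return out

def missing_ports(expected, actual):
    """Ranges accepted by `expected` that no single range in `actual` covers."""
    have = accepted_ranges(actual)
    return [
        (proto, lo, hi) for proto, lo, hi in accepted_ranges(expected)
        if not any(p == proto and a <= lo and hi <= b for p, a, b in have)
    ]

if __name__ == "__main__":
    for proto, lo, hi in missing_ports(ENGINE_DEFAULT, NODE_ACTUAL):
        print("missing: %s %s" % (proto, lo if lo == hi else "%d:%d" % (lo, hi)))
```

On a real host, pass the contents of /etc/sysconfig/iptables as `actual`. The check reads only the saved rule file, so confirm the loaded rules with iptables -L as well.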