[Users] web admin portal not reachable after reboot
Gianluca Cecchi
gianluca.cecchi at gmail.com
Tue Jan 15 14:10:35 UTC 2013
On Tue, Jan 15, 2013 at 2:22 PM, Yaniv Kaul wrote:
> iptables?
engine was configured asking to set up / override iptables, so I thought it
had to be ok.
...
oVirt Engine will be installed using the following configuration:
=================================================================
override-httpd-config: yes
http-port: 80
https-port: 443
host-fqdn: f18engine.Xxxxt
auth-pass: ********
org-name: YYYYY
default-dc-type: ISCSI
db-remote-install: local
db-local-pass: ********
nfs-mp: /ISO
config-nfs: yes
override-iptables: yes
Proceed with the configuration listed above? (yes|no): yes
...
Configuring Firewall (iptables)... [ DONE ]
...
In engine setup log file:
...
2013-01-12 15:00:38::DEBUG::engine-setup::886::root:: configuring iptables
2013-01-12 15:00:38::DEBUG::engine-setup::917::root:: # Generated by
ovirt-engine installer
#filtering rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 892 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 875 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 875 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 662 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 662 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 32769 -j ACCEPT
#drop all rule
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
2013-01-12 15:00:38::DEBUG::common_utils::699::root:: successfully copied
file /etc/ovirt-engine/iptables.example to target destination
/etc/sysconfig/iptables
2013-01-12 15:00:38::DEBUG::common_utils::707::root:: setting file
/etc/sysconfig/iptables uid/gid ownership
2013-01-12 15:00:38::DEBUG::common_utils::710::root:: setting file
/etc/sysconfig/iptables mode to -1
2013-01-12 15:00:38::DEBUG::engine-setup::932::root:: Restarting the
iptables service
2013-01-12 15:00:38::DEBUG::common_utils::1208::root:: stopping iptables
2013-01-12 15:00:38::DEBUG::common_utils::1245::root:: executing action
iptables on service stop
2013-01-12 15:00:38::DEBUG::common_utils::427::root:: Executing command -->
'/sbin/service iptables stop'
2013-01-12 15:00:38::DEBUG::common_utils::465::root:: output =
2013-01-12 15:00:38::DEBUG::common_utils::466::root:: stderr = Redirecting
to /bin/systemctl stop iptables.service
2013-01-12 15:00:38::DEBUG::common_utils::467::root:: retcode = 0
2013-01-12 15:00:38::DEBUG::common_utils::1198::root:: starting iptables
2013-01-12 15:00:38::DEBUG::common_utils::1245::root:: executing action
iptables on service start
2013-01-12 15:00:38::DEBUG::common_utils::427::root:: Executing command -->
'/sbin/service iptables start'
2013-01-12 15:00:38::DEBUG::common_utils::465::root:: output =
2013-01-12 15:00:38::DEBUG::common_utils::466::root:: stderr = Redirecting
to /bin/systemctl start iptables.service
2013-01-12 15:00:38::DEBUG::common_utils::467::root:: retcode = 0
2013-01-12 15:00:38::DEBUG::setup_sequences::59::root:: running _startEngine
...
BTW: I have a similar problem with an all-in-one f18 + ovirt nightly setup
running as a VM
after engine-upgrade to 3.2.0-1.20130115.git2970f58.
I'm not able to reach the webadmin portal from the host; I can reach it only if,
for example, I run firefox from inside the engine itself exporting the DISPLAY env var.
What would be the config expected for an f18 engine?
In my case:
1) engine standalone as physical server
It seems I have
firewalld enabled
iptables disabled
ip6tables disabled
ebtables ?
but setup should have enabled it from the options chosen... but I don't see
it in the log file, while I see
2013-01-12 15:00:38::DEBUG::engine-setup::1567::root:: using chkconfig to
enable engine to load on system startup.
2013-01-12 15:00:38::DEBUG::common_utils::427::root:: Executing command -->
'/sbin/chkconfig ovirt-engine on'
2013-01-12 15:00:38::DEBUG::common_utils::465::root:: output =
2013-01-12 15:00:38::DEBUG::common_utils::466::root:: stderr = Note:
Forwarding request to 'systemctl enable ovirt-engine.service'.
ln -s '/usr/lib/systemd/system/ovirt-engine.service'
'/etc/systemd/system/multi-user.target.wants/ovirt-engine.service'
So could it be a bug not enabling iptables during engine-setup???
At this moment my situation:
# systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Tue, 2013-01-15 13:38:40 CET; 1h 17min ago
Main PID: 469 (firewalld)
CGroup: name=systemd:/system/firewalld.service
└ 469 /usr/bin/python -Es /usr/sbin/firewalld --nofork
Jan 15 13:38:40 f18engine systemd[1]: Started firewalld - dynamic firewall
daemon.
# systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
Active: inactive (dead)
CGroup: name=systemd:/system/iptables.service
# systemctl status ip6tables.service
ip6tables.service - IPv6 firewall with ip6tables
Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled)
Active: inactive (dead)
CGroup: name=systemd:/system/ip6tables.service
# systemctl status ebtables.service
ebtables.service - SYSV: Ethernet Bridge filtering tables
Loaded: loaded (/etc/rc.d/init.d/ebtables)
Active: inactive (dead)
CGroup: name=systemd:/system/ebtables.service
# systemctl show ebtables.service| grep onflict
Conflicts=shutdown.target
ConflictedBy=firewalld.service
so there is a problem between ebtables and firewalld (but perhaps this
service has to run only on the hypervisor and not on the engine?)
2) engine configured as an all-in-one in a vm
[g.cecchi at f18aio ~]$ sudo systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
Active: inactive (dead)
CGroup: name=systemd:/system/firewalld.service
[g.cecchi at f18aio ~]$ sudo systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
Active: active (exited) since Tue, 2013-01-15 14:42:46 CET; 18min ago
Process: 31480 ExecStop=/usr/libexec/iptables/iptables.init stop
(code=exited, status=0/SUCCESS)
Process: 31523 ExecStart=/usr/libexec/iptables/iptables.init start
(code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/iptables.service
Jan 15 14:42:46 f18aio.localdomain.local systemd[1]: Starting IPv4 firewall
with iptables...
Jan 15 14:42:46 f18aio.localdomain.local iptables.init[31523]: iptables:
Applying firewall rules: WARNING: The state match is ob...tead.
Jan 15 14:42:46 f18aio.localdomain.local iptables.init[31523]: [ OK ]
Jan 15 14:42:46 f18aio.localdomain.local systemd[1]: Started IPv4 firewall
with iptables.
[g.cecchi at f18aio ~]$ sudo systemctl status ip6tables.service
ip6tables.service - IPv6 firewall with ip6tables
Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; disabled)
Active: inactive (dead)
CGroup: name=systemd:/system/ip6tables.service
[g.cecchi at f18aio ~]$ sudo systemctl status ebtables.service
ebtables.service - SYSV: Ethernet Bridge filtering tables
Loaded: loaded (/etc/rc.d/init.d/ebtables)
Active: inactive (dead)
CGroup: name=systemd:/system/ebtables.service
Gianluca
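Added example, not part of this thread and not the oVirt installer's own code: a small sh audit of the two things the message above turns on. First, whether the iptables-save style file engine-setup writes to /etc/sysconfig/iptables really opens 22/80/443 on INPUT, checking rule order and not just presence (an ACCEPT placed after the catch-all "-A INPUT -j REJECT" is dead). Second, given the "systemctl is-enabled" answers for iptables.service and firewalld.service, which ruleset is actually live after a reboot: on Fedora firewalld.service declares Conflicts= against iptables.service (the page shows the same for ebtables), so with iptables disabled and firewalld enabled the file engine-setup wrote is never loaded at boot and firewalld's default zone applies, which is consistent with the portal going away after reboot. The ruleset is the one quoted from the engine-setup log, embedded as a here-document so the script runs offline without root; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or the oVirt installer): audit the
# /etc/sysconfig/iptables file engine-setup generates, and name the ruleset
# that will be live after reboot.  Sample ruleset: the one quoted in the
# thread, embedded so the check runs offline and without root.
RULES=$(cat <<'EOF'
# Generated by ovirt-engine installer
#filtering rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
#drop all rule
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)

# port_allowed PROTO PORT
# Exit 0 only if the INPUT chain has an explicit ACCEPT for PROTO/PORT that
# appears BEFORE the catch-all REJECT/DROP.  Order matters: an ACCEPT placed
# after "-A INPUT -j REJECT" is never reached, so presence alone proves nothing.
port_allowed() {
    printf '%s\n' "$RULES" | awk -v proto="$1" -v port="$2" '
        /^-A INPUT / && / -j (REJECT|DROP)/ && !/--dport/ { blocked = 1 }
        /^-A INPUT / && !blocked && $0 ~ (" -p " proto " ") && $0 ~ ("--dport " port " ") && / -j ACCEPT$/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# missing_ports PROTO PORT... : print the required ports that are NOT open,
# one per line; "missing_ports tcp 22 80 443" is empty exactly when ssh and
# the engine portal (http/https as configured above) are reachable.
missing_ports() {
    proto=$1; shift
    for p in "$@"; do
        port_allowed "$proto" "$p" || printf '%s/%s\n' "$proto" "$p"
    done
}

# boot_firewall IPTABLES_ENABLED FIREWALLD_ENABLED
# Takes the two "systemctl is-enabled" answers (enabled/disabled) and names the
# ruleset that survives a reboot.  Taking them as arguments keeps the check
# testable offline; on a real host feed it:
#   boot_firewall "$(systemctl is-enabled iptables.service 2>/dev/null)" \
#                 "$(systemctl is-enabled firewalld.service 2>/dev/null)"
boot_firewall() {
    case "$1/$2" in
        enabled/disabled) echo sysconfig ;;  # iptables.service loads /etc/sysconfig/iptables
        disabled/enabled) echo firewalld ;;  # engine-setup's file is ignored; firewalld's zone applies
        enabled/enabled)  echo conflict  ;;  # units conflict; systemd drops one of the two jobs at boot
        *)                echo none      ;;  # no persistent packet filter at all
    esac
}

# Stand-alone run: the embedded sample plus the state quoted for the physical
# engine host (iptables disabled, firewalld enabled).  Against a live host use
#   RULES=$(cat /etc/sysconfig/iptables); missing_ports tcp 22 80 443
printf 'ports missing from the generated file: %s\n' "$(missing_ports tcp 22 80 443 | tr '\n' ' ')"
printf 'ruleset live after reboot: %s\n' "$(boot_firewall disabled enabled)"
```

The generated file itself is fine (all three ports are accepted ahead of the REJECT); the gap is that nothing enables iptables.service, so the audit reports "firewalld" for the state shown above, meaning the file is never applied after a reboot.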