<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: times new roman,new york,times,serif; font-size: 12pt; color: #000000'><hr id="zwchr"><blockquote style="border-left:2px solid rgb(16, 16, 255);margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Dmitriy A Pyryakov" <DPyryakov@ekb.beeline.ru><br><b>To: </b>"Michal Skrivanek" <michal.skrivanek@redhat.com><br><b>Cc: </b>users@ovirt.org<br><b>Sent: </b>Thursday, September 20, 2012 1:34:46 PM<br><b>Subject: </b>Re: [Users] Fatal error during migration<br><br>
<p id="DWT6425"><tt><font size="2">Michal Skrivanek <michal.skrivanek@redhat.com> wrote on 20.09.2012 16:23:31:<br>
<br>
> From: Michal Skrivanek <michal.skrivanek@redhat.com></font></tt><br>
<tt><font size="2">> To: Dmitriy A Pyryakov <DPyryakov@ekb.beeline.ru></font></tt><br>
<tt><font size="2">> Cc: users@ovirt.org</font></tt><br>
<tt><font size="2">> Date: 20.09.2012 16:24</font></tt><br>
<tt><font size="2">> Subject: Re: [Users] Fatal error during migration</font></tt><br>
<tt><font size="2">> <br>
> <br>
> On Sep 20, 2012, at 12:19 , Dmitriy A Pyryakov wrote:<br>
> <br>
> > Michal Skrivanek <michal.skrivanek@redhat.com> wrote on 20.09.2012 16:13:16:<br>
> > <br>
> > > From: Michal Skrivanek <michal.skrivanek@redhat.com><br>
> > > To: Dmitriy A Pyryakov <DPyryakov@ekb.beeline.ru><br>
> > > Cc: users@ovirt.org<br>
> > > Date: 20.09.2012 16:13<br>
> > > Subject: Re: [Users] Fatal error during migration<br>
> > > <br>
> > > <br>
> > > On Sep 20, 2012, at 12:07 , Dmitriy A Pyryakov wrote:<br>
> > > <br>
> > > > Michal Skrivanek <michal.skrivanek@redhat.com> wrote on 20.09.2012 16:02:11:<br>
> > > > <br>
> > > > > From: Michal Skrivanek <michal.skrivanek@redhat.com><br>
> > > > > To: Dmitriy A Pyryakov <DPyryakov@ekb.beeline.ru><br>
> > > > > Cc: users@ovirt.org<br>
> > > > > Date: 20.09.2012 16:02<br>
> > > > > Subject: Re: [Users] Fatal error during migration<br>
> > > > > <br>
> > > > > Hi,<br>
> > > > > well, so what is the other side saying? Maybe some connectivity <br>
> > > > > problems between those 2 hosts? firewall? <br>
> > > > > <br>
> > > > > Thanks,<br>
> > > > > michal<br>
> > > > <br>
> > > > Yes, the firewall is not configured properly by default. If I stop it, the migration is done.<br>
> > > > Thanks.<br>
> > > The default is supposed to be:<br>
> > > <br>
> > > # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.<br>
> > > *filter<br>
> > > :INPUT ACCEPT [0:0]<br>
> > > :FORWARD ACCEPT [0:0]<br>
> > > :OUTPUT ACCEPT [0:0]<br>
> > > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br>
> > > -A INPUT -p icmp -j ACCEPT<br>
> > > -A INPUT -i lo -j ACCEPT<br>
> > > # vdsm<br>
> > > -A INPUT -p tcp --dport 54321 -j ACCEPT<br>
> > > # libvirt tls<br>
> > > -A INPUT -p tcp --dport 16514 -j ACCEPT<br>
> > > # SSH<br>
> > > -A INPUT -p tcp --dport 22 -j ACCEPT<br>
> > > # guest consoles<br>
> > > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT<br>
> > > # migration<br>
> > > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT<br>
> > > # snmp<br>
> > > -A INPUT -p udp --dport 161 -j ACCEPT<br>
> > > # Reject any other input traffic<br>
> > > -A INPUT -j REJECT --reject-with icmp-host-prohibited<br>
> > > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited<br>
> > > COMMIT<br>
> > <br>
> > my default is:<br>
> > <br>
> > # cat /etc/sysconfig/iptables<br>
> > # oVirt automatically generated firewall configuration<br>
> > *filter<br>
> > :INPUT ACCEPT [0:0]<br>
> > :FORWARD ACCEPT [0:0]<br>
> > :OUTPUT ACCEPT [0:0]<br>
> > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br>
> > -A INPUT -p icmp -j ACCEPT<br>
> > -A INPUT -i lo -j ACCEPT<br>
> > #vdsm<br>
> > -A INPUT -p tcp --dport 54321 -j ACCEPT<br>
> > # SSH<br>
> > -A INPUT -p tcp --dport 22 -j ACCEPT<br>
> > # guest consoles<br>
> > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT<br>
> > # migration<br>
> > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT<br>
> > # snmp<br>
> > -A INPUT -p udp --dport 161 -j ACCEPT<br>
> > #<br>
> > -A INPUT -j REJECT --reject-with icmp-host-prohibited<br>
> > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited<br>
> > COMMIT<br>
> > <br>
> > > <br>
> > > did you change it manually or is the default missing anything?<br>
> > <br>
> > The default is missing the "libvirt tls" field.<br>
> was it an upgrade of some sort?</font></tt><br>
<tt><font size="2">No.</font></tt><br>
<br>
<tt><font size="2">> These are installed at node setup <br>
> from ovirt-engine. Check the engine version and/or the <br>
> IPTablesConfig in vdc_options table on engine<br>
</font></tt><br>
<tt><font size="2">oVirt engine version: 3.1.0-2.fc17</font></tt><br>
<br>
<tt><font size="2">engine=# select * from vdc_options where option_id=100;</font></tt><br>
<tt><font size="2"> option_id | option_name | option_value | version</font></tt><br>
<tt><font size="2">-----------+----------------+-------------------------------------------------------------------------------------------+---------</font></tt><br>
<tt><font size="2"> 100 | IPTablesConfig | # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.+| general</font></tt><br>
<tt><font size="2"> | | *filter +|</font></tt><br>
<tt><font size="2"> | | :INPUT ACCEPT [0:0] +|</font></tt><br>
<tt><font size="2"> | | :FORWARD ACCEPT [0:0] +|</font></tt><br>
<tt><font size="2"> | | :OUTPUT ACCEPT [0:0] +|</font></tt><br>
<tt><font size="2"> | | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +|</font></tt><br>
<tt><font size="2"> | | -A INPUT -p icmp -j ACCEPT +|</font></tt><br>
<tt><font size="2"> | | -A INPUT -i lo -j ACCEPT +|</font></tt><br>
<tt><font size="2"> | | # vdsm +|</font></tt><br>
<tt><font size="2"> | | -A INPUT -p tcp --dport 54321 -j ACCEPT +|</font></tt><br>
<tt><font size="2"> | | # libvirt tls +|</font></tt><br>
<tt><font size="2"> | | -A INPUT -p tcp --dport 16514 -j ACCEPT +|</font></tt><br>
<tt><font size="2"> | | # SSH +|</font></tt><br>
<tt><font size="2"> | | -A INPUT -p tcp --dport 22 -j ACCEPT +|</font></tt><br>
<tt><font size="2"> | | # guest consoles +|</font></tt><br>
<tt><font size="2"> | | -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT +|</font></tt><br>
<tt><font size="2"> | | # migration +|</font></tt><br>
<tt><font size="2"> | | -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT +|</font></tt><br>
<tt><font size="2"> | | # snmp +|</font></tt><br>
<tt><font size="2"> | | -A INPUT -p udp --dport 161 -j ACCEPT +|</font></tt><br>
<tt><font size="2"> | | # Reject any other input traffic +|</font></tt><br>
<tt><font size="2"> | | -A INPUT -j REJECT --reject-with icmp-host-prohibited +|</font></tt><br>
<tt><font size="2"> | | -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited+|</font></tt><br>
<tt><font size="2"> | | COMMIT +|</font></tt><br>
<tt><font size="2"> | | |</font></tt><br>
<br>
<tt><font size="2">IPTablesConfig is right.</font></tt><br>
<br>
<tt><font size="2">When I add my nodes to engine, I just approve it. I don't have an "Automatically configure host firewall" option.</font></tt><br>
<tt><font size="2"></font></tt><br></p></blockquote>(Added Mike Burns)<br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px; color: rgb(0, 0, 0); font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;"><p></p></blockquote>Right.<br>This is the diff between ovirt node and Fedora based node.<br>In oVirt node we expect the FW to have all relevant settings.<br><br>Mike, do we have these ports opened in the node? <br>Was it changed?<br></div></body></html>