Giuseppe, et. al
I gave up on my six-server hosted engine install, partly for this reason.
In addition to this problem, I found that I couldn't use a bridge of my own
naming. Then, trying to associate interfaces with bridges in the web
interface, my hand-tuned bridges were fatally clobbered. Like, the files I
wrote by hand in /etc/sysconfig/ifcfg-*, bridges, and interfaces (some with
VLANs) alike. And other things... like the Westmere vs. Ivy Bridge thing.
Anyway, I think what's happening to your install is that iptables on the
host is getting clobbered by the automatic install that happens when the
hosted-engine setup script finally contacts the engine the for the first
time. I'm not sure how to keep this from happening, but it's a place to
start. And I think it's the reason your setting False didn't help. By the
way, it took a two hour test for me to learn that even removing the
/etc/sysconfig/iptables file AND stopping AND disabling iptables via
systemctl on both host and engine did nothing to combat this behavior.
Back when I set up 3.0, I saw similar behavior. At that time though, the
iptables thing wasn't fatal. I observed here that this overwriting and
enabling/starting of iptables causes the very lest part of the
hosted-engine setup script to fail miserably. As a result of the engine
not being able to contact the host at the end of its install phase, the
H/A configuration is never done. This is my theory, anyway.
I think oVirt should leave the firewall _completely_ alone and just
document what ports should be open. I don't think we need that special
line at the bottom of /etc/sysconfig/iptables oVirt puts in there. I'll
stop rambling now. :-) I like oVirt, but getting so far into this that I
have a have two hour turnaround every time I want to test a minor tweak is
just too much. I think this will get better in time, I hope. At that
time, maybe I'll try again.
Here's what libvirt has to say about iptables vs. bridges:
The final step is to disable netfilter on the bridge:
# cat /etc/sysctl.conf EOF
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
EOF
# sysctl -p /etc/sysctl.conf
It is recommended to do this for performance and security reasons. See Fedora
bug #512206 https://bugzilla.redhat.com/512206. Alternatively you can
configure iptables to allow all traffic to be forwarded across the bridge:
# echo -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
/etc/sysconfig/iptables-forward-bridged
# lokkit --custom-rules=ipv4:filter:/etc/sysconfig/iptables-forward-bridged
# service libvirtd reload
source:
http://wiki.libvirt.org/page/Networking#Creating_network_initscripts
You might be interested to know that you can pre-populate vm.conf.in in
/usr/share, before the install. Here was mine:
vmId=@VM_UUID@
memSize=@MEM_SIZE@
display=@CONSOLE_TYPE@
devices={index:2,iface:ide,address:{ controller:0, target:0,unit:0,
bus:1,
type:drive},specParams:{},readonly:true,deviceId:@CDROM_UUID@,path:@CDROM@,device:cdrom,shared:false,type:disk@BOOT_CDROM@}
devices={index:0,iface:virtio,format:raw,poolID:@SP_UUID@,volumeID:@VOL_UUID@,imageID:@IMG_UUID@,specParams:{},readonly:false,domainID:@SD_UUID@,optional:false,deviceId:@IMG_UUID@,address:{bus:0x00,
slot:0x06, domain:0x, type:pci,
function:0x0},device:disk,shared:exclusive,propagateErrors:off,type:disk@BOOT_DISK@}
devices={device:scsi,model:virtio-scsi,type:controller}
devices={device:console,specParams:{},type:console,deviceId:@CONSOLE_UUID@,alias:console0}
vmName=@NAME@
spiceSecureChannels=smain,sdisplay,sinputs,scursor,splayback,srecord,ssmartcard,susbredir
smp=@VCPUS@
cpuType=@CPU_TYPE@
emulatedMachine=@EMULATED_MACHINE@
devices={nicModel:pv,macAddr:00:16:3e:3d:78:10,linkActive:true,network:brbaseboard,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:ab3f9ae9-1d1b-432e-997d-f3458f89cf10,address:{bus:0x01,
slot:0x01, domain:0x, type:pci,
function:0x0},device:bridge,type:interface}
devices={nicModel:pv,macAddr:@MAC_ADDR@,linkActive:true,network:@BRIDGE@,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:@NIC_UUID@,address:{bus:0x01,
slot:0x02, domain:0x, type:pci,
function:0x0},device:bridge,type:interface@BOOT_PXE@}
devices={nicModel:pv,macAddr:00:16:3e:3d:78:30,linkActive:true,network:brstorage,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:ab3f9ae9-1d1b-432e-997d-f3458f89cf30,address:{bus:0x01,
slot:0x03, domain:0x, type:pci,
function:0x0},device:bridge,type:interface}
devices={nicModel:pv,macAddr:00:16:3e:3d:78:40,linkActive:true,network:brcompute,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:ab3f9ae9-1d1b-432e-997d-f3458f89cf40,address:{bus:0x01,
slot:0x04, domain:0x, type:pci,
function:0x0},device:bridge,type:interface}