On Thu, 2012-09-20 at 06:46 -0400, Doron Fediuck wrote:
>
> ______________________________________________________________________
> From: "Dmitriy A Pyryakov" <[email protected]>
> To: "Michal Skrivanek" <[email protected]>
> Cc: [email protected]
> Sent: Thursday, September 20, 2012 1:34:46 PM
> Subject: Re: [Users] Fatal error during migration
>
> Michal Skrivanek <[email protected]> wrote on 20.09.2012 16:23:31:
>
> > From: Michal Skrivanek <[email protected]>
> > To: Dmitriy A Pyryakov <[email protected]>
> > Cc: [email protected]
> > Date: 20.09.2012 16:24
> > Subject: Re: [Users] Fatal error during migration
> >
> > On Sep 20, 2012, at 12:19 , Dmitriy A Pyryakov wrote:
> >
> > > Michal Skrivanek <[email protected]> wrote on 20.09.2012 16:13:16:
> > >
> > > > From: Michal Skrivanek <[email protected]>
> > > > To: Dmitriy A Pyryakov <[email protected]>
> > > > Cc: [email protected]
> > > > Date: 20.09.2012 16:13
> > > > Subject: Re: [Users] Fatal error during migration
> > > >
> > > > On Sep 20, 2012, at 12:07 , Dmitriy A Pyryakov wrote:
> > > >
> > > > > Michal Skrivanek <[email protected]> wrote on 20.09.2012 16:02:11:
> > > > >
> > > > > > From: Michal Skrivanek <[email protected]>
> > > > > > To: Dmitriy A Pyryakov <[email protected]>
> > > > > > Cc: [email protected]
> > > > > > Date: 20.09.2012 16:02
> > > > > > Subject: Re: [Users] Fatal error during migration
> > > > > >
> > > > > > Hi,
> > > > > > well, so what is the other side saying? Maybe some connectivity
> > > > > > problems between those 2 hosts? firewall?
> > > > > >
> > > > > > Thanks,
> > > > > > michal
> > > > >
> > > > > Yes, firewall is not configured properly by default. If I stop it, migration done.
> > > > > Thanks.
> > > > The default is supposed to be:
> > > >
> > > > # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
> > > > *filter
> > > > :INPUT ACCEPT [0:0]
> > > > :FORWARD ACCEPT [0:0]
> > > > :OUTPUT ACCEPT [0:0]
> > > > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > > -A INPUT -p icmp -j ACCEPT
> > > > -A INPUT -i lo -j ACCEPT
> > > > # vdsm
> > > > -A INPUT -p tcp --dport 54321 -j ACCEPT
> > > > # libvirt tls
> > > > -A INPUT -p tcp --dport 16514 -j ACCEPT
> > > > # SSH
> > > > -A INPUT -p tcp --dport 22 -j ACCEPT
> > > > # guest consoles
> > > > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> > > > # migration
> > > > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> > > > # snmp
> > > > -A INPUT -p udp --dport 161 -j ACCEPT
> > > > # Reject any other input traffic
> > > > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > > > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> > > > COMMIT
> > >
> > > my default is:
> > >
> > > # cat /etc/sysconfig/iptables
> > > # oVirt automatically generated firewall configuration
> > > *filter
> > > :INPUT ACCEPT [0:0]
> > > :FORWARD ACCEPT [0:0]
> > > :OUTPUT ACCEPT [0:0]
> > > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > -A INPUT -p icmp -j ACCEPT
> > > -A INPUT -i lo -j ACCEPT
> > > #vdsm
> > > -A INPUT -p tcp --dport 54321 -j ACCEPT
> > > # SSH
> > > -A INPUT -p tcp --dport 22 -j ACCEPT
> > > # guest consoles
> > > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> > > # migration
> > > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> > > # snmp
> > > -A INPUT -p udp --dport 161 -j ACCEPT
> > > #
> > > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> > > COMMIT
> > >
> > > >
> > > > did you change it manually or is the default missing anything?
> > >
> > > default missing "libvirt tls" field.
> > was it an upgrade of some sort?
> No.
>
> > These are installed at node setup
> > from ovirt-engine. Check the engine version and/or the
> > IPTablesConfig in vdc_options table on engine
>
> oVirt engine version: 3.1.0-2.fc17
>
> engine=# select * from vdc_options where option_id=100;
>  option_id |  option_name   | option_value | version
> -----------+----------------+-------------------------------------------------------------------------------------------+---------
>        100 | IPTablesConfig | # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.+| general
>            |                | *filter +|
>            |                | :INPUT ACCEPT [0:0] +|
>            |                | :FORWARD ACCEPT [0:0] +|
>            |                | :OUTPUT ACCEPT [0:0] +|
>            |                | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +|
>            |                | -A INPUT -p icmp -j ACCEPT +|
>            |                | -A INPUT -i lo -j ACCEPT +|
>            |                | # vdsm +|
>            |                | -A INPUT -p tcp --dport 54321 -j ACCEPT +|
>            |                | # libvirt tls +|
>            |                | -A INPUT -p tcp --dport 16514 -j ACCEPT +|
>            |                | # SSH +|
>            |                | -A INPUT -p tcp --dport 22 -j ACCEPT +|
>            |                | # guest consoles +|
>            |                | -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT +|
>            |                | # migration +|
>            |                | -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT +|
>            |                | # snmp +|
>            |                | -A INPUT -p udp --dport 161 -j ACCEPT +|
>            |                | # Reject any other input traffic +|
>            |                | -A INPUT -j REJECT --reject-with icmp-host-prohibited +|
>            |                | -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited+|
>            |                | COMMIT +|
>            |                | |
>
> IPTablesConfig is right.
>
> When I add my nodes to engine, I just approve it. I don't have an "Automatically configure host firewall" option.
>
> (Added Mike Burns)
> Right.
> This is the diff between ovirt node and Fedora based node.
> In oVirt node we expect the FW to have all relevant settings.
>
> Mike, do we have these ports opened in the node?
> Was it changed?
Yes, the ports are open and no, it hasn't changed in a long time:

cat > /etc/sysconfig/iptables << \EOF
# oVirt automatically generated firewall configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
#
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
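Added example (not part of the original thread and not oVirt code): a small Python check that compares the INPUT ACCEPT rules in the engine's IPTablesConfig template with a host's /etc/sysconfig/iptables and reports what the host lacks, which for the rule sets quoted above is the libvirt TLS port 16514. The function names are hypothetical, the inputs are constructed from the quoted rule sets, and port specs are compared textually (a single port is not matched against a range).

```python
import re

# Constructed input: the port rules of the engine template quoted in the thread.
ENGINE_TEMPLATE = """\
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# libvirt tls
-A INPUT -p tcp --dport 16514 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Constructed input: the node's file, i.e. the template without the libvirt tls rule.
LIBVIRT_TLS = "# libvirt tls\n-A INPUT -p tcp --dport 16514 -j ACCEPT\n"
NODE_FILE = ENGINE_TEMPLATE.replace(LIBVIRT_TLS, "")

RULE = re.compile(r"^-A INPUT\b.*?-p (tcp|udp)\b.*?--dports? (\S+).*-j ACCEPT\s*$")

def accepted_ports(ruleset):
    """Map (proto, port-spec) to the comment label preceding each INPUT ACCEPT rule."""
    found, label = {}, ""
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("#"):
            label = line.lstrip("# ").strip()
            continue
        m = RULE.match(line)
        if m:
            for spec in m.group(2).split(","):  # multiport lists: "a,b,c:d"
                found[(m.group(1), spec)] = label
        label = ""  # a label only applies to the rule directly below it
    return found

def missing_rules(expected, actual):
    """Return (proto, port-spec, label) for rules in expected that actual lacks."""
    want, have = accepted_ports(expected), accepted_ports(actual)
    return sorted((p, s, want[(p, s)]) for p, s in want.keys() - have.keys())

if __name__ == "__main__":
    for proto, spec, label in missing_rules(ENGINE_TEMPLATE, NODE_FILE):
        print(f"host does not accept {proto}/{spec} ({label})")
```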

