On Fri, 2012-09-21 at 01:58 -0400, Michal Skrivanek wrote:
> Well, looks like 16514 is not open on node. I guess it should, tls migration is
> new in 3.1, isn't it?
>

I'm surprised this wasn't caught earlier. I've submitted a patch to add the
port to the default firewall [1].

You can run the following command to open the firewall port manually on
ovirt-node.

python -c 'from ovirtnode.ovirtfunctions import *; manage_firewall_port("16514","open","tcp")'

To make it work across reboots, do the following:

1. Press F2 on the TUI to get a shell
2. scp the attached patch file to /tmp on ovirt-node (you need to initiate
   this from ovirt-node, not from your local machine)
3. on ovirt-node, run # mount -o remount,rw /
4. cd /usr/libexec
5. patch </tmp/0001*patch
6. persist /usr/libexec/ovirt-init-functions
7. Reboot

When the machine comes back up, you should see that port is open.

iptables -L

Mike

[1] http://gerrit.ovirt.org/8116

> On 20 Sep 2012, at 15:25, Mike Burns <mbu...@redhat.com> wrote:
>
> > On Thu, 2012-09-20 at 06:46 -0400, Doron Fediuck wrote:
> >>
> >> ______________________________________________________________________
> >> From: "Dmitriy A Pyryakov" <dpyrya...@ekb.beeline.ru>
> >> To: "Michal Skrivanek" <michal.skriva...@redhat.com>
> >> Cc: users@ovirt.org
> >> Sent: Thursday, September 20, 2012 1:34:46 PM
> >> Subject: Re: [Users] Fatal error during migration
> >>
> >>
> >>
> >> Michal Skrivanek <michal.skriva...@redhat.com> wrote on
> >> 20.09.2012 16:23:31:
> >>
> >>> From: Michal Skrivanek <michal.skriva...@redhat.com>
> >>> To: Dmitriy A Pyryakov <dpyrya...@ekb.beeline.ru>
> >>> Cc: users@ovirt.org
> >>> Date: 20.09.2012 16:24
> >>> Subject: Re: [Users] Fatal error during migration
> >>>
> >>>
> >>> On Sep 20, 2012, at 12:19, Dmitriy A Pyryakov wrote:
> >>>
> >>>> Michal Skrivanek <michal.skriva...@redhat.com> wrote on
> >>>> 20.09.2012 16:13:16:
> >>>>
> >>>>> From: Michal Skrivanek <michal.skriva...@redhat.com>
> >>>>> To: Dmitriy A Pyryakov <dpyrya...@ekb.beeline.ru>
> >>>>> Cc: users@ovirt.org
> >>>>> Date: 20.09.2012 16:13
> >>>>> Subject: Re: [Users] Fatal error during migration
> >>>>>
> >>>>>
> >>>>> On Sep 20, 2012, at 12:07, Dmitriy A Pyryakov wrote:
> >>>>>
> >>>>>> Michal Skrivanek <michal.skriva...@redhat.com> wrote on
> >>>>>> 20.09.2012 16:02:11:
> >>>>>>
> >>>>>>> From: Michal Skrivanek <michal.skriva...@redhat.com>
> >>>>>>> To: Dmitriy A Pyryakov <dpyrya...@ekb.beeline.ru>
> >>>>>>> Cc: users@ovirt.org
> >>>>>>> Date: 20.09.2012 16:02
> >>>>>>> Subject: Re: [Users] Fatal error during migration
> >>>>>>>
> >>>>>>> Hi,
> >>>>>>> well, so what is the other side saying? Maybe some connectivity
> >>>>>>> problems between those 2 hosts? firewall?
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>> michal
> >>>>>>
> >>>>>> Yes, firewall is not configured properly by default. If I stop it,
> >>>>>> migration done.
> >>>>>> Thanks.
> >>>>> The default is supposed to be:
> >>>>>
> >>>>> # oVirt default firewall configuration. Automatically generated by
> >>>>> vdsm bootstrap script.
> >>>>> *filter
> >>>>> :INPUT ACCEPT [0:0]
> >>>>> :FORWARD ACCEPT [0:0]
> >>>>> :OUTPUT ACCEPT [0:0]
> >>>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>>>> -A INPUT -p icmp -j ACCEPT
> >>>>> -A INPUT -i lo -j ACCEPT
> >>>>> # vdsm
> >>>>> -A INPUT -p tcp --dport 54321 -j ACCEPT
> >>>>> # libvirt tls
> >>>>> -A INPUT -p tcp --dport 16514 -j ACCEPT
> >>>>> # SSH
> >>>>> -A INPUT -p tcp --dport 22 -j ACCEPT
> >>>>> # guest consoles
> >>>>> -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> >>>>> # migration
> >>>>> -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> >>>>> # snmp
> >>>>> -A INPUT -p udp --dport 161 -j ACCEPT
> >>>>> # Reject any other input traffic
> >>>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> >>>>> -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> >>>>> COMMIT
> >>>>
> >>>> my default is:
> >>>>
> >>>> # cat /etc/sysconfig/iptables
> >>>> # oVirt automatically generated firewall configuration
> >>>> *filter
> >>>> :INPUT ACCEPT [0:0]
> >>>> :FORWARD ACCEPT [0:0]
> >>>> :OUTPUT ACCEPT [0:0]
> >>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>>> -A INPUT -p icmp -j ACCEPT
> >>>> -A INPUT -i lo -j ACCEPT
> >>>> #vdsm
> >>>> -A INPUT -p tcp --dport 54321 -j ACCEPT
> >>>> # SSH
> >>>> -A INPUT -p tcp --dport 22 -j ACCEPT
> >>>> # guest consoles
> >>>> -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> >>>> # migration
> >>>> -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> >>>> # snmp
> >>>> -A INPUT -p udp --dport 161 -j ACCEPT
> >>>> #
> >>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> >>>> -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> >>>> COMMIT
> >>>>
> >>>>>
> >>>>> did you change it manually or is the default missing anything?
> >>>>
> >>>> default missing "libvirt tls" field.
> >>> was it an upgrade of some sort?
> >> No.
> >>
> >>> These are installed at node setup
> >>> from ovirt-engine. Check the engine version and/or the
> >>> IPTablesConfig in vdc_options table on engine
> >>
> >> oVirt engine version: 3.1.0-2.fc17
> >>
> >> engine=# select * from vdc_options where option_id=100;
> >> option_id | option_name | option_value | version
> >> -----------+----------------+-------------------------------------------------------------------------------------------+---------
> >> 100 | IPTablesConfig | # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.+| general
> >> | | *filter +|
> >> | | :INPUT ACCEPT [0:0] +|
> >> | | :FORWARD ACCEPT [0:0] +|
> >> | | :OUTPUT ACCEPT [0:0] +|
> >> | | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +|
> >> | | -A INPUT -p icmp -j ACCEPT +|
> >> | | -A INPUT -i lo -j ACCEPT +|
> >> | | # vdsm +|
> >> | | -A INPUT -p tcp --dport 54321 -j ACCEPT +|
> >> | | # libvirt tls +|
> >> | | -A INPUT -p tcp --dport 16514 -j ACCEPT +|
> >> | | # SSH +|
> >> | | -A INPUT -p tcp --dport 22 -j ACCEPT +|
> >> | | # guest consoles +|
> >> | | -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT +|
> >> | | # migration +|
> >> | | -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT +|
> >> | | # snmp +|
> >> | | -A INPUT -p udp --dport 161 -j ACCEPT +|
> >> | | # Reject any other input traffic +|
> >> | | -A INPUT -j REJECT --reject-with icmp-host-prohibited +|
> >> | | -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited+|
> >> | | COMMIT +|
> >> | | |
> >>
> >> IPTablesConfig is right.
> >>
> >> When I add my nodes to engine, I just approve it. I don't have
> >> an "Automatically configure host firewall" option.
> >>
> >>
> >>
> >> (Added Mike Burns)
> >> Right.
> >> This is the diff between ovirt node and Fedora based node.
> >> In oVirt node we expect the FW to have all relevant settings.
> >>
> >> Mike, do we have these ports opened in the node?
> >> Was it changed?
> >
> > Yes, the ports are open and no, it hasn't changed in a long time:
> >
> > cat > /etc/sysconfig/iptables << \EOF
> > # oVirt automatically generated firewall configuration
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > -A INPUT -p icmp -j ACCEPT
> > -A INPUT -i lo -j ACCEPT
> > #vdsm
> > -A INPUT -p tcp --dport 54321 -j ACCEPT
> > # SSH
> > -A INPUT -p tcp --dport 22 -j ACCEPT
> > # guest consoles
> > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> > # migration
> > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> > # snmp
> > -A INPUT -p udp --dport 161 -j ACCEPT
> > #
> > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> > COMMIT
> > EOF
> >
> >>
> >
> >
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>From 193f91f928dbe74de1aaa7d222dc64329886ca0f Mon Sep 17 00:00:00 2001 From: Mike Burns <mbu...@redhat.com> Date: Fri, 21 Sep 2012 07:37:25 -0400 Subject: [PATCH] do not submit--tmp workaround for missing libvirt tls port Change-Id: I2a542cfcef838ac899d008bdc67de072abaa8fb5 Signed-off-by: Mike Burns <mbu...@redhat.com> --- scripts/ovirt-init-functions.sh | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/scripts/ovirt-init-functions.sh b/scripts/ovirt-init-functions.sh index 434b50a..b815297 100644 --- a/scripts/ovirt-init-functions.sh +++ b/scripts/ovirt-init-functions.sh @@ -1220,6 +1220,9 @@ start_ovirt_post() { { log "Starting ovirt-post" + #tmp workaround for adding libvirt tls port + python -c 'from ovirtnode.ovirtfunctions import *; manage_firewall_port("16514","open","tcp")' + # Re-load keyboard settings load_keyboard_config 2> /dev/null -- 1.7.7.6
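Review bot: the `python -c '... manage_firewall_port("16514","open","tcp")'` line added to start_ovirt_post() runs with no status check and no log entry, so if the call fails at boot the port stays closed silently and nothing in the ovirt-post log points at it; suggest mirroring the surrounding style, e.g. `log "Opening libvirt tls port 16514"` before the call and logging a warning when its exit status is non-zero. The Subject line also marks this as "do not submit--tmp workaround", so it should be understood as an interim node-side fix until the default firewall configuration itself carries the libvirt tls rule, as the gerrit change referenced in the mail is meant to do.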
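The thread is resolved by eyeballing two iptables configs and spotting that the "libvirt tls" rule is absent from one of them. The following is an added example (not code from the thread or from ovirt-node) that does that comparison mechanically: it parses the node's /etc/sysconfig/iptables as quoted above (embedded here as a constructed sample), collects the ports that reachable INPUT ACCEPT rules admit, and reports which of the ports required by the engine's IPTablesConfig are missing. The REQUIRED set is an assumption drawn from the ports quoted in the thread, one per service.

```python
import re

# Constructed sample: the INPUT rules of the node's /etc/sysconfig/iptables as
# quoted in the thread, i.e. the variant that lacks the "libvirt tls" rule.
NODE_CONFIG = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 54321 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# (proto, port) pairs an oVirt 3.1 host must accept, taken from the engine's
# IPTablesConfig quoted in the thread (assumption: one port per service).
REQUIRED = {("tcp", 54321), ("tcp", 16514), ("tcp", 22), ("tcp", 5634),
            ("tcp", 49152), ("udp", 161)}

PORT_RE = re.compile(r"--dports?\s+(\d+)(?::(\d+))?")
PROTO_RE = re.compile(r"-p\s+(tcp|udp)\b")

def accepted_ports(config):
    """(proto, port) pairs admitted by reachable 'INPUT ... -j ACCEPT' rules."""
    accepted = set()
    for line in config.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        # An unconditional REJECT on INPUT shadows every rule below it.
        if re.match(r"-A INPUT -j REJECT(\s|$)", line):
            break
        proto, ports = PROTO_RE.search(line), PORT_RE.search(line)
        if line.endswith("-j ACCEPT") and proto and ports:
            lo = int(ports.group(1))
            hi = int(ports.group(2) or lo)  # expand multiport ranges a:b
            accepted.update((proto.group(1), p) for p in range(lo, hi + 1))
    return accepted

def missing_ports(config, required=REQUIRED):
    """Sorted list of required (proto, port) pairs the config never accepts."""
    return sorted(required - accepted_ports(config))
```

Running `missing_ports(NODE_CONFIG)` on the sample reports only tcp/16514, the libvirt TLS port the thread is about; a rule appended below the catch-all REJECT is still reported as missing, which is the same mistake the shadowing check is there to catch.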