----- Original Message -----
> From: "Dmitriy A Pyryakov" <[email protected]>
> To: "Michal Skrivanek" <[email protected]>
> Cc: [email protected]
> Sent: Thursday, September 20, 2012 1:34:46 PM
> Subject: Re: [Users] Fatal error during migration
>
> Michal Skrivanek <[email protected]> wrote on 20.09.2012 16:23:31:
>
> > From: Michal Skrivanek <[email protected]>
> > To: Dmitriy A Pyryakov <[email protected]>
> > Cc: [email protected]
> > Date: 20.09.2012 16:24
> > Subject: Re: [Users] Fatal error during migration
> >
> >
> > On Sep 20, 2012, at 12:19 , Dmitriy A Pyryakov wrote:
> >
> > > Michal Skrivanek <[email protected]> wrote on 20.09.2012 16:13:16:
> > >
> > > > From: Michal Skrivanek <[email protected]>
> > > > To: Dmitriy A Pyryakov <[email protected]>
> > > > Cc: [email protected]
> > > > Date: 20.09.2012 16:13
> > > > Subject: Re: [Users] Fatal error during migration
> > > >
> > > >
> > > > On Sep 20, 2012, at 12:07 , Dmitriy A Pyryakov wrote:
> > > >
> > > > > Michal Skrivanek <[email protected]> wrote on 20.09.2012 16:02:11:
> > > > >
> > > > > > From: Michal Skrivanek <[email protected]>
> > > > > > To: Dmitriy A Pyryakov <[email protected]>
> > > > > > Cc: [email protected]
> > > > > > Date: 20.09.2012 16:02
> > > > > > Subject: Re: [Users] Fatal error during migration
> > > > > >
> > > > > > Hi,
> > > > > > well, so what is the other side saying? Maybe some connectivity
> > > > > > problems between those 2 hosts? firewall?
> > > > > >
> > > > > > Thanks,
> > > > > > michal
> > > > >
> > > > > Yes, firewall is not configured properly by default. If I stop it,
> > > > > migration done.
> > > > > Thanks.
> > > > The default is supposed to be:
> > > >
> > > > # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
> > > > *filter
> > > > :INPUT ACCEPT [0:0]
> > > > :FORWARD ACCEPT [0:0]
> > > > :OUTPUT ACCEPT [0:0]
> > > > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > > -A INPUT -p icmp -j ACCEPT
> > > > -A INPUT -i lo -j ACCEPT
> > > > # vdsm
> > > > -A INPUT -p tcp --dport 54321 -j ACCEPT
> > > > # libvirt tls
> > > > -A INPUT -p tcp --dport 16514 -j ACCEPT
> > > > # SSH
> > > > -A INPUT -p tcp --dport 22 -j ACCEPT
> > > > # guest consoles
> > > > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> > > > # migration
> > > > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> > > > # snmp
> > > > -A INPUT -p udp --dport 161 -j ACCEPT
> > > > # Reject any other input traffic
> > > > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > > > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> > > > COMMIT
> > >
> > > my default is:
> > >
> > > # cat /etc/sysconfig/iptables
> > > # oVirt automatically generated firewall configuration
> > > *filter
> > > :INPUT ACCEPT [0:0]
> > > :FORWARD ACCEPT [0:0]
> > > :OUTPUT ACCEPT [0:0]
> > > -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > -A INPUT -p icmp -j ACCEPT
> > > -A INPUT -i lo -j ACCEPT
> > > #vdsm
> > > -A INPUT -p tcp --dport 54321 -j ACCEPT
> > > # SSH
> > > -A INPUT -p tcp --dport 22 -j ACCEPT
> > > # guest consoles
> > > -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> > > # migration
> > > -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> > > # snmp
> > > -A INPUT -p udp --dport 161 -j ACCEPT
> > > #
> > > -A INPUT -j REJECT --reject-with icmp-host-prohibited
> > > -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> > > COMMIT
> > >
> > > >
> > > > did you change it manually or is the default missing anything?
> > >
> > > default missing "libvirt tls" field.
> > was it an upgrade of some sort?
> No.
> > These are installed at node setup
> > from ovirt-engine. Check the engine version and/or the
> > IPTablesConfig in vdc_options table on engine
> oVirt engine version: 3.1.0-2.fc17
> engine=# select * from vdc_options where option_id=100;
> option_id | option_name | option_value | version
> -----------+----------------+-------------------------------------------------------------------------------------------+---------
> 100 | IPTablesConfig | # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.+| general
> | | *filter +|
> | | :INPUT ACCEPT [0:0] +|
> | | :FORWARD ACCEPT [0:0] +|
> | | :OUTPUT ACCEPT [0:0] +|
> | | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +|
> | | -A INPUT -p icmp -j ACCEPT +|
> | | -A INPUT -i lo -j ACCEPT +|
> | | # vdsm +|
> | | -A INPUT -p tcp --dport 54321 -j ACCEPT +|
> | | # libvirt tls +|
> | | -A INPUT -p tcp --dport 16514 -j ACCEPT +|
> | | # SSH +|
> | | -A INPUT -p tcp --dport 22 -j ACCEPT +|
> | | # guest consoles +|
> | | -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT +|
> | | # migration +|
> | | -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT +|
> | | # snmp +|
> | | -A INPUT -p udp --dport 161 -j ACCEPT +|
> | | # Reject any other input traffic +|
> | | -A INPUT -j REJECT --reject-with icmp-host-prohibited +|
> | | -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited+|
> | | COMMIT +|
> | | |
> IPTablesConfig is right.
> When I add my nodes to engine, I just approve it. I don't have an
> "Automatically configure host firewall" option.

(Added Mike Burns)
Right. This is the diff between ovirt node and Fedora based node.
In oVirt node we expect the FW to have all relevant settings.
Mike, do we have these ports opened in the node? Was it changed?
_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users

