Well, looks like 16514 is not open on node. I guess it should, tls migration is new in 3.1, isn't it?
On 20 Sep 2012, at 15:25, Mike Burns <[email protected]> wrote:

> On Thu, 2012-09-20 at 06:46 -0400, Doron Fediuck wrote:
>>
>> ______________________________________________________________________
>> From: "Dmitriy A Pyryakov" <[email protected]>
>> To: "Michal Skrivanek" <[email protected]>
>> Cc: [email protected]
>> Sent: Thursday, September 20, 2012 1:34:46 PM
>> Subject: Re: [Users] Fatal error during migration
>>
>> Michal Skrivanek <[email protected]> wrote 20.09.2012 16:23:31:
>>
>>> From: Michal Skrivanek <[email protected]>
>>> To: Dmitriy A Pyryakov <[email protected]>
>>> Cc: [email protected]
>>> Date: 20.09.2012 16:24
>>> Subject: Re: [Users] Fatal error during migration
>>>
>>> On Sep 20, 2012, at 12:19 , Dmitriy A Pyryakov wrote:
>>>
>>>> Michal Skrivanek <[email protected]> wrote 20.09.2012 16:13:16:
>>>>
>>>>> From: Michal Skrivanek <[email protected]>
>>>>> To: Dmitriy A Pyryakov <[email protected]>
>>>>> Cc: [email protected]
>>>>> Date: 20.09.2012 16:13
>>>>> Subject: Re: [Users] Fatal error during migration
>>>>>
>>>>> On Sep 20, 2012, at 12:07 , Dmitriy A Pyryakov wrote:
>>>>>
>>>>>> Michal Skrivanek <[email protected]> wrote 20.09.2012 16:02:11:
>>>>>>
>>>>>>> From: Michal Skrivanek <[email protected]>
>>>>>>> To: Dmitriy A Pyryakov <[email protected]>
>>>>>>> Cc: [email protected]
>>>>>>> Date: 20.09.2012 16:02
>>>>>>> Subject: Re: [Users] Fatal error during migration
>>>>>>>
>>>>>>> Hi,
>>>>>>> well, so what is the other side saying? Maybe some connectivity
>>>>>>> problems between those 2 hosts? firewall?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> michal
>>>>>>
>>>>>> Yes, firewall is not configured properly by default. If I stop it, migration done.
>>>>>> Thanks.
>>>>> The default is supposed to be:
>>>>>
>>>>> # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
>>>>> *filter
>>>>> :INPUT ACCEPT [0:0]
>>>>> :FORWARD ACCEPT [0:0]
>>>>> :OUTPUT ACCEPT [0:0]
>>>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>>> -A INPUT -p icmp -j ACCEPT
>>>>> -A INPUT -i lo -j ACCEPT
>>>>> # vdsm
>>>>> -A INPUT -p tcp --dport 54321 -j ACCEPT
>>>>> # libvirt tls
>>>>> -A INPUT -p tcp --dport 16514 -j ACCEPT
>>>>> # SSH
>>>>> -A INPUT -p tcp --dport 22 -j ACCEPT
>>>>> # guest consoles
>>>>> -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
>>>>> # migration
>>>>> -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
>>>>> # snmp
>>>>> -A INPUT -p udp --dport 161 -j ACCEPT
>>>>> # Reject any other input traffic
>>>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>>>> -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
>>>>> COMMIT
>>>>
>>>> my default is:
>>>>
>>>> # cat /etc/sysconfig/iptables
>>>> # oVirt automatically generated firewall configuration
>>>> *filter
>>>> :INPUT ACCEPT [0:0]
>>>> :FORWARD ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [0:0]
>>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>>> -A INPUT -p icmp -j ACCEPT
>>>> -A INPUT -i lo -j ACCEPT
>>>> #vdsm
>>>> -A INPUT -p tcp --dport 54321 -j ACCEPT
>>>> # SSH
>>>> -A INPUT -p tcp --dport 22 -j ACCEPT
>>>> # guest consoles
>>>> -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
>>>> # migration
>>>> -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
>>>> # snmp
>>>> -A INPUT -p udp --dport 161 -j ACCEPT
>>>> #
>>>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>>> -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
>>>> COMMIT
>>>>
>>>>>
>>>>> did you change it manually or is the default missing anything?
>>>>
>>>> default missing "libvirt tls" field.
>>> was it an upgrade of some sort?
>> No.
>>
>>> These are installed at node setup from ovirt-engine. Check the engine
>>> version and/or the IPTablesConfig in vdc_options table on engine
>>
>> oVirt engine version: 3.1.0-2.fc17
>>
>> engine=# select * from vdc_options where option_id=100;
>>  option_id |  option_name   | option_value | version
>> -----------+----------------+-------------------------------------------------------------------------------------------+---------
>>        100 | IPTablesConfig | # oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.+| general
>>            |                | *filter +|
>>            |                | :INPUT ACCEPT [0:0] +|
>>            |                | :FORWARD ACCEPT [0:0] +|
>>            |                | :OUTPUT ACCEPT [0:0] +|
>>            |                | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +|
>>            |                | -A INPUT -p icmp -j ACCEPT +|
>>            |                | -A INPUT -i lo -j ACCEPT +|
>>            |                | # vdsm +|
>>            |                | -A INPUT -p tcp --dport 54321 -j ACCEPT +|
>>            |                | # libvirt tls +|
>>            |                | -A INPUT -p tcp --dport 16514 -j ACCEPT +|
>>            |                | # SSH +|
>>            |                | -A INPUT -p tcp --dport 22 -j ACCEPT +|
>>            |                | # guest consoles +|
>>            |                | -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT +|
>>            |                | # migration +|
>>            |                | -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT +|
>>            |                | # snmp +|
>>            |                | -A INPUT -p udp --dport 161 -j ACCEPT +|
>>            |                | # Reject any other input traffic +|
>>            |                | -A INPUT -j REJECT --reject-with icmp-host-prohibited +|
>>            |                | -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited+|
>>            |                | COMMIT +|
>>            |                | |
>>
>> IPTablesConfig is right.
>>
>> When I add my nodes to engine, I just approve it. I don't have
>> an "Automatically configure host firewall" option.
>>
>>
>>
>> (Added Mike Burns)
>> Right.
>> This is the diff between ovirt node and Fedora based node.
>> In oVirt node we expect the FW to have all relevant settings.
>>
>> Mike, do we have these ports opened in the node?
>> Was it changed?
>
> Yes, the ports are open and no, it hasn't changed in a long time:
>
> cat > /etc/sysconfig/iptables << \EOF
> # oVirt automatically generated firewall configuration
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> #vdsm
> -A INPUT -p tcp --dport 54321 -j ACCEPT
> # SSH
> -A INPUT -p tcp --dport 22 -j ACCEPT
> # guest consoles
> -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
> # migration
> -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
> # snmp
> -A INPUT -p udp --dport 161 -j ACCEPT
> #
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> EOF
>
>>
>
>
_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users
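
An added example, not part of the original thread: the by-eye comparison made above, between the engine's IPTablesConfig and the node's /etc/sysconfig/iptables, done in Python. The INPUT rules are copied from the messages above; the function names are this example's own.

```python
import re

# INPUT rules copied from the thread: the engine's IPTablesConfig value ...
ENGINE_RULES = """\
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 54321 -j ACCEPT
-A INPUT -p tcp --dport 16514 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# ... and the node's file, which has the same rules minus the libvirt tls one.
NODE_RULES = ENGINE_RULES.replace("-A INPUT -p tcp --dport 16514 -j ACCEPT\n", "")

# An INPUT rule that names a protocol, a destination port (or list) and ACCEPTs.
RULE = re.compile(r"^-A INPUT\b.*?-p (\w+)\b.*?--dports? (\S+).*-j ACCEPT\b")

def accepted_ports(rules):
    """Return {(proto, lo, hi)} for every INPUT rule that ACCEPTs a port or range."""
    out = set()
    for line in rules.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # comments, chain policies, REJECT and port-less rules
        proto, spec = m.groups()
        for part in spec.split(","):  # multiport lists such as 80,443,8000:8080
            lo, _, hi = part.partition(":")
            out.add((proto, int(lo), int(hi or lo)))
    return out

def missing_ports(expected, actual):
    """Ports the expected rule set opens that no range in the actual set covers."""
    have = accepted_ports(actual)
    return sorted(
        (proto, lo, hi) for proto, lo, hi in accepted_ports(expected)
        if not any(p == proto and a <= lo and hi <= b for p, a, b in have)
    )

if __name__ == "__main__":
    for proto, lo, hi in missing_ports(ENGINE_RULES, NODE_RULES):
        print(f"not open on node: {proto}/{lo}" + (f"-{hi}" if hi != lo else ""))
```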

