Project

General

Profile

action #43148

o3: Firewall on worker blocks livehandler daemon to connect to os-autoinst

Added by mkittler almost 3 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Target version:
-
Start date:
2018-10-30
Due date:
% Done:

0%

Estimated time:

Description

The developer mode isn't working on o3. After investigating the issue it seems that the firewall on the worker (tested with openqaworker1) isn't allowing HTTP/WebSocket connections from ariel to the worker. For the developer mode to work this must be allowed.

Note that the HTTP/WebSocket connection is using a port deduced from the test variable QEMUPORT: $bmwqemu::vars{QEMUPORT} + 1.

In practice this is eg. 20033 for the worker instance openqaworker1:3.

History

#1 Updated by mkittler almost 3 years ago

  • Description updated (diff)

#2 Updated by nicksinger almost 3 years ago

  • Status changed from New to In Progress
  • Assignee set to nicksinger

According to coolo the following is missing in the newly created firewalld config:
https://gitlab.suse.de/openqa/salt-states-openqa/blob/master/openqa/SuSEfirewall2.conf#L253

I'd just go with a "disabled" firewall by changing the DefaultZone of firewalld to trusted.

#3 Updated by nicksinger almost 3 years ago

  • Status changed from In Progress to Feedback

I did change the mentioned default to trusted only on openqaworker1 to experiment.
The interactive mode is now working. Still waiting for a cross-check if this didn't break MM tests. If it doesn't, I'll change this on all workers.

#4 Updated by nicksinger almost 3 years ago

  • Status changed from Feedback to Resolved

Since I didn't receive any complains, I've now added the firewalld.conf changes to all other (relevant) workers of o3 (x86_64 transcriptional servers). On openqaworker4 there is no firewalld running. Excerpt from IRC:

12:09 <nsinger> sysrich, okurz any clue why firewalld is only running on some workers? Isn't it all the same setup?
12:10 <okurz> nsinger: I think one of the workers was changed to support multi-machines, isn't firewalld maybe even needed in this case?
12:10 <nsinger> okurz: not exactly needed but helpful, yes :)

I've added the changes there anyway in case we want to enable the worker as multi-machine-worker in the future.

#5 Updated by okurz almost 3 years ago

seems to work fine so far, checked with https://openqa.opensuse.org/tests/816745#live

#6 Updated by mkittler almost 3 years ago

  • Status changed from Resolved to In Progress

okurz Yes, it seems to work on most workers. However, openqaworker1 still (or again) seems to block the connection.

#7 Updated by nicksinger over 2 years ago

  • Status changed from In Progress to Resolved

mkittler wrote:

okurz Yes, it seems to work on most workers. However, openqaworker1 still (or again) seems to block the connection.

Just checked https://openqa.opensuse.org/tests/878609#live, works for me.

Also available in: Atom PDF