action #43148
closedo3: Firewall on worker blocks livehandler daemon to connect to os-autoinst
0%
Description
The developer mode isn't working on o3. After investigating the issue it seems that the firewall on the worker (tested with openqaworker1) isn't allowing HTTP/WebSocket connections from ariel to the worker. For the developer mode to work this must be allowed.
Note that the HTTP/WebSocket connection is using a port deduced from the test variable QEMUPORT: $bmwqemu::vars{QEMUPORT} + 1.
In practice this is eg. 20033 for the worker instance openqaworker1:3.
Updated by nicksinger over 5 years ago
- Status changed from New to In Progress
- Assignee set to nicksinger
According to coolo the following is missing in the newly created firewalld config:
https://gitlab.suse.de/openqa/salt-states-openqa/blob/master/openqa/SuSEfirewall2.conf#L253
I'd just go with a "disabled" firewall by changing the DefaultZone of firewalld to trusted.
Updated by nicksinger over 5 years ago
- Status changed from In Progress to Feedback
I did change the mentioned default to trusted only on openqaworker1 to experiment.
The interactive mode is now working. Still waiting for a cross-check if this didn't break MM tests. If it doesn't, I'll change this on all workers.
Updated by nicksinger over 5 years ago
- Status changed from Feedback to Resolved
Since I didn't receive any complains, I've now added the firewalld.conf changes to all other (relevant) workers of o3 (x86_64 transcriptional servers). On openqaworker4 there is no firewalld running. Excerpt from IRC:
12:09 <nsinger> sysrich, okurz any clue why firewalld is only running on some workers? Isn't it all the same setup?
12:10 <okurz> nsinger: I think one of the workers was changed to support multi-machines, isn't firewalld maybe even needed in this case?
12:10 <nsinger> okurz: not exactly needed but helpful, yes :)
I've added the changes there anyway in case we want to enable the worker as multi-machine-worker in the future.
Updated by okurz over 5 years ago
seems to work fine so far, checked with https://openqa.opensuse.org/tests/816745#live
Updated by mkittler over 5 years ago
- Status changed from Resolved to In Progress
@okurz Yes, it seems to work on most workers. However, openqaworker1 still (or again) seems to block the connection.
Updated by nicksinger about 5 years ago
- Status changed from In Progress to Resolved
mkittler wrote:
@okurz Yes, it seems to work on most workers. However, openqaworker1 still (or again) seems to block the connection.
Just checked https://openqa.opensuse.org/tests/878609#live, works for me.