Yesterday while trying to get SecurityOnion set up on my oVirt node I ran into a little trouble with loading the ISO into its storage domain. For those of you with limited time here’s the basic solution:

  1. Log in to the oVirt administrative console and create a new ISO domain.
  2. SSH into the oVirt Engine VM and download the ISO you want to load into your cluster.
  3. List available ISO domains with engine-iso-uploader list.
  4. Upload the ISO to the domain with engine-iso-uploader --iso-domain=<Domain Name> upload <ISO path>

Now while I was trying to accomplish those four simple tasks I did run into a minor additional issue. My ISO domain is hosted as an NFS share off of my oVirt host server with the following configuration in /etc/exports.

/var/nfs/iso    192.168.0.0/24(rw,root_squash)

The directory has the correct permissions from chown -R vdsm:kvm /var/nfs/iso and was created successfully in the oVirt UI. However, when I tried to run the upload I got an error from mount.nfs that there was no route to host and thus the upload failed.

That was definitely surprising because if there were no route to the host, the Engine couldn’t perform its primary task! That means permission or firewall problems. I double checked the permissions and the NFS configuration before looking at the host firewall where I found the issue! Usually host firewalls are configured to allow any local connection back to the server and block connections coming from outside. The oVirt host which served the NFS shares and also mounted them for oVirt didn’t have any trouble because it was using effectively a loopback connection. However, since the engine VM looked like an external IP it was bouncing off of the firewall.

The solution is to permit four services through the NFS host firewall either by using the Cockpit UI that oVirt installs or firewalld directly. If using Cockpit you need to enable NFS3, NFS4, mountd, and rpc-bind on the Public zone. If modifying from the CLI you can skip a command and just use the following:

$ firewall-cmd --permanent --zone=public --add-service=nfs
$ firewall-cmd --permanent --zone=public --add-service=mountd
$ firewall-cmd --permanent --zone=public --add-service=rpc-bind
$ firewall-cmd --reload

Once I did that, the upload finished just fine and I was able to see my new ISO in the oVirt UI.
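The commands above open the three services to every source in the public zone, while the export itself is limited to 192.168.0.0/24. The following is an added example, not part of the original post: a dry-run script that reports which of those services are still closed and prints firewalld rich rules that open them only to the export's subnet. The function names and the sample service list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. ZONE and SUBNET mirror the post's
# values; the function names are hypothetical. Dry run: commands are printed only.
ZONE="${ZONE:-public}"
SUBNET="${SUBNET:-192.168.0.0/24}"   # same network as the /etc/exports entry
REQUIRED="nfs mountd rpc-bind"       # services the post opens

# is_open <service> <--list-services output> <--list-rich-rules output>
# True if the zone allows the service directly or via an accepting rich rule.
is_open() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    printf '%s\n' "$3" | grep -q "service name=\"$1\".* accept"
}

# missing_services <services> <rich rules> -> required services still closed
missing_services() {
    out=""
    for svc in $REQUIRED; do
        is_open "$svc" "$1" "$2" || out="${out:+$out }$svc"
    done
    printf '%s\n' "$out"
}

# plan <services> <rich rules> -> firewall-cmd lines that open each missing
# service to $SUBNET only, followed by the reload the post also runs.
plan() {
    missing=$(missing_services "$1" "$2")
    for svc in $missing; do
        printf "firewall-cmd --permanent --zone=%s --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" service name=\"%s\" accept'\n" \
            "$ZONE" "$SUBNET" "$svc"
    done
    [ -z "$missing" ] || echo "firewall-cmd --reload"
}

# Read the live zone when firewalld is installed; otherwise fall back to a
# constructed sample of what a fresh host might list.
if command -v firewall-cmd >/dev/null 2>&1; then
    services=$(firewall-cmd --zone="$ZONE" --list-services 2>/dev/null || true)
    rules=$(firewall-cmd --zone="$ZONE" --list-rich-rules 2>/dev/null || true)
else
    services="cockpit dhcpv6-client ssh"   # constructed sample
    rules=""
fi
plan "$services" "$rules"
```

Run it on the NFS host, review the printed commands, then run them as root; a second run should print nothing once all three services are reachable from the subnet.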
