How to switch Cluster Firewall Type from iptables to firewalld in RHV

Solution Verified - Updated

Environment

  • Red Hat Virtualization 4.2, 4.3

Issue

  • How to switch the cluster Firewall Type from iptables to firewalld.
  • RHV-M shows the following warning:
WARNING: iptables firewall on hosts is deprecated in 4.2 and will be completely removed in 4.3
  • The following error is seen:
Unit iptables.service could not be found.

Resolution

1. Switch the Firewall Type of every affected cluster to firewalld:
Compute -> Clusters -> Edit -> Firewall Type -> firewalld
2. Each Host in the Cluster now needs to be re-installed for the change to take effect. Work through the Hosts one by one, migrating VMs where necessary, and re-install each Host:
2.1. Switch the Host to Maintenance Mode.
2.2. From Compute -> Hosts -> Installation, select "Reinstall" from the dropdown menu, making sure the box "Automatically configure host firewall" is checked.
2.3. Reboot the Host.
2.4. Activate the Host, migrate VMs back if necessary, and proceed to the next Host.

Note: custom rules previously configured using IPTablesConfigSiteCustom will no longer take effect after changing the Firewall Type, as that option only applies to the iptables firewall type. If custom rules are still needed, see RHV: How to customize the Host's firewall rules? for how to set them up using firewalld. Do this before step 2.2 above so that a second re-installation is not needed.

Root Cause

Starting from RHV 4.2, firewalld should be used on each Host to configure the firewall instead of the iptables service. RHV 4.3 still supports iptables, but users should switch, as the iptables service is deprecated both in RHEL 7 and in RHV 4.2.

Also see:
RHV 4.2 Release Notes
RHV 4.3 Release Notes

Diagnostic Steps

After the cluster Firewall Type change and the Host re-install, the Host should have firewalld running:

# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-06-05 16:26:04 AEST; 4 days ago
     Docs: man:firewalld(1)
 Main PID: 16935 (firewalld)
    Tasks: 2
   CGroup: /system.slice/firewalld.service
           └─16935 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
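The following script is an added example, not part of the Red Hat solution: it classifies a Host's firewall type from the unit states printed by systemctl is-active for firewalld and iptables, and when run on a Host with --check it prints the firewalld zone configuration. The function names and the "mixed" classification are assumptions made for this example.

```shell
#!/bin/sh
# Post-reinstall firewall check for an RHV host (added example, not Red Hat's code).
# classify_firewall maps the unit states printed by `systemctl is-active`
# for firewalld and iptables to the firewall type the host is effectively using.
# A missing iptables unit ("Unit iptables.service could not be found.") is
# reported by systemctl as a non-active state, so it falls into "firewalld".
classify_firewall() {
    fwd_state="$1"
    ipt_state="$2"
    case "${fwd_state}:${ipt_state}" in
        active:active) echo "mixed" ;;     # both daemons up: rule sets can conflict
        active:*)      echo "firewalld" ;; # expected state after the switch
        *:active)      echo "iptables" ;;  # host still on the deprecated type
        *)             echo "none" ;;      # no firewall service running at all
    esac
}

# host_firewall_report gathers the live unit states on the host and, when the
# host is on firewalld, shows the zone configuration that host deploy applied.
# Returns 0 for "firewalld", 1 for any other type, 2 when systemctl is missing.
host_firewall_report() {
    if ! command -v systemctl >/dev/null 2>&1; then
        echo "systemctl not found; run this on the RHV host" >&2
        return 2
    fi
    fwd=$(systemctl is-active firewalld 2>/dev/null || true)
    ipt=$(systemctl is-active iptables 2>/dev/null || true)
    fw_type=$(classify_firewall "$fwd" "$ipt")
    echo "firewalld=$fwd iptables=$ipt => firewall type: $fw_type"
    if [ "$fw_type" = "firewalld" ]; then
        firewall-cmd --state
        firewall-cmd --list-all   # services and ports opened in the default zone
        return 0
    fi
    echo "host is not on firewalld; reinstall it from RHV-M with 'Automatically configure host firewall' checked" >&2
    return 1
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    host_firewall_report
    exit $?
fi
```

Run it on the Host as `sh check-firewall.sh --check` after step 2.4; a non-zero exit means the Host is not yet on firewalld.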

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.