docs/dev/libvirt: make firewall instructions consistent

Since we're instructing to use 192.168.122.1 for the libvirt URI, which is apparently what's used by the clusterapi-controller to talk to libvirt, the firewall has to match, otherwise it looks likt this in the logs: ``` E0924 21:26:08.925983 1 controller.go:115] Error checking existance of machine instance for machine object worker-fdtdg; Failed to build libvirt client: virError(Code=38, Domain=7, Message='unable to connect to server at '192.168.122.1:16509': Connection timed out') ```
openshift · Sep 26, 2018 · dfa04e7 · dfa04e7
1 parent 7550824
commit dfa04e7
Showing 1 changed file with 13 additions and 6 deletions.
diff --git a/docs/dev/libvirt-howto.md b/docs/dev/libvirt-howto.md
@@ -28,7 +28,7 @@ curl http://aos-ostree.rhev-ci-vms.eng.rdu2.redhat.com/rhcos/images/cloud/latest
 ### 1.4 Get a pull secret
 Go to https://account.coreos.com/ and obtain a Tectonic *pull secret*.
 
-#### 1.5 Make sure you have permisions for `qemu:///system`
+### 1.5 Make sure you have permissions for `qemu:///system`
 You may want to grant yourself permissions to use libvirt as a non-root user. You could allow all users in the wheel group by doing the following:
 ```sh
 cat <<EOF >> /etc/polkit-1/rules.d/80-libvirt.rules
@@ -78,15 +78,19 @@ libvirtd_opts="--listen"
 Next, restart libvirt: `systemctl restart libvirtd`
 
 #### Firewall
-Finally, if you have a firewall, you may have to allow connections from the IP
-range used by your cluster nodes.  If you're using the default subnet of
-`192.168.124.0/24`, something along these lines should work:
+Finally, if you have a firewall, you may have to allow connections to the
+libvirt daemon from the IP range used by your cluster nodes.
+
+#### Manual management
+The following example rule works for the suggested cluster ipRange of `192.168.124.0/24` and a libvirt *default* subnet of `192.168.122.0/24`, which might be different in your configuration:
 
 ```
-iptables -I INPUT -p tcp -s 192.168.124.0/24 -d 192.168.124.1 --dport 16509 \
+iptables -I INPUT -p tcp -s 192.168.124.0/24 -d 192.168.122.1 --dport 16509 \
   -j ACCEPT -m comment --comment "Allow insecure libvirt clients"
 ```
 
+#### Firewalld
+
 If using `firewalld`, simply obtain the name of the existing active zone which
 can be used to integrate the appropriate source and ports to allow connections from
 the IP range used by your cluster nodes. An example is shown below.
@@ -125,7 +129,10 @@ include the `--permanent` to the commands that add-source and add-port.
     4. Set the `name` (e.g. test1)
     5. Look at the `podCIDR` and `serviceCIDR` fields in the `networking` section. Make sure they don't conflict with anything important.
     6. Set the `pullSecret` to your JSON pull secret.
-    7. (Optional) Change the `image` to the file URL of the operating system image you downloaded (e.g. `file:///home/user/Downloads/rhcos.qcow`). This will allow the installer to re-use that image instead of having to download it every time.
+    7. Ensure the `libvirt.uri` IP address matches your virbr0 interface IP address which belongs to the libvirt *default* network.
+       If you're uncertain about the libvirt *default* subnet you should be able to see its address using the command `ip -4 a show dev virbr0` or by inspecting `virsh --connect qemu:///system net-dumpxml default`.
+    8. Ensure the `libvirt.network.ipRange` does not overlap your virbr0 IP address
+    9. (Optional) Change the `image` to the file URL of the operating system image you downloaded (e.g. `file:///home/user/Downloads/rhcos.qcow`). This will allow the installer to re-use that image instead of having to download it every time.
 
 ### 1.8 Set up NetworkManager DNS overlay
 This step is optional, but useful for being able to resolve cluster-internal hostnames from your host.