[ovirt-devel] Firewalld migration.

Yedidyah Bar David didi at redhat.com
Tue Mar 28 14:45:17 UTC 2017


On Tue, Mar 28, 2017 at 5:10 PM, Leon Goldberg <lgoldber at redhat.com> wrote:
> On Tue, Mar 28, 2017 at 3:16 PM, Sven Kieske <s.kieske at mittwald.de> wrote:
>>
>> Hi,
>>
>> just a quick note from the end user /sys admin/dev ops perspective:
>>
>> wouldn't it suffice if you have rules for common config management
>> systems at hand / in the docs/ on github?
>>
>> I like packages the most, that don't try to own the whole system.
>>
>> just provide a saltstack formula and I'm fine ;)
>>
>> just my 2 cent
>>
>> Mit freundlichen Grüßen / Regards
>>
>> Sven Kieske
>>
>> Systemadministrator
>> Mittwald CM Service GmbH & Co. KG
>> Königsberger Straße 6
>> 32339 Espelkamp
>> T: +495772 293100
>> F: +495772 293333
>> https://www.mittwald.de
>> Geschäftsführer: Robert Meyer
>> St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
>> Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad
>> Oeynhausen
>>
>>
>
>
>
> After doing a little bit of research, it seems like the previously suggested
> ansible approach could be well suited. We already have an inventory
> script[1] that could be used in combination with firewalld ansible
> playbooks, i.e.:
>
> "ansible-playbook --limit=some-cluster
> --inventory=ovirt-engine-hosts-ansible-inventory.py
> some-cluster-firewalld.yaml"
>
>
> [1]
> https://github.com/oVirt/ovirt-engine-metrics/blob/64fef8c80ec607056b8477f76f2523a1810ba37d/packaging/setup/bin/ovirt-engine-hosts-ansible-inventory.py

Whoever wants to use this script, please use the shell wrapper
in the same directory. If you want to run the python script directly
you have to set PYTHONPATH as is done there.

Regarding the actual idea of using ansible - of course that's doable,
but might not integrate very nicely into the host-deploy process.
host-deploy runs on the host, not on the engine. So we'll have to
do one of these:
1. Copy the ansible stuff to the host, install ansible there, and
run it locally. Ugly imo.
2. Run it semi-independently of host-deploy. In practice this means
it somehow needs to run before it, or nothing will open the vdsm port
and so the engine will fail connecting to it.
3. Change the host-deploy process on the engine side to also run
ansible.
4. Rewrite host-deploy using ansible :-) This actually was discussed
in the past in the integration team, and rejected, but we now know
ansible somewhat better, so might rethink our objections...

Also please note that unless you choose (2.), the above-mentioned
inventory script is not really relevant, because you want to configure
a specific host, and you don't need an inventory script for that.

In ovirt-engine-metrics, we chose (2.) - you can run the ansible
script at any point in time, and it will configure all of the
relevant hosts for sending metrics (if configured on the engine machine).

Best,
-- 
Didi

