[ovirt-users] Doubt about iptables host config

Yedidyah Bar David didi at redhat.com
Tue Oct 3 12:00:12 UTC 2017


On Tue, Oct 3, 2017 at 1:49 PM, Gianluca Cecchi
<gianluca.cecchi at gmail.com> wrote:
> On Tue, Oct 3, 2017 at 11:36 AM, Yedidyah Bar David <didi at redhat.com> wrote:
>>
>>
>>
>> I think it should be safe to manually edit /etc/sysconfig/iptables
>> in that case.
>>
>> Of course, verify on a test system.
>>
>> Also, you might be happy to know that in 4.2 we'll support firewalld,
>> which is much nicer to work with than patching/generating
>> /etc/sysconfig/iptables.
>> See also:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=995362
>>
>>
>
> OK, thanks. It worked.
>
> Nice to see the news about firewalld.
>
> And if I want to do the same for the engine, that indeed is configured with
> firewalld?
>
> Currently on it I see this kind of configuration:
>
> [root at ovmgr1 ~]# firewall-cmd --get-default-zone
> public
> [root at ovmgr1 ~]#
>
> [root at ovmgr1 ~]# firewall-cmd --get-active-zones
> public
>   interfaces: ens192
> [root at ovmgr1 ~]#
>
> It seems nrpe is already a usable predefined service:
> [root at ovmgr1 ~]# firewall-cmd --get-services | tr -s ' ' '\n' | grep nrpe
> nrpe
> [root at ovmgr1 ~]#
>
>
> So, based on current config, I can add it this way:
>
> firewall-cmd --permanent --add-service=nrpe
> firewall-cmd --reload
>
> This way it should survive an engine reboot, but will it survive an
> engine-setup command run when updating configuration or when upgrading
> between minor/major updates?

It should, yes.

> Or should I manage also some oVirt managed files on engine?

engine-setup should in principle never touch existing services, only
add new ones.

This is different with iptables. engine-setup generates a new conf file,
and saves it (also) in /etc/ovirt-engine/iptables.example . On upgrade,
it compares it to the system-wide file /etc/sysconfig/iptables, and if
they differ, it prompts to confirm, optionally showing you the diff.

Regards,
-- 
Didi
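The two checks this thread turns on, written up as an added example (not code from the thread or from oVirt): whether a firewalld service such as nrpe is present in both the runtime and the permanent configuration, and whether /etc/sysconfig/iptables and the engine-setup generated /etc/ovirt-engine/iptables.example differ in actual rules rather than only in the timestamp comments iptables-save writes. All command output and rule files below are constructed so the script runs stand-alone.

```shell
#!/bin/bash
# Added example, not from the thread or from oVirt. Checks (1) a firewalld
# service is in both runtime and permanent config, (2) two iptables-save style
# files differ in rules, not just comments. All sample inputs are constructed.
# $1 = service name, $2 = one line of 'firewall-cmd --list-services' output.
service_listed() {
    printf '%s\n' "$2" | tr -s ' ' '\n' | grep -qx -- "$1"
}
# Keep only chains and rules: drop comments ("# Generated by ... on <date>",
# "# Completed on ...") and blank lines.
normalize_rules() {
    grep -v -e '^#' -e '^[[:space:]]*$' "$1"
}
# Returns 0 if both files carry the same rules, 1 if they differ (diff printed).
rules_match() {
    local a b rc
    a=$(mktemp) && b=$(mktemp) || return 2
    normalize_rules "$1" > "$a"
    normalize_rules "$2" > "$b"
    if diff -u "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return "$rc"
}
# --- constructed sample data (what the real commands would print) -----------
RUNTIME_SERVICES="ssh dhcpv6-client nrpe"   # firewall-cmd --list-services
PERMANENT_SERVICES="ssh dhcpv6-client"      # firewall-cmd --permanent --list-services
SYS_RULES=$(mktemp); EXAMPLE_RULES=$(mktemp)
trap 'rm -f "$SYS_RULES" "$EXAMPLE_RULES"' EXIT
cat > "$SYS_RULES" <<'EOF'
# Generated by iptables-save v1.4.21 on Tue Oct  3 12:00:12 2017
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 5666 -j ACCEPT
COMMIT
# Completed on Tue Oct  3 12:00:12 2017
EOF
cat > "$EXAMPLE_RULES" <<'EOF'
# Generated by engine-setup (constructed sample)
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
if service_listed nrpe "$RUNTIME_SERVICES" && ! service_listed nrpe "$PERMANENT_SERVICES"; then
    echo "nrpe is in the runtime config only: it will not survive firewall-cmd --reload"
fi
rules_match "$SYS_RULES" "$EXAMPLE_RULES" || echo "engine-setup would prompt: rule sets differ"
```

On a real engine, replace the two constructed strings with the output of the firewall-cmd commands named in the comments and point rules_match at the two real files.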

