<div dir="ltr"><div><div><div><div>Giuseppe, et. al<br><br>I gave up on my six-server hosted engine install, partly for this reason. In addition to this problem, I found that I couldn't use a bridge of my own naming. Then, trying to associate interfaces with bridges in the web interface, my hand-tuned bridges were fatally clobbered. Like, the files I wrote by hand in /etc/sysconfig/ifcfg-*, bridges, and interfaces (some with VLANs) alike. And other things... like the Westmere vs. Ivy Bridge thing.<br>
<br></div>Anyway, I think what's happening to your install is that iptables on the host is getting clobbered by the automatic "install" that happens when the hosted-engine setup script finally contacts the engine the for the first time. I'm not sure how to keep this from happening, but it's a place to start. And I think it's the reason your setting False didn't help. By the way, it took a two hour test for me to learn that even removing the /etc/sysconfig/iptables file AND stopping AND disabling iptables via systemctl on both host and engine did nothing to combat this behavior.<br>
<br></div>Back when I set up 3.0, I saw similar behavior. At that time though, the iptables thing wasn't fatal. I observed here that this overwriting and enabling/starting of iptables causes the very lest part of the hosted-engine setup script to fail miserably. As a result of the engine not being able to contact the host at the end of its "install" phase, the H/A configuration is never done. This is my theory, anyway.<br>
<br>I think oVirt should leave the firewall _completely_ alone and just document what ports should be open. I don't think we need that special line at the bottom of /etc/sysconfig/iptables oVirt puts in there. I'll stop rambling now. :-) I like oVirt, but getting so far into this that I have a have two hour turnaround every time I want to test a minor tweak is just too much. I think this will get better in time, I hope. At that time, maybe I'll try again.<br>
<br></div>Here's what libvirt has to say about iptables vs. bridges:<br><br>"""<br><p>The final step is to disable netfilter on the bridge:
</p>
<pre> # cat >> /etc/sysctl.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
EOF
# sysctl -p /etc/sysctl.conf
</pre>
<p>It is recommended to do this for performance and security reasons. See <a href="https://bugzilla.redhat.com/512206" title="https://bugzilla.redhat.com/512206" rel="nofollow" target="_blank">Fedora bug #512206</a>. Alternatively you can configure iptables to allow all traffic to be forwarded across the bridge:
</p>
<pre># echo "-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" > /etc/sysconfig/iptables-forward-bridged
# lokkit --custom-rules=ipv4:filter:/etc/sysconfig/iptables-forward-bridged
# service libvirtd reload
</pre>
""" source: <a href="http://wiki.libvirt.org/page/Networking#Creating_network_initscripts" target="_blank">http://wiki.libvirt.org/page/Networking#Creating_network_initscripts</a><br><br></div><div>You might be interested to know that you can pre-populate <a href="http://vm.conf.in">vm.conf.in</a> in /usr/share, before the install. Here was mine:<br>
<br><pre><code>vmId=@VM_UUID@
memSize=@MEM_SIZE@
display=@CONSOLE_TYPE@
devices={index:2,iface:ide,address:{ controller:0, target:0,unit:0, bus:1, type:drive},specParams:{},readonly:true,deviceId:@CDROM_UUID@,path:@CDROM@,device:cdrom,shared:false,type:disk@BOOT_CDROM@}
devices={index:0,iface:virtio,format:raw,poolID:@SP_UUID@,volumeID:@VOL_UUID@,imageID:@IMG_UUID@,specParams:{},readonly:false,domainID:@SD_UUID@,optional:false,deviceId:@IMG_UUID@,address:{bus:0x00, slot:0x06, domain:0x0000, type:pci, function:0x0},device:disk,shared:exclusive,propagateErrors:off,type:disk@BOOT_DISK@}
devices={device:scsi,model:virtio-scsi,type:controller}
devices={device:console,specParams:{},type:console,deviceId:@CONSOLE_UUID@,alias:console0}
vmName=@NAME@
spiceSecureChannels=smain,sdisplay,sinputs,scursor,splayback,srecord,ssmartcard,susbredir
smp=@VCPUS@
cpuType=@CPU_TYPE@
emulatedMachine=@EMULATED_MACHINE@
devices={nicModel:pv,macAddr:00:16:3e:3d:78:10,linkActive:true,network:brbaseboard,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:ab3f9ae9-1d1b-432e-997d-f3458f89cf10,address:{bus:0x01, slot:0x01, domain:0x0000, type:pci, function:0x0},device:bridge,type:interface}
devices={nicModel:pv,macAddr:@MAC_ADDR@,linkActive:true,network:@BRIDGE@,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:@NIC_UUID@,address:{bus:0x01, slot:0x02, domain:0x0000, type:pci, function:0x0},device:bridge,type:interface@BOOT_PXE@}
devices={nicModel:pv,macAddr:00:16:3e:3d:78:30,linkActive:true,network:brstorage,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:ab3f9ae9-1d1b-432e-997d-f3458f89cf30,address:{bus:0x01, slot:0x03, domain:0x0000, type:pci, function:0x0},device:bridge,type:interface}
devices={nicModel:pv,macAddr:00:16:3e:3d:78:40,linkActive:true,network:brcompute,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:ab3f9ae9-1d1b-432e-997d-f3458f89cf40,address:{bus:0x01, slot:0x04, domain:0x0000, type:pci, function:0x0},device:bridge,type:interface}
devices={nicModel:pv,macAddr:00:16:3e:3d:78:00,linkActive:true,network:brpublic,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:ab3f9ae9-1d1b-432e-997d-f3458f89cf00,address:{bus:0x01, slot:0x5, domain:0x0000, type:pci,function:0x0},device:bridge,type:interface}
</code></pre><br></div><div>Here's my answers file for the hosted-engine script (This was a version where I was testing manual selection of iptables=false):<br><br><pre><code>[environment:default]
OVEHOSTED_NETWORK/bridgeIf=str:p1p1
OVEHOSTED_NETWORK/bridgeName=str:brinternal
OVEHOSTED_NETWORK/fqdn=str:<a href="http://ovirt-engine-n1.redacted.com">ovirt-engine-n1.redacted.com</a>
OVEHOSTED_NETWORK/gateway=str:55.55.55.1
OVEHOSTED_NOTIF/destEmail=str:root@localhost
OVEHOSTED_NOTIF/smtpPort=str:25
OVEHOSTED_NOTIF/smtpServer=str:localhost
OVEHOSTED_NOTIF/sourceEmail=str:root@localhost
OVEHOSTED_STORAGE/connectionUUID=str:0f639e4f-8b4e-4c97-aa34-79e71ccc615a
OVEHOSTED_STORAGE/domainType=str:nfs3
OVEHOSTED_STORAGE/imgSizeGB=str:64
OVEHOSTED_STORAGE/imgUUID=str:63121632-e3b6-42c1-829d-8ebc37a6e6a6
OVEHOSTED_STORAGE/sdUUID=str:4de7efd5-39fa-46c1-9116-53fd34d13630
OVEHOSTED_STORAGE/spUUID=str:0afa6614-c6d2-4390-b2e8-8efdf19a7e2b
OVEHOSTED_STORAGE/storageDatacenterName=str:dc_ssd-vol-ovirt-engine-n001
OVEHOSTED_STORAGE/storageDomainConnection=str:10.30.3.9:/ssd-vol-ovirt-engine-n001
OVEHOSTED_STORAGE/storageDomainName=str:sd_ssd-vol-ovirt-engine-n001
OVEHOSTED_STORAGE/volUUID=str:7d512edc-d939-4abe-bfb3-c3828fad7b3c
OVEHOSTED_VDSM/caSubject=str:/C=EN/L=Test/O=Test/CN=TestCA
OVEHOSTED_VDSM/consoleType=str:vnc
OVEHOSTED_VDSM/cpu=str:model_Westmere
OVEHOSTED_VDSM/pkiSubject=str:/C=EN/L=Test/O=Test/CN=Test
OVEHOSTED_VDSM/spicePkiSubject=str:C=EN, L=Test, O=Test, CN=Test
OVEHOSTED_VM/cdromUUID=str:f68ce9dc-51a7-43d7-aff3-5c57f08c5ff1
OVEHOSTED_VM/consoleUUID=str:01667bb2-cc81-4e09-b751-af356ae44136
OVEHOSTED_VM/emulatedMachine=str:pc
OVEHOSTED_VM/nicUUID=str:ab3f9ae9-1d1b-432e-997d-f3458f89cf20
OVEHOSTED_VM/ovfArchive=none:None
OVEHOSTED_VM/vmBoot=str:cdrom
OVEHOSTED_VM/vmCDRom=str:/opt/iso/Fedora-19-x86_64-DVD.iso
OVEHOSTED_VM/vmMACAddr=str:00:16:3e:3d:78:20
OVEHOSTED_VM/vmMemSizeMB=str:8192
OVEHOSTED_VM/vmUUID=str:ad0a46d7-3974-4511-a341-7a6def000cbb
OVEHOSTED_VM/vmVCpus=str:2</code><br></pre></div><div><br></div>Thanks,<br>Joshua<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Mar 23, 2014 at 4:44 PM, Giuseppe Ragusa <span dir="ltr"><<a href="mailto:giuseppe.ragusa@hotmail.com" target="_blank">giuseppe.ragusa@hotmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div dir="ltr">Hi all,<br>I'm trying to automate as much as possible of ovirt-hosted-engine-setup and engine-setup by means of otopi answer files passed in using "--config-append=filename.conf".<br><br>
I succeded in forcing engine-setup to leave my iptables settings alone with:<br><br>OVESETUP_CONFIG/firewallManager=str:iptables<br>OVESETUP_CONFIG/updateFirewall=bool:False<br><br>but ovirt-hosted-engine-setup still modified my iptables settings even with the following options:<br>
<br>OVEHOSTED_NETWORK/firewallManager=str:iptables<br>OVEHOSTED_NETWORK/iptablesEnable=bool:False<br><br>Maybe I used the wrong option (deduced by looking inside source code).<br><br>Does anybody have any hint/suggestion?<br>
<br>Many thanks in advance,<br>Giuseppe<br> </div></div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
<br></blockquote></div><br></div>