<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Hi Didi,<br><br><div><hr id="stopSpelling">Date: Mon, 24 Mar 2014 03:36:32 -0400<br>From: didi@redhat.com<br>To: giuseppe.ragusa@hotmail.com<br>CC: users@ovirt.org<br>Subject: Re: [Users] Otopi pre-seeded answers and firewall settings<br><br><div style="font-family:times new roman, new york, times, serif;font-size:12pt;color:#000000;"><div></div><blockquote style="border-left:2px solid #1010FF;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Giuseppe Ragusa" <giuseppe.ragusa@hotmail.com><br><b>To: </b>"Users@ovirt.org" <users@ovirt.org><br><b>Sent: </b>Sunday, March 23, 2014 10:44:02 PM<br><b>Subject: </b>[Users] Otopi pre-seeded answers and firewall settings<br><div><br></div><style><!--
.ExternalClass .ecxhmmessage P {
padding:0px;
}
.ExternalClass body.ecxhmmessage {
font-size:12pt;
font-family:Calibri;
}
--></style><div dir="ltr">Hi all,<br>I'm trying to automate as much as possible of ovirt-hosted-engine-setup and engine-setup by means of otopi answer files passed in using "--config-append=filename.conf".<br><div><br></div>I succeded in forcing engine-setup to leave my iptables settings alone with:<br><div><br></div>OVESETUP_CONFIG/firewallManager=str:iptables<br>OVESETUP_CONFIG/updateFirewall=bool:False</div></blockquote><div><br></div><div>> Right.</div><div><br></div><blockquote style="border-left:2px solid #1010FF;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><div dir="ltr"><br><div><br></div>but ovirt-hosted-engine-setup still modified my iptables settings even with the following options:<br><div><br></div>OVEHOSTED_NETWORK/firewallManager=str:iptables</div></blockquote><div><br></div><div>> Actually I do not think we provide in hosted-engine deploy means to disable this as we do</div><div>> in engine-setup. If you carefully read the code you see that you can make it do nothing by</div><div>> setting this to a non-existent manager, e.g.:</div><div>><br></div><div><span style="font-family:Helvetica, Arial, sans-serif;" data-mce-style="font-family: Helvetica, Arial, sans-serif;">> OVEHOSTED_NETWORK/firewallManager=str:nonexistent<br><br>I will try this asap (reinstalling from scratch using latest 3.4 snapshot packages + latest GlusterFS 3.5 nightly) and will report back.<br></span></div><div><br></div><blockquote style="border-left:2px solid #1010FF;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><div dir="ltr"><br>OVEHOSTED_NETWORK/iptablesEnable=bool:False</div></blockquote><div><br></div><div>> Where did you get this from? Can't find it in the code.<br><br>Nor do I anymore... it must have been my fault, sorry for the confusion<br></div><div><br></div><blockquote style="border-left:2px solid #1010FF;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><div dir="ltr"><br><div><br></div>Maybe I used the wrong option (deduced by looking inside source code).<br><div><br></div>Does anybody have any hint/suggestion?</div></blockquote><div><br></div><div>> The above should prevent 'hosted-engine --deploy' from configuring iptables on the host,</div><div>> and to prevent 'engine-setup' from configuring iptables on the VM. Later, the engine</div><div>> runs 'ovirt-host-deploy' which connects to the host and configures there stuff - some by</div><div>> itself, some using vdsm, and some sent through them directly from the engine. This is</div><div>> a process I know less...<br><br>The timestamp on the saved/modified iptables files suggests something happening right at the end of setup (when Self-Hosted-Engine adds/registers host).<br></div><div><br></div><div>> You can look at and/or post more relevant logs - /var/log/ovirt-engine/host-deploy/* ,</div><div>> /var/log/ovirt-engine/*.log from the engine VM <span style="font-size:12pt;">and /var/log/vdsm/* from the host,</span></div><div><span style="font-size:12pt;">> and also check iptables configuration at various stages - during hosted-engine deploy</span></div><div><span style="font-size:12pt;">> but before connecting to the engine, after, etc.</span></div><div>> -- <br></div><div>> <span></span>Didi<br><span></span><br><span style="font-size:12pt;">/var/log/vdsm/* on host contain no references to iptables</span><br>I will check on Engine logs as soon as I can start it up again (GlusterFS-based NFS keeps crashing, maybe for OOM/leakage).<br><br>Many thanks for your help,<br>Giuseppe<br><br></div></div></div> </div></body>
</html>