<div dir="ltr"><div>Giuseppe,<br><br>I should have clarified. I meant to blacklist the packages only for a short time, while you add the nodes to the oVirt environment. Once everything was set up, you would remove these restrictions and yum install iptables. You'd then configure to taste.<br>
<br></div><div>Glad to hear of your success with the conf file method, though.<br><br>Thanks,<br>Joshua<br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Mar 25, 2014 at 6:15 PM, Giuseppe Ragusa <span dir="ltr"><<a href="mailto:giuseppe.ragusa@hotmail.com" target="_blank">giuseppe.ragusa@hotmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div dir="ltr">Hi Joshua,<br>many thanks for your suggestion which I suppose would work perfectly, but I actually want iptables (CentOS 6.5 here, so no firewalld) rules in place all the time, but only "MY OWN" iptables rules ;><br>
<br>Regards,<br>Giuseppe<br><br><div><hr>Date: Tue, 25 Mar 2014 18:04:04 -0400<br>Subject: Re: [Users] Otopi pre-seeded answers and firewall settings<br>From: <a href="mailto:josh@wrale.com" target="_blank">josh@wrale.com</a><br>
To: <a href="mailto:giuseppe.ragusa@hotmail.com" target="_blank">giuseppe.ragusa@hotmail.com</a><br><br><div dir="ltr"><div>Perhaps you could add the iptables and firewalld packages to yum.conf as excludes. I don't know if this would fail silently, but if so, the engine installer would never know.<br>
<br></div>Thanks,<br>
Joshua<br></div><div><br><br><div>On Tue, Mar 25, 2014 at 5:49 PM, Giuseppe Ragusa <span dir="ltr"><<a href="mailto:giuseppe.ragusa@hotmail.com" target="_blank">giuseppe.ragusa@hotmail.com</a>></span> wrote:<br>
<blockquote style="border-left:1px #ccc solid;padding-left:1ex">
<div><div dir="ltr">Hi Didi,<br>many thanks for your invaluable help!<br><br>I'll try your suggestion (/etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf) asap and then I will report back.<br><br>By the way: I have a really custom iptables setup (multiple separated networks on hypervisor hosts), so I suppose it's best to hand tune firewall rules and then leave them alone (I pre-configure them, so the setup procedure won't be impeded in its communication needs anyway AND I will always guarantee the most stringent filtering possible with default deny ecc.).<br>
<br>Many thanks again,<br>Giuseppe<br><br><div><hr>Date: Tue, 25 Mar 2014 04:05:33 -0400<br>From: <a href="mailto:didi@redhat.com" target="_blank">didi@redhat.com</a><br>To: <a href="mailto:giuseppe.ragusa@hotmail.com" target="_blank">giuseppe.ragusa@hotmail.com</a><br>
CC: <a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a><br>Subject: Re: [Users] Otopi pre-seeded answers and firewall settings<br><br><div style="font-size:12pt;font-family:times new roman,new york,times,serif">
<div></div><blockquote style="padding-left:5px;font-size:12pt;font-style:normal;font-family:Helvetica,Arial,sans-serif;text-decoration:none;font-weight:normal;border-left:2px solid #1010ff"><b>From: </b>"Giuseppe Ragusa" <<a href="mailto:giuseppe.ragusa@hotmail.com" target="_blank">giuseppe.ragusa@hotmail.com</a>><br>
<b>To: </b>"Yedidyah Bar David" <<a href="mailto:didi@redhat.com" target="_blank">didi@redhat.com</a>><br><b>Cc: </b>"<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a>" <<a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a>><br>
<b>Sent: </b>Tuesday, March 25, 2014 1:53:20 AM<br><b>Subject: </b>RE: [Users] Otopi pre-seeded answers and firewall settings<br><div><br></div><div dir="ltr">Hi Didi,<br>I found the references to NETWORK/iptablesEnable in my engine logs (/var/log/ovirt-engine/host-deploy/ovirt-*.log), but it didn't seem to work after all.<br>
<div><br></div>Full logs attached.<br><div><br></div>I resurrected my Engine by rebooting the (still only) host, then restarting ovirt-ha-agent (at startup the agent failed while trying to launch vdsm, but I found vdsm running and so tried manually...).</div>
</blockquote><div><br></div><div>OK, so it's host-deploy that's doing that.</div><div>But it's not host-deploy itself - it's the engine that is talking to it, asking it to configure iptables.</div><div>I don't know how to make the agent don't do that. I searched a bit the sources (which I don't know)</div>
<div>and didn't find a simple way.</div><div><br></div><div>You can, however, try to override this by:</div><div># mkdir -p /etc/ovirt-host-deploy.conf.d</div><div># echo '[environment:enforce]' > /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf</div>
<div># echo 'NETWORK/iptablesEnable=bool:False' >> /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf</div><div><br></div><div>Never tried that, and not sure it's recommended - if it does work, it means that host-deploy will not</div>
<div>update iptables, but the engine will think it did. So it's better to find a way to make the engine not do</div><div>that. Or, better yet, that you'll explain why you need this and somehow make the engine do what you want...</div>
<span class="HOEnZb"><font color="#888888">
<span><font color="#888888"><div><span style="font-size:12pt">-- </span></div><div>Didi</div><div><br></div></font></span></font></span></div></div><span class="HOEnZb"><font color="#888888"> </font></span></div>
</div><span class="HOEnZb"><font color="#888888">
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
<br></font></span></blockquote></div><br></div></div> </div></div>
</blockquote></div><br></div>