Andrew Cathrow writes on Mon 03. 09. 2012 at 17:21 -0400:
----- Original Message -----
> From: "Alon Bar-Lev" <alonbl(a)redhat.com>
> To: "Andrew Cathrow" <acathrow(a)redhat.com>
> Cc: engine-devel(a)ovirt.org, "Shireesh Anjal" <sanjal(a)redhat.com>, "Mike Burns" <mburns(a)redhat.com>
> Sent: Monday, September 3, 2012 5:09:34 PM
> Subject: Re: [Engine-devel] Gluster IPTable configuration
>
>
>
> ----- Original Message -----
> > From: "Andrew Cathrow" <acathrow(a)redhat.com>
> > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > Cc: engine-devel(a)ovirt.org, "Shireesh Anjal" <sanjal(a)redhat.com>, "Mike Burns" <mburns(a)redhat.com>
> > Sent: Monday, September 3, 2012 11:57:57 PM
> > Subject: Re: [Engine-devel] Gluster IPTable configuration
>
> <snip>
>
> > Right now we just overwrite the existing iptables configuration with
> > our own, so if a user already added a rule to their host - eg. for a
> > monitoring agent then we stomp over it.
> > Adding our rules as a custom chain means that we don't need to
>
> Here I lost you... :)
>
> I thought ovirt-engine is the master and ovirt-hypervisor is a slave.
>
> From this it follows that all management activities of the slave are done by the
> master...
>
Let's say I use nagios for my host monitoring.
I set up a rhel/fedora/*EL host using my standard corporate and include port 5667/5666 for nagios.
ovirt engine connects to it and blocks nagios.
While it would be great to have all firewall rules (and other settings) managed from ovirt-engine, we are a long way away from that.
Adding rules rather than overwriting the iptables config would allow us not to stomp on the user's existing settings.
This sounds like you want the precise feature set of firewalld, just faster.
David
> There should be no setting at slave that master is not aware of.
>
> This also enables you to duplicate a hypervisor, recover configuration
> or push a mass configuration change.
>
> In your above case, this rule for the monitoring agent may be added at the
> master repository and pushed to slaves belonging to a specific group,
> just like the gluster case.
Yes, but in the 24 months between now and when we get to implement that feature ......
>
> The template mechanism is what enables you to create a custom
> configuration per environment.
>
> Using push rather than re-integration gives a much simpler and
> more deterministic implementation.
>
> But maybe I did not understand some of the fundamental concepts of
> the architecture.
>
> Regards,
> Alon.
>
_______________________________________________
Engine-devel mailing list
Engine-devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-devel
--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
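The "add our rules as a custom chain instead of overwriting" approach Andrew describes, as an added example that is not part of this thread or of oVirt's own code: it merges managed rules into an existing `iptables-save` ruleset so that the host's own rules (here the nagios ports) survive, and a repeated push from the engine produces the same result. The chain name `ovirt-managed`, the sample ruleset and the port 24007 are assumptions made for the demo.

```python
# Constructed iptables-save output of a host whose admin already opened the
# nagios NRPE/NSCA ports (5666/5667); a full overwrite would silently drop them.
EXISTING_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5667 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
CHAIN = "ovirt-managed"  # hypothetical chain name, not oVirt's own
MANAGED_PORTS = [24007]  # sample value (glusterd), not taken from the thread

def chain_rules(chain, tcp_ports):
    """ACCEPT each managed port, then RETURN so the host's own INPUT rules
    still decide everything the managed chain did not explicitly open."""
    rules = [f"-A {chain} -p tcp -m tcp --dport {p} -j ACCEPT" for p in tcp_ports]
    return rules + [f"-A {chain} -j RETURN"]

def merge_ruleset(existing, chain, tcp_ports):
    """Return `existing` with `chain` (re)created in the filter table and a jump
    to it placed ahead of INPUT's first rule; every other line is kept as-is.
    Lines left by an earlier run are dropped first, so the merge is idempotent."""
    out, in_filter, declared, jumped = [], False, False, False
    for line in existing.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"  # only the filter table is touched
        elif in_filter:
            if line.startswith((f":{chain} ", f"-A {chain} ")) or line == f"-A INPUT -j {chain}":
                continue  # stale state from a previous push
            if line.startswith("-A ") and not declared:  # declarations precede rules
                out.append(f":{chain} - [0:0]")
                declared = True
            if line.startswith("-A INPUT ") and not jumped:  # jump before host rules
                out.append(f"-A INPUT -j {chain}")
                jumped = True
            if line == "COMMIT":  # table with no rules yet: declare and jump here
                if not declared:
                    out.append(f":{chain} - [0:0]")
                if not jumped:
                    out.append(f"-A INPUT -j {chain}")
                out.extend(chain_rules(chain, tcp_ports))
        out.append(line)
    return "\n".join(out) + "\n"
```

Feeding the result to `iptables-restore` replaces the ruleset with one that still contains the admin's rules; only the managed chain is regenerated on each push.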