We're trying to come up with a way to deploy OVN provider's firewalld services during engine setup. The naive solution of querying the user during customization and then installing during STAGE_PACKAGES fails as firewalld configuration happens prior to it.

We thought of a couple of possible solutions we'd like your opinions on (ordered in perceived level of difficulty):

1) Ship/require the packages with ovirt-engine without requiring user input. This essentially couples engine with OVN and disregards a future where OVN doesn't run alongside Engine.

2) Install the packages immediately following user input during customization. A bit hacky and doesn't conceptually fit the stage of customization.

3) Move user input to STAGE_INTERNAL_PACKAGES. Feels more disruptive than #1 to the current otopi flow as STAGE_INTERNAL_PACKAGES is dedicated for packages that are required for otopi itself to operate. Not only this doesn't fit conceptually, it introduces user input to a stage that shouldn't have any.

4) Move firewalld configuration to happen after STAGE_PACKAGES.

5) Refactor to prepare the grounds for OVN/Engine separation. At this point this feels very ambiguous. We don't yet know how will containers be accessed (is ssh guaranteed?) in the future or generally how should a remote installation look like.

Any input/questions are appreciated.