On 25/03/2014 23:09, Giuseppe Ragusa wrote:
Hi Didi,
I can confirm that using both an ovhe-answers.conf directive:
OVEHOSTED_NETWORK/firewallManager=str:nonexistent
and an /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf with:
[environment:enforce]
NETWORK/iptablesEnable=bool:False
results in "ovirt-hosted-engine-setup --config-append=ovhe-answers.conf"
leaving iptables rules untouched while adding the second hypervisor host to
an already deployed self-hosted-engine with one physical host.
I think this should be solved differently.
When hosted-engine --deploy detects firewall managers and asks:
iptables was detected on your computer, do you wish setup to configure it? (Yes, No)[Yes]:
if you answer "no" it should ask:
do you want to prevent automatic configuration on this host? (Yes, No)[Yes]:
and if you answer yes it should take care of creating
/etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf and avoid adding the host
with a request for iptables configuration.
What do you think?
Many thanks again,
Giuseppe
PS: is there any difference in using "ovirt-hosted-engine-setup" vs.
"hosted-engine --deploy" ?
No, hosted-engine --deploy just calls ovirt-hosted-engine-setup, passing the remaining
arguments.
------------------------------------------------------------------------------------------------------------------------------------------------------
From: giuseppe.ragusa(a)hotmail.com
To: didi(a)redhat.com
Date: Tue, 25 Mar 2014 22:49:36 +0100
CC: users(a)ovirt.org
Subject: Re: [Users] Otopi pre-seeded answers and firewall settings
Hi Didi,
many thanks for your invaluable help!
I'll try your suggestion (/etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf)
asap and then I will report back.
By the way: I have a really custom iptables setup (multiple separated networks on
hypervisor hosts), so I suppose it's best to hand-tune the firewall
rules and then leave them alone (I pre-configure them, so the setup procedure won't
be impeded in its communication needs anyway AND I will always
guarantee the most stringent filtering possible with default deny etc.).
Many thanks again,
Giuseppe
------------------------------------------------------------------------------------------------------------------------------------------------------
Date: Tue, 25 Mar 2014 04:05:33 -0400
From: didi(a)redhat.com
To: giuseppe.ragusa(a)hotmail.com
CC: users(a)ovirt.org
Subject: Re: [Users] Otopi pre-seeded answers and firewall settings
*From: *"Giuseppe Ragusa" <giuseppe.ragusa(a)hotmail.com>
*To: *"Yedidyah Bar David" <didi(a)redhat.com>
*Cc: *"Users(a)ovirt.org" <users(a)ovirt.org>
*Sent: *Tuesday, March 25, 2014 1:53:20 AM
*Subject: *RE: [Users] Otopi pre-seeded answers and firewall settings
Hi Didi,
I found the references to NETWORK/iptablesEnable in my engine logs
(/var/log/ovirt-engine/host-deploy/ovirt-*.log), but it didn't seem to work
after all.
Full logs attached.
I resurrected my Engine by rebooting the (still only) host, then restarting
ovirt-ha-agent (at startup the agent failed while trying to launch
vdsm, but I found vdsm running and so tried manually...).
OK, so it's host-deploy that's doing that.
But it's not host-deploy itself - it's the engine that is talking to it, asking
it to configure iptables.
I don't know how to make the agent not do that. I searched the sources a bit
(which I don't know) and didn't find a simple way.
You can, however, try to override this by:
# mkdir -p /etc/ovirt-host-deploy.conf.d
# echo '[environment:enforce]' > /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf
# echo 'NETWORK/iptablesEnable=bool:False' >> /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf
Never tried that, and not sure it's recommended - if it does work, it means that
host-deploy will not update iptables, but the engine will think it did. So it's
better to find a way to make the engine not do that. Or, better yet, that you'll
explain why you need this and somehow make the engine do what you want...
--
Didi
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--
Sandro Bonazzola
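As an added example (not from the thread, and not otopi's or ovirt-host-deploy's own code), a small Python parser for the typed "key=type:value" syntax used in both files discussed above, merging an answers file with a conf.d drop-in so that keys set under [environment:enforce] cannot be changed by later non-enforce sections. The sample file contents are constructed, the [environment:default] section of the answers file and the set of type names are assumptions.

```python
import configparser

# Constructed sample inputs mirroring the two files quoted in the thread.
ANSWERS = """[environment:default]
OVEHOSTED_NETWORK/firewallManager=str:nonexistent
"""
DROPIN = """[environment:enforce]
NETWORK/iptablesEnable=bool:False
"""


def parse_typed_value(raw):
    """Decode an otopi-style 'type:value' string (subset of types, assumed)."""
    vtype, _, value = raw.partition(':')
    if vtype == 'none':
        return None
    if vtype == 'bool':
        return value.strip().lower() in ('t', 'true', 'y', 'yes', '1')
    if vtype == 'int':
        return int(value)
    if vtype == 'str':
        return value
    if vtype == 'multi-str':
        return value.split(',') if value else []
    raise ValueError('unsupported value type %r' % vtype)


def load_environment(*texts):
    """Merge [environment:*] sections; enforce-d keys win over later plain sections."""
    env, enforced = {}, set()
    for text in texts:
        cp = configparser.RawConfigParser(delimiters=('=',))
        cp.optionxform = str  # keep key case, e.g. NETWORK/iptablesEnable
        cp.read_string(text)
        for section in cp.sections():
            if not section.startswith('environment:'):
                continue
            stage = section.split(':', 1)[1]
            for key, raw in cp.items(section):
                if key in enforced and stage != 'enforce':
                    continue  # an enforced value is not overridden
                env[key] = parse_typed_value(raw)
                if stage == 'enforce':
                    enforced.add(key)
    return env


if __name__ == '__main__':
    print(load_environment(ANSWERS, DROPIN))
```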