Hi Didi,
I can confirm that using both an ovhe-answers.conf directive:

OVEHOSTED_NETWORK/firewallManager=str:nonexistent

and an /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf with:

[environment:enforce]
NETWORK/iptablesEnable=bool:False

results in "ovirt-hosted-engine-setup --config-append=ovhe-answers.conf" leaving iptables rules untouched while adding the second hypervisor host to an already deployed self-hosted-engine with one physical host.

Many thanks again,
Giuseppe

PS: is there any difference in using "ovirt-hosted-engine-setup" vs. "hosted-engine --deploy" ?

From: giuseppe.ragusa(a)hotmail.com
To: didi(a)redhat.com
Date: Tue, 25 Mar 2014 22:49:36 +0100
CC: users(a)ovirt.org
Subject: Re: [Users] Otopi pre-seeded answers and firewall settings

Hi Didi,
many thanks for your invaluable help!

I'll try your suggestion (/etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf) asap and then I will report back.

By the way: I have a really custom iptables setup (multiple separated networks on hypervisor hosts), so I suppose it's best to hand tune firewall rules and then leave them alone (I pre-configure them, so the setup procedure won't be impeded in its communication needs anyway AND I will always guarantee the most stringent filtering possible with default deny etc.).

Many thanks again,
Giuseppe

Date: Tue, 25 Mar 2014 04:05:33 -0400
From: didi(a)redhat.com
To: giuseppe.ragusa(a)hotmail.com
CC: users(a)ovirt.org
Subject: Re: [Users] Otopi pre-seeded answers and firewall settings

From: "Giuseppe Ragusa" <giuseppe.ragusa(a)hotmail.com>
To: "Yedidyah Bar David" <didi(a)redhat.com>
Cc: "Users(a)ovirt.org" <users(a)ovirt.org>
Sent: Tuesday, March 25, 2014 1:53:20 AM
Subject: RE: [Users] Otopi pre-seeded answers and firewall settings

Hi Didi,
I found the references to NETWORK/iptablesEnable in my engine logs (/var/log/ovirt-engine/host-deploy/ovirt-*.log), but it didn't seem to work after all.

Full logs attached.

I resurrected my Engine by rebooting the (still only) host, then restarting ovirt-ha-agent (at startup the agent failed while trying to launch vdsm, but I found vdsm running and so tried manually...).

OK, so it's host-deploy that's doing that.
But it's not host-deploy itself - it's the engine that is talking to it, asking it to configure iptables.
I don't know how to make the agent not do that. I searched the sources a bit (which I don't know) and didn't find a simple way.

You can, however, try to override this by:
# mkdir -p /etc/ovirt-host-deploy.conf.d
# echo '[environment:enforce]' > /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf
# echo 'NETWORK/iptablesEnable=bool:False' >> /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf

Never tried that, and not sure it's recommended - if it does work, it means that host-deploy will not update iptables, but the engine will think it did. So it's better to find a way to make the engine not do that. Or, better yet, that you'll explain why you need this and somehow make the engine do what you want...
--
Didi

_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
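
One way to verify the outcome reported at the top of this thread (iptables rules left untouched after adding the host), as an added example that is not part of the original messages: compare `iptables-save` snapshots taken before and after the deploy, ignoring timestamps and packet counters. The function names, file names, the `mgmt0` interface and the sample rulesets are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). On a real host you would run
#   iptables-save > before.rules    (before adding the host)
#   iptables-save > after.rules     (after the deploy finished)
#   rules_unchanged before.rules after.rules

# normalize_rules FILE: print the ruleset with volatile fields removed:
# comment/timestamp lines, chain counters, and per-rule counters (-c output).
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^\(:[^ ]* [^ ]*\) \[[0-9]*:[0-9]*\]$/\1 [0:0]/' \
        -e 's/^\[[0-9]*:[0-9]*\] //' "$1"
}

# rules_unchanged BEFORE AFTER: return 0 if the effective rules are identical,
# otherwise print a unified diff of the normalized rulesets and return 1.
rules_unchanged() {
    tmp=$(mktemp -d) || return 2
    normalize_rules "$1" > "$tmp/before"
    normalize_rules "$2" > "$tmp/after"
    diff -u "$tmp/before" "$tmp/after"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# make_samples DIR: write constructed sample snapshots into DIR.
make_samples() {
    dir=$1
    cat > "$dir/before.rules" <<'EOF'
# Generated by iptables-save on Tue Mar 25 21:00:00 2014
*filter
:INPUT DROP [10:840]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [55:4620]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i mgmt0 -p tcp -m tcp --dport 54321 -j ACCEPT
COMMIT
# Completed on Tue Mar 25 21:00:00 2014
EOF
    # Same rules dumped later: only timestamps and counters differ.
    sed -e 's/21:00:00/22:30:00/' -e 's/\[10:840\]/[97:8148]/' \
        "$dir/before.rules" > "$dir/after_same.rules"
    # Constructed case where a deploy rewrote the policy and dropped a rule.
    sed -e 's/^:INPUT DROP/:INPUT ACCEPT/' -e '/mgmt0/d' \
        "$dir/before.rules" > "$dir/after_changed.rules"
}
```

Because the engine may record the firewall as configured even when host-deploy was told not to touch it, a check on the host itself is the reliable record of what the ruleset actually is.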