On 20.6.2014 0:19, Alon Bar-Lev wrote:
----- Original Message -----
> From: "Moti Asayag" <masayag(a)redhat.com> To: "Jiří Sléžka"
> <jiri.slezka(a)slu.cz>, "Alon Bar-Lev" <abarlev(a)redhat.com> Cc:
> users(a)ovirt.org Sent: Friday, June 20, 2014 1:12:58 AM Subject: Re:
> [ovirt-users] host upgrade from ovirt manager and custom iptables
> rules
>
>
>
> ----- Original Message -----
>> From: "Jiří Sléžka" <jiri.slezka(a)slu.cz> To: "Moti Asayag"
>> <masayag(a)redhat.com> Cc: users(a)ovirt.org Sent: Thursday, June 19,
>> 2014 3:25:49 PM Subject: Re: [ovirt-users] host upgrade from
>> ovirt manager and custom iptables rules
>>
>>> ----- Original Message -----
>>>> From: "Jiří Sléžka" <jiri.slezka(a)slu.cz> To: users(a)ovirt.org
>>>> Sent: Wednesday, June 18, 2014 8:12:09 PM Subject:
>>>> [ovirt-users] host upgrade from ovirt manager and custom
>>>> iptables rules
>>>>
>>>> Hello all,
>>>>
>>>> is there any way to make custom iptables rules persistent
>>>> during host upgrade? I have for example zabbix agents
>>>> installed on all hosts and thus iptables rule allowing
>>>> connections from our zabbix server. Sadly I have to manually
>>>> restore iptables backup after host upgrade (initiated from
>>>> oVirt manager).
>>>>
>>>
>>> This should be achievable by defining the iptables rules you
>>> wish to use when [re]installing using the engine-config tool:
>>
>> thanks a lot for reply
>>
>>> 1. Check the existing iptables rules: sudo engine-config -g
>>> IPTablesConfig
>>
>> this displays whole iptables template. Interesting thing is that
>> there is a variable @CUSTOM_RULES@. Maybe custom rules could be
>> defined this way?
>>
>
> Adding Alon to reply on @CUSTOM_RULES@
These are to be replaced with gluster specific or virt specific or
both, see IPTablesConfigForVirt, IPTablesConfigForGluster.
I didn't find these variables in engine-config -a (oVirt 3.4.2-1.el6) but never mind
I must note that there is no real support for manual modification of
the iptables rules, as once you change it, you do not enjoy future
product updates, such as upcoming kdump fence listener daemon.
However, moti, we can add another vdc config for user defined rules,
it should be sufficient in most cases.
>
>>>
>>> 2. Define the desired iptables: sudo engine-config -s
>>> IPTablesConfig="Your rules"
>>
>> I entered...
>>
>> engine-config -s IPTablesConfig="-A INPUT -p tcp -m state --state
>> NEW -m tcp -s xx.xx.xx.xx --dport 10050 -j ACCEPT"
>>
>> ...and it looks like this overwrites the entire IPTablesConfig
>> template...
>>
>>> 3. Verify the changes: sudo engine-config -g IPTablesConfig
>>
>> ...because this displays only just my one line above.
>>
>> I have copy of default template but I have no idea how to set
>> this variable with multi line text. I tried inserting \n but it
>> is not converted to newlines. Any ideas?
>
> for me it worked by pasting the file content in the command line:
> engine-config -s IPTablesConfig=" <paste multi-line content>"
this didn't work for me but this workaround did :-)

IPRULES=$( cat /root/archive/iptables_default.txt )
engine-config -s IPTablesConfig="$IPRULES"

also ovirt-engine has to be restarted for changes to take effect

btw. before I created iptables_default.txt with an added custom line
(before @CUSTOM_RULES@)

...
# zabbix
-A INPUT -p tcp -m state --state NEW -m tcp -s 193.84.206.99 --dport 10050 -j ACCEPT
@CUSTOM_RULES@
...

now host's iptables are populated with this modified template upon
upgrade. Agree, this is just an ugly workaround. I am looking forward to
version 3.6 as mentioned in this RFE
https://bugzilla.redhat.com/show_bug.cgi?id=1111513

Thanks once more!

Jiri
>
>>
>> Btw. these variables are stored in database?
>
> Yes, in vdc_options table:
>
> select * from vdc_options where option_name = 'IPTablesConfig';
>
>>
>>
>> Thanks in advance,
>>
>> Jiri
>>
>>
>>
>>>
>>> 4. Restart the engine for changes to take effect
>>>
>>> 5. Reinstall the host and verify the iptables rule.
>>>
>>>> And another question I have always wanted to ask... It looks
>>>> like host upgrade is upgrading just vdsm components and no
>>>> other virtualization stuff
>>>>
>>>> this was updated after clicking on "host upgrade"
>>>>
>>>> Jun 18 18:21:38 Updated: iproute-2.6.32-32.el6_5.x86_64
>>>> Jun 18 18:21:59 Installed: vdsm-python-zombiereaper-4.14.7-3.el6ev.noarch
>>>> Jun 18 18:21:59 Updated: vdsm-python-4.14.7-3.el6ev.x86_64
>>>> Jun 18 18:21:59 Updated: vdsm-xmlrpc-4.14.7-3.el6ev.noarch
>>>> Jun 18 18:21:59 Updated: vdsm-cli-4.14.7-3.el6ev.noarch
>>>> Jun 18 18:22:26 Updated: vdsm-4.14.7-3.el6ev.x86_64
>>>> Jun 18 18:22:27 Updated: 2:qemu-kvm-rhev-tools-0.12.1.2-2.415.el6_5.10.x86_64
>>>>
>>>> and after that I ran yum update and updated these components
>>>> (honestly this one was a rhev host but ovirt behaves the same)
>>>>
>>>> Jun 18 18:26:59 Updated: selinux-policy-3.7.19-231.el6_5.3.noarch
>>>> Jun 18 18:27:03 Updated: tzdata-2014d-1.el6.noarch
>>>> Jun 18 18:27:10 Updated: glibc-2.12-1.132.el6_5.2.x86_64
>>>> Jun 18 18:27:22 Updated: glibc-common-2.12-1.132.el6_5.2.x86_64
>>>> Jun 18 18:27:22 Updated: audit-libs-2.2-4.el6_5.x86_64
>>>> Jun 18 18:27:22 Updated: libxml2-2.7.6-14.el6_5.1.x86_64
>>>> Jun 18 18:27:22 Updated: libcurl-7.19.7-37.el6_5.3.x86_64
>>>> Jun 18 18:27:23 Updated: 2:qemu-img-rhev-0.12.1.2-2.415.el6_5.10.x86_64
>>>> Jun 18 18:27:23 Updated: libtasn1-2.3-6.el6_5.x86_64
>>>> Jun 18 18:27:23 Updated: gnutls-2.8.5-14.el6_5.x86_64
>>>> Jun 18 18:27:25 Updated: openssl-1.0.1e-16.el6_5.14.x86_64
>>>> Jun 18 18:27:25 Updated: spice-server-0.12.4-6.el6_5.2.x86_64
>>>> Jun 18 18:27:25 Updated: gnutls-utils-2.8.5-14.el6_5.x86_64
>>>> Jun 18 18:27:25 Updated: pm-utils-1.2.5-10.el6_5.1.x86_64
>>>> Jun 18 18:27:28 Updated: libvirt-client-0.10.2-29.el6_5.9.x86_64
>>>> Jun 18 18:27:30 Updated: libvirt-0.10.2-29.el6_5.9.x86_64
>>>> Jun 18 18:27:30 Updated: libvirt-python-0.10.2-29.el6_5.9.x86_64
>>>> Jun 18 18:27:30 Updated: mom-0.4.0-1.el6ev.noarch
>>>> Jun 18 18:27:30 Updated: libvirt-lock-sanlock-0.10.2-29.el6_5.9.x86_64
>>>> Jun 18 18:27:32 Updated: 2:qemu-kvm-rhev-0.12.1.2-2.415.el6_5.10.x86_64
>>>> Jun 18 18:27:32 Updated: python-rhsm-1.9.7-1.el6_5.x86_64
>>>> Jun 18 18:27:32 Updated: curl-7.19.7-37.el6_5.3.x86_64
>>>> Jun 18 18:27:33 Updated: libxml2-python-2.7.6-14.el6_5.1.x86_64
>>>> Jun 18 18:27:33 Updated: audit-libs-python-2.2-4.el6_5.x86_64
>>>> Jun 18 18:27:33 Updated: audit-2.2-4.el6_5.x86_64
>>>> Jun 18 18:27:33 Updated: mdadm-3.2.6-7.el6_5.2.x86_64
>>>> Jun 18 18:27:33 Updated: python-cpopen-1.3-2.el6_5.x86_64
>>>> Jun 18 18:28:30 Updated: selinux-policy-targeted-3.7.19-231.el6_5.3.noarch
>>>> Jun 18 18:28:30 Updated: python-pthreading-0.1.3-1.el6ev.noarch
>>>>
>>>>
>>>> I believe qemu-img-rhev, spice-server, libvirt, mom,... are
>>>> important components too. Should they not be upgraded as well?
>>>>
>>>>
>>>> Thanks for clarification,
>>>>
>>>> Jiri
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________ Users mailing
>>>> list Users(a)ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>
>>
>>
>
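
The workaround discussed in this thread, as an added example (not part of any poster's message and not oVirt code): a shell function that inserts custom rules before the @CUSTOM_RULES@ line of a saved template copy and refuses a template that lacks that line, which is what the one-line overwrite reported above would produce. The merge_rules helper, the file names and the sample template and rule are constructed for illustration.

```shell
#!/bin/sh
# Added example: build an IPTablesConfig value from a saved template copy.
PLACEHOLDER='@CUSTOM_RULES@'

# merge_rules TEMPLATE_FILE RULES_FILE (hypothetical helper)
# Prints the template with the rules inserted just before the placeholder.
# Returns non-zero and prints nothing on stdout if either input is unusable.
merge_rules() {
    template=$1
    rules=$2
    [ -r "$template" ] && [ -r "$rules" ] || { echo "cannot read input" >&2; return 1; }
    # The placeholder must appear exactly once, alone on its line. A value
    # holding a single rule (the overwrite seen in the thread) has none.
    count=$(grep -cxF -- "$PLACEHOLDER" "$template" || true)
    if [ "$count" != 1 ]; then
        echo "placeholder found ${count:-0} times in $template, expected 1" >&2
        return 1
    fi
    # Accept only comments, blank lines and rules appended to INPUT.
    if grep -vE '^(#.*|[[:space:]]*|-A INPUT .*)$' "$rules" >&2; then
        echo "unexpected line(s) in $rules" >&2
        return 1
    fi
    awk -v ph="$PLACEHOLDER" -v rf="$rules" '
        $0 == ph { while ((getline line < rf) > 0) print line; close(rf) }
        { print }' "$template"
}

# Constructed stand-in for a saved template, not the real oVirt default.
demo_dir=$(mktemp -d)
printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
    '-A INPUT -p tcp --dport 22 -j ACCEPT' "$PLACEHOLDER" \
    '-A INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT' \
    > "$demo_dir/template.txt"
# Constructed rule file; 192.0.2.10 is a documentation address.
printf '%s\n' '# zabbix' \
    '-A INPUT -p tcp -m state --state NEW -m tcp -s 192.0.2.10 --dport 10050 -j ACCEPT' \
    > "$demo_dir/custom.txt"

if IPRULES=$(merge_rules "$demo_dir/template.txt" "$demo_dir/custom.txt"); then
    printf '%s\n' "$IPRULES"
    # On the engine host the value is then set as in the thread:
    #   engine-config -s IPTablesConfig="$IPRULES"
fi
```

Running engine-config -g IPTablesConfig afterwards, as in step 3 of the thread, shows whether the stored value still contains the full template.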