8:48 p.m.
During setup, I allowed the script to change iptables rules. Is this
necessary? Also, is it an "active" management (where oVirt will make
changes), or just a one-time thing?
I ask because I have some other iptables setup I want (such as limited
SSH access), and I don't want to make changes to iptables that oVirt
will override later or anything like that.
--
Chris Adams <cma(a)cmadams.net>
8:53 p.m.
----- Original Message -----
From: "Chris Adams" <cma(a)cmadams.net>
To: users(a)ovirt.org
Sent: Monday, November 17, 2014 8:48:59 PM
Subject: [ovirt-users] iptables management
During setup, I allowed the script to change iptables rules. Is this
necessary? Also, is it an "active" management (where oVirt will make
changes), or just a one-time thing?
I ask because I have some other iptables setup I want (such as limited
SSH access), and I don't want to make changes to iptables that oVirt
will override later or anything like that.
I guess you mean engine setup, right?
Each time you run engine-setup you will be prompt if you want to override iptables
settings.
If you choose to override, the current settings will be backed up and you can diff and
re-apply your own.
If you choose to keep your settings, setup will write the iptables rules into own location
and you can diff and apply the changes manually.
Alon
11:22 p.m.
Once upon a time, Alon Bar-Lev <alonbl(a)redhat.com> said:
I guess you mean engine setup, right?
Yes, that and hosted-engine --deploy.
Each time you run engine-setup you will be prompt if you want to
override iptables settings.
If you choose to override, the current settings will be backed up and you can diff and
re-apply your own.
If you choose to keep your settings, setup will write the iptables rules into own
location and you can diff and apply the changes manually.
Okay, so that's the only time iptables are changed? That makes sense,
and I can work with that. Thanks.
--
Chris Adams <cma(a)cmadams.net>
8:52 a.m.
----- Original Message -----
From: "Chris Adams" <cma(a)cmadams.net>
To: users(a)ovirt.org
Sent: Monday, November 17, 2014 11:22:42 PM
Subject: Re: [ovirt-users] iptables management
Once upon a time, Alon Bar-Lev <alonbl(a)redhat.com> said:
> I guess you mean engine setup, right?
Yes, that and hosted-engine --deploy.
hosted-engine --deploy does not touch iptables of the engine VM.
engine-setup inside that VM does that.
hosted-engine --deploy does two other things:
1. It changes iptables to let you access the engine VM console (spice/vnc)
2. Later, when it adds itself as a host to the engine, it tells the engine
to configure iptables for itself as a host (just as is the default when adding
hosts through the gui). We have an open bug [1] to make that configurable.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1080823
> Each time you run engine-setup you will be prompt if you want to override
> iptables settings.
> If you choose to override, the current settings will be backed up and you
> can diff and re-apply your own.
> If you choose to keep your settings, setup will write the iptables rules
> into own location and you can diff and apply the changes manually.
Okay, so that's the only time iptables are changed? That makes sense,
and I can work with that. Thanks.
--
Chris Adams <cma(a)cmadams.net>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--
Didi
8:47 a.m.
----- Original Message -----
From: "Alon Bar-Lev" <alonbl(a)redhat.com>
To: "Chris Adams" <cma(a)cmadams.net>
Cc: users(a)ovirt.org
Sent: Monday, November 17, 2014 8:53:25 PM
Subject: Re: [ovirt-users] iptables management
----- Original Message -----
> From: "Chris Adams" <cma(a)cmadams.net>
> To: users(a)ovirt.org
> Sent: Monday, November 17, 2014 8:48:59 PM
> Subject: [ovirt-users] iptables management
>
> During setup, I allowed the script to change iptables rules. Is this
> necessary? Also, is it an "active" management (where oVirt will make
> changes), or just a one-time thing?
Just to clarify - it's a "one-time", per run of engine-setup as Alon
explained.
The engine does not touch iptables of its machine.
>
> I ask because I have some other iptables setup I want (such as limited
> SSH access), and I don't want to make changes to iptables that oVirt
> will override later or anything like that.
I guess you mean engine setup, right?
Each time you run engine-setup you will be prompt if you want to override
iptables settings.
If you choose to override, the current settings will be backed up and you can
diff and re-apply your own.
And since recently (will be in 3.6 when it's out) we also try to notify
when manual changes were made to iptables since previous engine-setup, see [1].
[1] http://gerrit.ovirt.org/33085
If you choose to keep your settings, setup will write the iptables
rules into
own location and you can diff and apply the changes manually.
And also show details on the console in the end of engine-setup.
--
Didi
3657
days inactive
3658
days old
4 comments
3 participants
participants (3)
-
Alon Bar-Lev -
Chris Adams -
Yedidyah Bar David