--_64b96cf8-fdd4-4df4-bf3e-459817379ccc_ Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hi Joshua=2C many thanks for your suggestion which I suppose would work perfectly=2C but= I actually want iptables (CentOS 6.5 here=2C so no firewalld) rules in pla= ce all the time=2C but only "MY OWN" iptables rules =3B> Regards=2C Giuseppe Date: Tue=2C 25 Mar 2014 18:04:04 -0400 Subject: Re: [Users] Otopi pre-seeded answers and firewall settings From: josh(a)wrale.com To: giuseppe.ragusa(a)hotmail.com Perhaps you could add the iptables and firewalld packages to yum.conf as ex= cludes. I don't know if this would fail silently=2C but if so=2C the engin= e installer would never know. Thanks=2C =0A= Joshua On Tue=2C Mar 25=2C 2014 at 5:49 PM=2C Giuseppe Ragusa <giuseppe.ragusa@hot= mail.com> wrote: =0A= =0A= =0A= =0A= Hi Didi=2C many thanks for your invaluable help! I'll try your suggestion (/etc/ovirt-host-deploy.conf.d/99-prevent-iptables= .conf) asap and then I will report back. By the way: I have a really custom iptables setup (multiple separated netwo= rks on hypervisor hosts)=2C so I suppose it's best to hand tune firewall ru= les and then leave them alone (I pre-configure them=2C so the setup procedu= re won't be impeded in its communication needs anyway AND I will always gua= rantee the most stringent filtering possible with default deny ecc.). =0A= Many thanks again=2C Giuseppe Date: Tue=2C 25 Mar 2014 04:05:33 -0400 From: didi(a)redhat.com To: giuseppe.ragusa(a)hotmail.com =0A= CC: users(a)ovirt.org Subject: Re: [Users] Otopi pre-seeded answers and firewall settings =0A= From: "Giuseppe Ragusa" <giuseppe.ragusa(a)hotmail.com&gt; =0A= To: "Yedidyah Bar David" <didi(a)redhat.com&gt; Cc: &quot;Users(a)ovirt.org&quot; <users(a)ovirt.org&gt; =0A= Sent: Tuesday=2C March 25=2C 2014 1:53:20 AM Subject: RE: [Users] Otopi pre-seeded answers and firewall settings Hi Didi=2C I found the references to NETWORK/iptablesEnable in my engine logs (/var/lo= g/ovirt-engine/host-deploy/ovirt-*.log)=2C but it didn't seem to work after= all. =0A= Full logs attached. I resurrected my Engine by rebooting the (still only) host=2C then restarti= ng ovirt-ha-agent (at startup the agent failed while trying to launch vdsm= =2C but I found vdsm running and so tried manually...).=0A= OK=2C so it's host-deploy that's doing that.But it's not host-deploy itself= - it's the engine that is talking to it=2C asking it to configure iptables= .I don't know how to make the agent don't do that. I searched a bit the sou= rces (which I don't know)=0A= and didn't find a simple way. You can=2C however=2C try to override this by:# mkdir -p /etc/ovirt-host-de= ploy.conf.d# echo '[environment:enforce]' > /etc/ovirt-host-deploy.conf.d/9= 9-prevent-iptables.conf=0A= # echo 'NETWORK/iptablesEnable=3Dbool:False' >> /etc/ovirt-host-deploy.conf= .d/99-prevent-iptables.conf Never tried that=2C and not sure it's recommended - if it does work=2C it m= eans that host-deploy will not=0A= update iptables=2C but the engine will think it did. So it's better to find= a way to make the engine not dothat. Or=2C better yet=2C that you'll expla= in why you need this and somehow make the engine do what you want...=0A= -- Didi =0A= _______________________________________________ =0A= Users mailing list =0A= Users(a)ovirt.org =0A= http://lists.ovirt.org/mailman/listinfo/users =0A= = --_64b96cf8-fdd4-4df4-bf3e-459817379ccc_ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <html> <head> <style><!-- .hmmessage P { margin:0px=3B padding:0px } body.hmmessage { font-size: 12pt=3B font-family:Calibri } --></style></head> <body class=3D'hmmessage'><div dir=3D'ltr'>Hi Joshua=2C<br>many thanks for = your suggestion which I suppose would work perfectly=2C but I actually want= iptables (CentOS 6.5 here=2C so no firewalld) rules in place all the time= =2C but only "MY OWN" iptables rules =3B&gt=3B<br><br>Regards=2C<br>Giusepp= e<br><br><div><hr id=3D"stopSpelling">Date: Tue=2C 25 Mar 2014 18:04:04 -04= 00<br>Subject: Re: [Users] Otopi pre-seeded answers and firewall settings<b= r>From: josh(a)wrale.com&lt;br&gt;To: giuseppe.ragusa(a)hotmail.com&lt;br&gt;&lt;br&gt;&lt;div dir= =3D"ltr"><div>Perhaps you could add the iptables and firewalld packages to = yum.conf as excludes.&nbsp=3B I don't know if this would fail silently=2C b= ut if so=2C the engine installer would never know.<br><br></div>Thanks=2C<b= r>=0A= Joshua<br></div><div class=3D"ecxgmail_extra"><br><br><div class=3D"ecxgmai= l_quote">On Tue=2C Mar 25=2C 2014 at 5:49 PM=2C Giuseppe Ragusa <span dir= =3D"ltr">&lt=3B<a href=3D"mailto:giuseppe.ragusa@hotmail.com" target=3D"_bl= ank&quot;&gt;giuseppe.ragusa(a)hotmail.com&lt;/a&gt;&amp;gt=3B&lt;/span&gt; wrote:<br>=0A= <blockquote class=3D"ecxgmail_quote" style=3D"border-left:1px #ccc solid=3B= padding-left:1ex=3B">=0A= =0A= =0A= <div><div dir=3D"ltr">Hi Didi=2C<br>many thanks for your invaluable help!<b= r><br>I'll try your suggestion (/etc/ovirt-host-deploy.conf.d/99-prevent-ip= tables.conf) asap and then I will report back.<br><br>By the way: I have a = really custom iptables setup (multiple separated networks on hypervisor hos= ts)=2C so I suppose it's best to hand tune firewall rules and then leave th= em alone (I pre-configure them=2C so the setup procedure won't be impeded i= n its communication needs anyway AND I will always guarantee the most strin= gent filtering possible with default deny ecc.).<br>=0A= <br>Many thanks again=2C<br>Giuseppe<br><br><div><hr>Date: Tue=2C 25 Mar 20= 14 04:05:33 -0400<br>From: <a href=3D"mailto:didi@redhat.com" target=3D"_bl= ank&quot;&gt;didi(a)redhat.com&lt;/a&gt;&lt;br&gt;To: <a href=3D"mailto:giuseppe.ragusa@hotmail.c= om" target=3D&quot;_blank&quot;&gt;giuseppe.ragusa(a)hotmail.com&lt;/a&gt;&lt;br&gt;=0A= CC: <a href=3D"mailto:users@ovirt.org" target=3D&quot;_blank&quot;&gt;users(a)ovirt.org&lt;/a= =2Ctimes=2Cserif=3B">=0A= <div></div><blockquote style=3D"padding-left:5px=3Bfont-size:12pt=3Bfont-st= yle:normal=3Bfont-family:Helvetica=2CArial=2Csans-serif=3Btext-decoration:n= one=3Bfont-weight:normal=3Bborder-left:2px solid #1010ff=3B"><b>From: </b>"= Giuseppe Ragusa" &lt=3B<a href=3D"mailto:giuseppe.ragusa@hotmail.com" targe= t=3D&quot;_blank&quot;&gt;giuseppe.ragusa(a)hotmail.com&lt;/a&gt;&amp;gt=3B&lt;br&gt;=0A= <b>To: </b>"Yedidyah Bar David" &lt=3B<a href=3D"mailto:didi@redhat.com" ta= rget=3D&quot;_blank&quot;&gt;didi(a)redhat.com&lt;/a&gt;&amp;gt=3B&lt;br&gt;&lt;b&gt;Cc: </b>"<a href=3D"mailto:= Users(a)ovirt.org&quot; target=3D&quot;_blank&quot;&gt;Users(a)ovirt.org&lt;/a&gt;&quot; &lt=3B<a href=3D"ma= ilto:users@ovirt.org" target=3D&quot;_blank&quot;&gt;users(a)ovirt.org&lt;/a&gt;&amp;gt=3B&lt;br&gt;=0A= <b>Sent: </b>Tuesday=2C March 25=2C 2014 1:53:20 AM<br><b>Subject: </b>RE: = [Users] Otopi pre-seeded answers and firewall settings<br><div><br></div><d= iv dir=3D"ltr">Hi Didi=2C<br>I found the references to NETWORK/iptablesEnab= le in my engine logs (/var/log/ovirt-engine/host-deploy/ovirt-*.log)=2C but= it didn't seem to work after all.<br>=0A= <div><br></div>Full logs attached.<br><div><br></div>I resurrected my Engin= e by rebooting the (still only) host=2C then restarting ovirt-ha-agent (at = startup the agent failed while trying to launch vdsm=2C but I found vdsm ru= nning and so tried manually...).</div>=0A= </blockquote><div><br></div><div>OK=2C so it's host-deploy that's doing tha= t.</div><div>But it's not host-deploy itself - it's the engine that is talk= ing to it=2C asking it to configure iptables.</div><div>I don't know how to= make the agent don't do that. I searched a bit the sources (which I don't = know)</div>=0A= <div>and didn't find a simple way.</div><div><br></div><div>You can=2C howe= ver=2C try to override this by:</div><div># mkdir -p /etc/ovirt-host-deploy= .conf.d</div><div># echo '[environment:enforce]' &gt=3B&nbsp=3B/etc/ovirt-h= ost-deploy.conf.d/99-prevent-iptables.conf</div>=0A= <div># echo 'NETWORK/iptablesEnable=3Dbool:False' &gt=3B&gt=3B&nbsp=3B/etc/= ovirt-host-deploy.conf.d/99-prevent-iptables.conf</div><div><br></div><div>= Never tried that=2C and not sure it's recommended - if it does work=2C it m= eans that host-deploy will not</div>=0A= <div>update iptables=2C but the engine will think it did. So it's better to= find a way to make the engine not do</div><div>that. Or=2C better yet=2C t= hat you'll explain why you need this and somehow make the engine do what yo= u want...</div>=0A= <span class=3D"ecxHOEnZb"><font color=3D"#888888"><div><span style=3D"font-= size:12pt=3B">--&nbsp=3B</span></div><div>Didi</div><div><br></div></font><= /span></div></div> </div></div>=0A= <br>_______________________________________________<br>=0A= Users mailing list<br>=0A= <a href=3D"mailto:Users@ovirt.org">Users@ovirt.org</a><br>=0A= <a href=3D"http://lists.ovirt.org/mailman/listinfo/users" target=3D"_blank"= <br></blockquote></div><br></div></div> </div></body> </html>= --_64b96cf8-fdd4-4df4-bf3e-459817379ccc_--