On Tue, May 30, 2017 at 8:56 AM, Andrew Dent <adent(a)ctcroydon.com.au> wrote:
I can add a rule into iptables such as this
iptables -I INPUT -s 192.168.0.10 -p tcp -m tcp --dport 5666 -j ACCEPT
I can see the addition has succeeded with this
iptables-save > /etc/sysconfig/iptables
But a reboot of the Engine VM (not the Host) doesn't keep the new rule, and
I was expecting that during bootup CentOS would read from
/etc/sysconfig/iptables.
Alas it isn't.
Found a solution.
After reading this
https://stackoverflow.com/questions/24756240/how-can-i-use-iptables-on-ce...
I installed iptables-services
But once installed I found that iptables -L showed no rules.
thankfully I still had the default hosted-engine rules in
/etc/sysconfig/iptables
iptables-restore < /etc/sysconfig/iptables
Then.....
service iptables save
restored the default hosted-engine rules including my rule for 5666.
Rebooting the hosted-engine VM and my rule 5666 for NRPE is still there.
Success!!
Glad for that. Indeed a change between el6 and el7 is the addition of
the package iptables-services. For quite a long time, we install this
package during engine-setup [1] if available, but only after we ask
about the firewall - so if it's not installed beforehand engine-setup
won't let you choose iptables.
[1]
https://bugzilla.redhat.com/show_bug.cgi?id=1224799
To answer your other questions
> Did you ask to configure the firewall during engine-setup?
Yes.
Looks like it setup firewalld for me.
You can check that in the setup logs.
If firewalld was active (up) when you ran engine-setup, and you replied 'Yes'
to 'Configure firewall?', then it automatically chose firewalld, with the
assumption that if it's up, it's very likely what you want. It also emits
a line about this.
> Alternatively, it's recommended to use firewalld.
For the moment I have disabled firewalld and am using iptables....Is there
a reason why firewalld is preferred over iptables?
Main reason from our (as developers) POV is that it's modular - allows
adding/removing services programmatically, without having to parse and
understand /etc/sysconfig/iptables.
Obviously some people also prefer it for other reasons - ease of use,
not having to know all the details for each specific services, etc.
Best,
Kind regards
Andrew
------ Original Message ------
From: "Yedidyah Bar David" <didi(a)redhat.com>
To: "Andrew Dent" <adent(a)ctcroydon.com.au>
Cc: "users" <users(a)ovirt.org>
Sent: 29/05/2017 9:26:23 PM
Subject: Re: [ovirt-users] Ovirt Hosted-Engine VM iptables
> On Mon, May 29, 2017 at 1:14 PM, Andrew Dent <adent(a)ctcroydon.com.au>
> wrote:
>>
>> Hi
>>
>> I would like to add rules into the iptables of the Hosted Engine VM in
>> Ovirt.
>> I am wanting to monitor the Ovirt Engine using Nagios -> NRPE and I
>> would
>> like to open port 5666
>>
>> the version is oVirt Engine Version: 4.1.1.8-1.el7.centos
>> I have tried using the normal process for iptables (iptables-save etc),
>> but
>> it seems that the file
>> /etc/sysconfig/iptables
>> is ignored when the Ovirt Engine VM starts.
>
>
> What do you mean in "ignored"?
>
> What's the output of 'iptables-save'?
>
> Did you ask to configure the firewall during engine-setup?
>
>>
>> How can I add permanent iptables rules into the Engine VM?
>
>
> On the engine vm (unlike hosts), the only thing that touches iptables
> is engine-setup. Before doing that it asks you if you want to configure
> the firewall. There aren't currently means to add your custom rules -
> either you manage it all by yourself or you let engine-setup do that.
>
> Alternatively, it's recommended to use firewalld. engine-setup can
> add to firewalld the stuff it wants, and you still can add your own
> stuff.
>
> If I got you wrong and you refer to the hosts (not engine), see also:
>
>
> https://www.ovirt.org/blog/2016/12/extension-iptables-rules-oVirt-hosts/
>
> Best,
>
>>
>> Kind regards
>>
>>
>> Andrew
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>>
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>
>
>
> --
> Didi
--
Didi
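The thread above hinges on two things a practitioner will want to verify after `service iptables save`: that the NRPE rule actually landed in the saved ruleset (`/etc/sysconfig/iptables`) and that it sits before the catch-all `REJECT` that engine-setup appends to `INPUT` (Andrew used `-I INPUT`, which inserts at the top; an `-A INPUT` rule would be appended after the reject and never match). The script below is an added example, not code from the thread or from oVirt: it parses an iptables-save style file offline and reports whether a TCP port is accepted on `INPUT` ahead of any catch-all reject/drop. The two rulesets are constructed samples shaped like what engine-setup writes; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check an iptables-save formatted
# ruleset, e.g. /etc/sysconfig/iptables, for an INPUT ACCEPT rule on a
# given TCP port that precedes the catch-all REJECT/DROP.

# Constructed sample: engine-setup style filter table plus the NRPE rule
# inserted at the top with `iptables -I INPUT ...` (as in the thread).
SAMPLE_OK='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.0.10/32 -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
'

# Constructed sample: same ruleset, but the NRPE rule was appended with
# `iptables -A INPUT ...`, so it lands after the catch-all REJECT.
SAMPLE_SHADOWED='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.0.10/32 -p tcp -m tcp --dport 5666 -j ACCEPT
COMMIT
'

# port_accepted RULESET PORT
#   Exit 0 if, in the *filter table, an "-A INPUT ... -p tcp ... --dport PORT
#   ... -j ACCEPT" rule appears before any INPUT REJECT/DROP rule that has no
#   --dport (i.e. a catch-all); exit 1 otherwise. Reads the ruleset from $1.
port_accepted() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^\*/ { table = $1; next }                 # remember the current table
        table == "*filter" && /^-A INPUT/ {
            # A catch-all reject/drop ends the useful part of the chain.
            if ($0 ~ /-j (REJECT|DROP)/ && $0 !~ /--dport/) exit
            # Match the exact port (the trailing "( |$)" avoids 5666 vs 56660).
            if ($0 ~ "-p tcp" && $0 ~ ("--dport " port "( |$)") && $0 ~ /-j ACCEPT/) {
                found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# report RULESET PORT LABEL: human-readable summary for the operator.
report() {
    if port_accepted "$1" "$2"; then
        echo "$3: tcp/$2 is accepted on INPUT before the catch-all reject"
    else
        echo "$3: tcp/$2 is NOT reachable (missing, or shadowed by the reject rule)"
    fi
}

report "$SAMPLE_OK" 5666 "inserted rule"
report "$SAMPLE_SHADOWED" 5666 "appended rule"
```

On a real engine VM you would feed it the saved file rather than the constructed strings, for example `port_accepted "$(cat /etc/sysconfig/iptables)" 5666` after `service iptables save`, and compare against the live ruleset with `iptables-save`; a mismatch between the two is exactly the "rule lost on reboot" symptom described in the thread.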