From claude.durocher at cptaq.gouv.qc.ca Thu Nov 17 18:42:14 2016
From: Claude Durocher
To: users at ovirt.org
Subject: [ovirt-users] Hook to add firewall rules
Date: Thu, 17 Nov 2016 18:42:12 -0500

I've implemented successfully a hook to edit the configuration of some of my nics on my ovirt hosts.

Is there a way to add firewall rules (iptables) with vdsm hooks?

From didi at redhat.com Sun Nov 20 02:51:25 2016
From: Yedidyah Bar David
To: users at ovirt.org
Subject: Re: [ovirt-users] Hook to add firewall rules
Date: Sun, 20 Nov 2016 09:51:23 +0200

On Fri, Nov 18, 2016 at 1:42 AM, Claude Durocher wrote:
> I've implemented successfully a hook to edit the configuration of some of my
> nics on my ovirt hosts.
>
> Is there a way to add firewall rules (iptables) with vdsm hooks?

Please search for 'IPTablesConfigSiteCustom'.

Best,
--
Didi

From claude.durocher at cptaq.gouv.qc.ca Mon Nov 21 14:45:36 2016
From: Claude Durocher
To: users at ovirt.org
Subject: Re: [ovirt-users] Hook to add firewall rules
Date: Mon, 21 Nov 2016 14:45:34 -0500

Ok, I've configured my custom iptable rules with "engine-config --get IPTablesConfigSiteCustom" on the engine. Now, how do I apply this on already deployed nodes?

On Sunday, November 20, 2016 02:51 EST, Yedidyah Bar David wrote:

> On Fri, Nov 18, 2016 at 1:42 AM, Claude Durocher wrote:
> > I've implemented successfully a hook to edit the configuration of some of my
> > nics on my ovirt hosts.
> >
> > Is there a way to add firewall rules (iptables) with vdsm hooks?
>
> Please search for 'IPTablesConfigSiteCustom'.
>
> Best,
> --
> Didi

From didi at redhat.com Tue Nov 22 03:56:53 2016
From: Yedidyah Bar David
To: users at ovirt.org
Subject: Re: [ovirt-users] Hook to add firewall rules
Date: Tue, 22 Nov 2016 10:56:50 +0200

On Mon, Nov 21, 2016 at 9:45 PM, Claude Durocher wrote:
> Ok, I've configured my custom iptable rules with "engine-config --get
> IPTablesConfigSiteCustom" on the engine. Now, how do I apply this on already
> deployed nodes?

Move to maintenance, reinstall?

I do not think there is another way. But I also do not think oVirt
will overwrite your conf by any other process, so you can also simply
do this manually. Didn't try this myself.

> On Sunday, November 20, 2016 02:51 EST, Yedidyah Bar David wrote:
>
> On Fri, Nov 18, 2016 at 1:42 AM, Claude Durocher wrote:
>> I've implemented successfully a hook to edit the configuration of some of
>> my nics on my ovirt hosts.
>>
>> Is there a way to add firewall rules (iptables) with vdsm hooks?
>
> Please search for 'IPTablesConfigSiteCustom'. Best,
> --
> Didi

--
Didi

From rstory at tislabs.com Tue Nov 22 14:23:04 2016
From: Robert Story
To: users at ovirt.org
Subject: Re: [ovirt-users] Hook to add firewall rules
Date: Tue, 22 Nov 2016 14:22:55 -0500

On Tue, 22 Nov 2016 10:56:50 +0200 Yedidyah wrote:
YBD> On Mon, Nov 21, 2016 at 9:45 PM, Claude Durocher
YBD> wrote:
YBD> > Ok, I've configured my custom iptable rules with "engine-config --get
YBD> > IPTablesConfigSiteCustom" on the engine. Now, how do I apply this on already
YBD> > deployed nodes?
YBD>
YBD> Move to maintenance, reinstall?
YBD>
YBD> I do not think there is another way. But I also do not think oVirt
YBD> will overwrite your conf by any other process, so you can also simply
YBD> do this manually. Didn't try this myself.

I seem to recall the engine-config option being added because engine would
overwrite iptables config on every upgrade.

Robert

--
Senior Software Engineer @ Parsons

From didi at redhat.com Wed Nov 23 02:13:38 2016
From: Yedidyah Bar David
To: users at ovirt.org
Subject: Re: [ovirt-users] Hook to add firewall rules
Date: Wed, 23 Nov 2016 09:13:36 +0200

On Tue, Nov 22, 2016 at 9:22 PM, Robert Story wrote:
> On Tue, 22 Nov 2016 10:56:50 +0200 Yedidyah wrote:
> YBD> On Mon, Nov 21, 2016 at 9:45 PM, Claude Durocher
> YBD> wrote:
> YBD> > Ok, I've configured my custom iptable rules with "engine-config --get
> YBD> > IPTablesConfigSiteCustom" on the engine. Now, how do I apply this on already
> YBD> > deployed nodes?
> YBD>
> YBD> Move to maintenance, reinstall?
> YBD>
> YBD> I do not think there is another way. But I also do not think oVirt
> YBD> will overwrite your conf by any other process, so you can also simply
> YBD> do this manually. Didn't try this myself.
>
> I seem to recall the engine-config option being added because engine would
> overwrite iptables config on every upgrade.

I think you are right, for upgrades done from the engine - not 'yum update'.

'Move to maintenance and reinstall' and 'Upgrade from the engine' are actually
almost the exact same thing, from the engine's POV.

Thanks for the comment.

Best,
--
Didi