Giuseppe,

I should have clarified.  I meant to blacklist the packages only for a short time, while you add the nodes to the oVirt environment.  Once everything was set up, you would remove these restrictions and yum install iptables.  You'd then configure to taste.

Glad to hear of your success with the conf file method, though.

Thanks,
Joshua


On Tue, Mar 25, 2014 at 6:15 PM, Giuseppe Ragusa <giuseppe.ragusa@hotmail.com> wrote:
Hi Joshua,
many thanks for your suggestion which I suppose would work perfectly, but I actually want iptables (CentOS 6.5 here, so no firewalld) rules in place all the time, but only "MY OWN" iptables rules ;>

Regards,
Giuseppe


Date: Tue, 25 Mar 2014 18:04:04 -0400
Subject: Re: [Users] Otopi pre-seeded answers and firewall settings
From: josh@wrale.com
To: giuseppe.ragusa@hotmail.com

Perhaps you could add the iptables and firewalld packages to yum.conf as excludes.  I don't know if this would fail silently, but if so, the engine installer would never know.

Thanks,
Joshua


On Tue, Mar 25, 2014 at 5:49 PM, Giuseppe Ragusa <giuseppe.ragusa@hotmail.com> wrote:
Hi Didi,
many thanks for your invaluable help!

I'll try your suggestion (/etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf) asap and then I will report back.

By the way: I have a really custom iptables setup (multiple separated networks on hypervisor hosts), so I suppose it's best to hand-tune firewall rules and then leave them alone (I pre-configure them, so the setup procedure won't be impeded in its communication needs anyway AND I will always guarantee the most stringent filtering possible with default deny etc.).

Many thanks again,
Giuseppe


Date: Tue, 25 Mar 2014 04:05:33 -0400
From: didi@redhat.com
To: giuseppe.ragusa@hotmail.com
CC: users@ovirt.org
Subject: Re: [Users] Otopi pre-seeded answers and firewall settings

From: "Giuseppe Ragusa" <giuseppe.ragusa@hotmail.com>
To: "Yedidyah Bar David" <didi@redhat.com>
Cc: "Users@ovirt.org" <users@ovirt.org>
Sent: Tuesday, March 25, 2014 1:53:20 AM
Subject: RE: [Users] Otopi pre-seeded answers and firewall settings

Hi Didi,
I found the references to NETWORK/iptablesEnable in my engine logs (/var/log/ovirt-engine/host-deploy/ovirt-*.log), but it didn't seem to work after all.

Full logs attached.

I resurrected my Engine by rebooting the (still only) host, then restarting ovirt-ha-agent (at startup the agent failed while trying to launch vdsm, but I found vdsm running and so tried manually...).

OK, so it's host-deploy that's doing that.
But it's not host-deploy itself - it's the engine that is talking to it, asking it to configure iptables.
I don't know how to make the agent not do that. I searched the sources a bit (which I don't know)
and didn't find a simple way.

You can, however, try to override this by:
# mkdir -p /etc/ovirt-host-deploy.conf.d
# echo '[environment:enforce]' > /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf
# echo 'NETWORK/iptablesEnable=bool:False' >> /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf

Never tried that, and not sure it's recommended - if it does work, it means that host-deploy will not
update iptables, but the engine will think it did. So it's better to find a way to make the engine not do
that. Or, better yet, that you'll explain why you need this and somehow make the engine do what you want...
-- 
Didi
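Before relying on an override like the one above, an administrator will want to confirm which conf.d fragment actually wins for NETWORK/iptablesEnable. The following is an added example written for this thread, not code from oVirt or otopi: it parses fragments in the format shown (an [environment:enforce] section holding KEY=type:value lines), merges them in lexical filename order so that 99-* overrides lower-numbered files, and returns the effective typed value. The lexical-order rule, the handling of sections other than [environment:enforce], and the int/str type prefixes are assumptions of this example; the constructed 10-site-defaults.conf file exists only to show an override being beaten.

```python
"""Resolve the effective otopi-style environment value from a conf.d directory.

Added example, not part of the original thread or of oVirt/otopi itself.
Assumed: fragments are applied in lexical filename order (so 99-* wins),
only [environment:enforce] is consulted, and values carry a type prefix
such as bool:False. Type prefixes other than bool/int/str are rejected.
"""
import configparser
import os
import tempfile

SECTION = "environment:enforce"


def parse_typed_value(raw):
    """Convert 'bool:False', 'int:3' or 'str:foo' into a Python value."""
    type_name, sep, value = raw.partition(":")
    if not sep:
        raise ValueError(f"value {raw!r} lacks a type prefix")
    if type_name == "bool":
        if value not in ("True", "False"):
            raise ValueError(f"bad bool literal {value!r}")
        return value == "True"
    if type_name == "int":
        return int(value)
    if type_name == "str":
        return value
    raise ValueError(f"unsupported type {type_name!r}")


def load_fragment(text):
    """Parse one fragment; return {key: typed value} from the enforce section only."""
    # Split only on '=' so the ':' inside 'bool:False' stays part of the value.
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.optionxform = str  # keys like NETWORK/iptablesEnable are case-sensitive
    parser.read_string(text)
    if not parser.has_section(SECTION):
        return {}
    return {key: parse_typed_value(val) for key, val in parser.items(SECTION)}


def effective_environment(confdir):
    """Merge every *.conf fragment in lexical order; later files override earlier ones."""
    env = {}
    for name in sorted(os.listdir(confdir)):
        if not name.endswith(".conf"):
            continue
        with open(os.path.join(confdir, name), encoding="utf-8") as fh:
            env.update(load_fragment(fh.read()))
    return env


def demo():
    """Constructed conf.d: a site default enabling iptables plus the 99- override from the thread."""
    with tempfile.TemporaryDirectory() as confdir:
        with open(os.path.join(confdir, "10-site-defaults.conf"), "w", encoding="utf-8") as fh:
            fh.write("[environment:enforce]\nNETWORK/iptablesEnable=bool:True\n")
        with open(os.path.join(confdir, "99-prevent-iptables.conf"), "w", encoding="utf-8") as fh:
            fh.write("[environment:enforce]\nNETWORK/iptablesEnable=bool:False\n")
        return effective_environment(confdir)


if __name__ == "__main__":
    # Expected: {'NETWORK/iptablesEnable': False}, i.e. the 99- file wins.
    print(demo())
```

Running this against a real /etc/ovirt-host-deploy.conf.d (swap the temporary directory for that path in effective_environment) shows the value host-deploy would see; it does not change what the engine believes, which is exactly the caveat Didi raises, so the firewall rules still need to be verified on the host itself after deployment.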


_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users