
On Mon, Feb 26, 2018 at 2:01 PM, Nicolas Ecarnot <nicolas@ecarnot.net> wrote:
> Hello,
>
> On oVirt 4.2.1.7, I'm trying to set up custom iptables rules as I have been doing for years with engine-config --set IPTablesConfigSiteCustom="blah blah blah".
>
> On my hosts, I can see that /etc/sysconfig/iptables does contain the correct custom rules I added, but when checking manually with iptables -L, I don't see my rules active.
>
> On my hosts, I see that the iptables service is stopped and disabled, and that the firewalld service is up and running.
> That explains why iptables customization has no effect.

Indeed. IIRC the type of firewall is now set per cluster or something like that, not sure about the details - adding Ondra.

> In the engine setup, I see that /etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf contains: OVESETUP_CONFIG/firewallManager=none:None
>
> I'm confused about this setting: when running engine-setup, I'm not sure I understand whether answering yes to the question about the firewall will modify the engine, the hosts, or all of them?

Only the engine.

> Actually, I'd like my engine to stay with a disabled firewall, but my hosts with an active one.

So you should reply 'No' as you did in 'engine-setup', and handle iptables/firewalld on the engine after it's set up (upgraded), I think from the UI.

> Is it true to say that this is not an option and I have to answer yes, enable the firewall on the engine, allowing the OVESETUP_CONFIG/firewallManager option to be set up (to firewalld or iptables), thus allowing the spread of this setup towards the hosts?

No, they are unrelated.

Best regards,
-- 
Didi