(Adding Ondra for the firewalld stuff. But I think it's probably
easier to debug if you open a bug and attach logs there).

On Tue, Jan 9, 2018 at 2:34 PM, Peter Hudec <phudec@cnc.sk> wrote:
If I run host reinstall with custom firewall rules in
/etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml the task will
fail because firewalld is not running.

The reinstall task will disable firewalld and enable iptables-services.
I'm a little bit confused ;(

---
- name: Enable additional port on firewalld
  firewalld:
    port: "10050/tcp"
    permanent: yes
    immediate: yes
    state: enabled


2018-01-09 13:27:30,103 p=13550 u=ovirt |  included:
/etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml for
dipovirt01.cnc.sk
2018-01-09 13:27:30,134 p=13550 u=ovirt |  TASK [Enable additional port
on firewalld] *************************************
2018-01-09 13:27:32,089 p=13550 u=ovirt |  fatal: [dipovirt01.cnc.sk]:
FAILED! => {"changed": false, "module_stderr": "Shared connection to
dipovirt01.cnc.sk closed.\r\n", "module_stdout": "Traceback (most recent
call last):\r\n  File
\"/tmp/ansible_2Ilnjq/ansible_module_firewalld.py\", line 936, in
<module>\r\n    main()\r\n  File
\"/tmp/ansible_2Ilnjq/ansible_module_firewalld.py\", line 788, in
main\r\n    module.fail(msg='firewall is not currently running, unable
to perform immediate actions without a running firewall
daemon')\r\nAttributeError: 'AnsibleModule' object has no attribute
'fail'\r\n", "msg": "MODULE FAILURE", "rc": 0}
2018-01-09 13:27:32,095 p=13550 u=ovirt |  PLAY RECAP
*********************************************************************


After reinstallation the status of firewalld is:
[PROD] root@dipovirt01.cnc.sk: /var/log/vdsm # systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled;
vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)


So how could I switch to firewalld? The package iptables-service could not
be removed due to the dependencies.

        Peter

On 09/01/2018 09:35, Yedidyah Bar David wrote:
>
>     1) firewalld
>     After upgrading the host server, I needed to stop firewalld. It seems
>     that the rules are not generated correctly. The engine was not able to
>     connect to the host. How could I fix it?
>
>
> Please check/share relevant files from /var/log/ovirt-engine/ansible/
> and /var/log/ovirt-engine/host-deploy/ . Or perhaps file a bug and
> attach them there.


--
*Peter Hudec*
Infrastructure Architect
phudec@cnc.sk

*CNC, a.s.*
Borská 6, 841 04 Bratislava
Reception: +421 2  35 000 100

Mobile: +421 905 997 203
www.cnc.sk




--
Didi