
Giuseppe, et al.,

I gave up on my six-server hosted engine install, partly for this reason. In addition to this problem, I found that I couldn't use a bridge of my own naming. Then, trying to associate interfaces with bridges in the web interface, my hand-tuned bridges were fatally clobbered. Like, the files I wrote by hand in /etc/sysconfig/ifcfg-*, bridges, and interfaces (some with VLANs) alike. And other things... like the Westmere vs. Ivy Bridge thing.

Anyway, I think what's happening to your install is that iptables on the host is getting clobbered by the automatic "install" that happens when the hosted-engine setup script finally contacts the engine for the first time. I'm not sure how to keep this from happening, but it's a place to start. And I think it's the reason your setting False didn't help.

By the way, it took a two-hour test for me to learn that even removing the /etc/sysconfig/iptables file AND stopping AND disabling iptables via systemctl on both host and engine did nothing to combat this behavior.

Back when I set up 3.0, I saw similar behavior. At that time though, the iptables thing wasn't fatal. I observed here that this overwriting and enabling/starting of iptables causes the very last part of the hosted-engine setup script to fail miserably. As a result of the engine not being able to contact the host at the end of its "install" phase, the H/A configuration is never done. This is my theory, anyway.

I think oVirt should leave the firewall _completely_ alone and just document what ports should be open. I don't think we need that special line at the bottom of /etc/sysconfig/iptables oVirt puts in there.

I'll stop rambling now. :-) I like oVirt, but getting so far into this that I have a two-hour turnaround every time I want to test a minor tweak is just too much. I think this will get better in time, I hope. At that time, maybe I'll try again.

Here's what libvirt has to say about iptables vs. bridges:

"""
The final step is to disable netfilter on the bridge:

# cat >> /etc/sysctl.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
EOF
# sysctl -p /etc/sysctl.conf

It is recommended to do this for performance and security reasons. See Fedora bug #512206 <https://bugzilla.redhat.com/512206>.

Alternatively you can configure iptables to allow all traffic to be forwarded across the bridge:

# echo "-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" > /etc/sysconfig/iptables-forward-bridged
# lokkit --custom-rules=ipv4:filter:/etc/sysconfig/iptables-forward-bridged
# service libvirtd reload
"""

source: http://wiki.libvirt.org/page/Networking#Creating_network_initscripts

You might be interested to know that you can pre-populate vm.conf.in in /usr/share, before the install. Here was mine:

vmId=@VM_UUID@
memSize=@MEM_SIZE@
display=@CONSOLE_TYPE@
devices={index:2,iface:ide,address:{ controller:0, target:0,unit:0, bus:1, type:drive},specParams:{},readonly:true,deviceId:@CDROM_UUID@,path:@CDROM@,device:cdrom,shared:false,type:disk@BOOT_CDROM@}
devices={index:0,iface:virtio,format:raw,poolID:@SP_UUID@,volumeID:@VOL_UUID@,imageID:@IMG_UUID@,specParams:{},readonly:false,domainID:@SD_UUID@,optional:false,deviceId:@IMG_UUID@,address:{bus:0x00, slot:0x06, domain:0x0000, type:pci, function:0x0},device:disk,shared:exclusive,propagateErrors:off,type:disk@BOOT_DISK@}
devices={device:scsi,model:virtio-scsi,type:controller}
devices={device:console,specParams:{},type:console,deviceId:@CONSOLE_UUID@,alias:console0}
vmName=@NAME@
spiceSecureChannels=smain,sdisplay,sinputs,scursor,splayback,srecord,ssmartcard,susbredir
smp=@VCPUS@
cpuType=@CPU_TYPE@
emulatedMachine=@EMULATED_MACHINE@
devices={nicModel:pv,macAddr:00:16:3e:3d:78:10,linkActive:true,network:brbaseboard,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:ab3f9ae9-1d1b-432e-997d-f3458f89cf10,address:{bus:0x01, slot:0x01, domain:0x0000, type:pci, function:0x0},device:bridge,type:interface}
devices={nicModel:pv,macAddr:@MAC_ADDR@,linkActive:true,network:@BRIDGE@,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:@NIC_UUID@,address:{bus:0x01, slot:0x02, domain:0x0000, type:pci, function:0x0},device:bridge,type:interface@BOOT_PXE@}
devices={nicModel:pv,macAddr:00:16:3e:3d:78:30,linkActive:true,network:brstorage,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:ab3f9ae9-1d1b-432e-997d-f3458f89cf30,address:{bus:0x01, slot:0x03, domain:0x0000, type:pci, function:0x0},device:bridge,type:interface}
devices={nicModel:pv,macAddr:00:16:3e:3d:78:40,linkActive:true,network:brcompute,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:ab3f9ae9-1d1b-432e-997d-f3458f89cf40,address:{bus:0x01, slot:0x04, domain:0x0000, type:pci, function:0x0},device:bridge,type:interface}
devices={nicModel:pv,macAddr:00:16:3e:3d:78:00,linkActive:true,network:brpublic,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:ab3f9ae9-1d1b-432e-997d-f3458f89cf00,address:{bus:0x01, slot:0x5, domain:0x0000, type:pci,function:0x0},device:bridge,type:interface}

Here's my answers file for the hosted-engine script (this was a version where I was testing manual selection of iptables=false):

[environment:default]
OVEHOSTED_NETWORK/bridgeIf=str:p1p1
OVEHOSTED_NETWORK/bridgeName=str:brinternal
OVEHOSTED_NETWORK/fqdn=str:ovirt-engine-n1.redacted.com
OVEHOSTED_NETWORK/gateway=str:55.55.55.1
OVEHOSTED_NOTIF/destEmail=str:root@localhost
OVEHOSTED_NOTIF/smtpPort=str:25
OVEHOSTED_NOTIF/smtpServer=str:localhost
OVEHOSTED_NOTIF/sourceEmail=str:root@localhost
OVEHOSTED_STORAGE/connectionUUID=str:0f639e4f-8b4e-4c97-aa34-79e71ccc615a
OVEHOSTED_STORAGE/domainType=str:nfs3
OVEHOSTED_STORAGE/imgSizeGB=str:64
OVEHOSTED_STORAGE/imgUUID=str:63121632-e3b6-42c1-829d-8ebc37a6e6a6
OVEHOSTED_STORAGE/sdUUID=str:4de7efd5-39fa-46c1-9116-53fd34d13630
OVEHOSTED_STORAGE/spUUID=str:0afa6614-c6d2-4390-b2e8-8efdf19a7e2b
OVEHOSTED_STORAGE/storageDatacenterName=str:dc_ssd-vol-ovirt-engine-n001
OVEHOSTED_STORAGE/storageDomainConnection=str:10.30.3.9:/ssd-vol-ovirt-engine-n001
OVEHOSTED_STORAGE/storageDomainName=str:sd_ssd-vol-ovirt-engine-n001
OVEHOSTED_STORAGE/volUUID=str:7d512edc-d939-4abe-bfb3-c3828fad7b3c
OVEHOSTED_VDSM/caSubject=str:/C=EN/L=Test/O=Test/CN=TestCA
OVEHOSTED_VDSM/consoleType=str:vnc
OVEHOSTED_VDSM/cpu=str:model_Westmere
OVEHOSTED_VDSM/pkiSubject=str:/C=EN/L=Test/O=Test/CN=Test
OVEHOSTED_VDSM/spicePkiSubject=str:C=EN, L=Test, O=Test, CN=Test
OVEHOSTED_VM/cdromUUID=str:f68ce9dc-51a7-43d7-aff3-5c57f08c5ff1
OVEHOSTED_VM/consoleUUID=str:01667bb2-cc81-4e09-b751-af356ae44136
OVEHOSTED_VM/emulatedMachine=str:pc
OVEHOSTED_VM/nicUUID=str:ab3f9ae9-1d1b-432e-997d-f3458f89cf20
OVEHOSTED_VM/ovfArchive=none:None
OVEHOSTED_VM/vmBoot=str:cdrom
OVEHOSTED_VM/vmCDRom=str:/opt/iso/Fedora-19-x86_64-DVD.iso
OVEHOSTED_VM/vmMACAddr=str:00:16:3e:3d:78:20
OVEHOSTED_VM/vmMemSizeMB=str:8192
OVEHOSTED_VM/vmUUID=str:ad0a46d7-3974-4511-a341-7a6def000cbb
OVEHOSTED_VM/vmVCpus=str:2

Thanks,
Joshua

On Sun, Mar 23, 2014 at 4:44 PM, Giuseppe Ragusa <giuseppe.ragusa@hotmail.com> wrote:
Hi all,

I'm trying to automate as much as possible of ovirt-hosted-engine-setup and engine-setup by means of otopi answer files passed in using "--config-append=filename.conf".

I succeeded in forcing engine-setup to leave my iptables settings alone with:

OVESETUP_CONFIG/firewallManager=str:iptables
OVESETUP_CONFIG/updateFirewall=bool:False

but ovirt-hosted-engine-setup still modified my iptables settings even with the following options:

OVEHOSTED_NETWORK/firewallManager=str:iptables
OVEHOSTED_NETWORK/iptablesEnable=bool:False

Maybe I used the wrong option (deduced by looking inside the source code).

Does anybody have any hint/suggestion?

Many thanks in advance,
Giuseppe
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
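As an added example (not oVirt's code and not from either poster), here is a small parser for the otopi-style answer-file lines quoted in this thread, plus a check that the firewall knobs both messages mention are set so that engine-setup and ovirt-hosted-engine-setup are told to leave iptables alone. It assumes the grammar visible above, 'SECTION/key=type:value' under an '[environment:default]' header with the types str, bool, int and none; the sample input is constructed.

```python
# Added example (not oVirt's or the thread's code): parse an otopi-style answer
# file as shown in the thread ('SECTION/key=type:value' lines under an
# '[environment:default]' header; types str, bool, int, none are assumed).
import re

LINE_RE = re.compile(r"^(?P<key>[A-Z_]+/\w+)=(?P<type>[a-z]+):(?P<val>.*)$")

def parse_answer_file(text):
    """Return {key: typed value}; raise on lines that do not fit the grammar."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#[":
            continue  # blank line, comment, or section header
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable answer-file line: %r" % line)
        key, typ, val = m.group("key", "type", "val")
        if typ == "str":
            entries[key] = val
        elif typ == "bool" and val in ("True", "False"):
            entries[key] = val == "True"
        elif typ == "int":
            entries[key] = int(val)
        elif typ == "none":
            entries[key] = None
        else:
            raise ValueError("bad %s value for %s: %r" % (typ, key, val))
    return entries

# The firewall knobs quoted in the thread for engine-setup and hosted-engine-setup.
FIREWALL_KEYS = ("OVESETUP_CONFIG/updateFirewall", "OVEHOSTED_NETWORK/iptablesEnable")

def firewall_untouched(entries):
    """True only if at least one knob is present and every present knob is False."""
    present = [k for k in FIREWALL_KEYS if k in entries]
    return bool(present) and all(entries[k] is False for k in present)

# Constructed sample built from keys quoted in the thread.
SAMPLE = """[environment:default]
OVEHOSTED_NETWORK/firewallManager=str:iptables
OVEHOSTED_NETWORK/iptablesEnable=bool:False
OVEHOSTED_VM/ovfArchive=none:None
OVEHOSTED_VM/vmVCpus=str:2
"""

if __name__ == "__main__":
    env = parse_answer_file(SAMPLE)
    print("firewall left alone:", firewall_untouched(env))
```

As the thread shows, a knob parsed as False is only what the answer file asks for; whether the tool honours it still has to be confirmed by diffing /etc/sysconfig/iptables before and after the run.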