
Hi Didi,
I can confirm that using both an ovhe-answers.conf directive:
OVEHOSTED_NETWORK/firewallManager=str:nonexistent

and an /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf with:
[environment:enforce]
NETWORK/iptablesEnable=bool:False

results in "ovirt-hosted-engine-setup --config-append=ovhe-answers.conf" leaving iptables rules untouched while adding the second hypervisor host to an already deployed self-hosted-engine with one physical host.

Many thanks again,
Giuseppe

PS: is there any difference in using "ovirt-hosted-engine-setup" vs. "hosted-engine --deploy"?

From: giuseppe.ragusa@hotmail.com
To: didi@redhat.com
Date: Tue, 25 Mar 2014 22:49:36 +0100
CC: users@ovirt.org
Subject: Re: [Users] Otopi pre-seeded answers and firewall settings

Hi Didi,
many thanks for your invaluable help!

I'll try your suggestion (/etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf) asap and then I will report back.

By the way: I have a really custom iptables setup (multiple separated networks on hypervisor hosts), so I suppose it's best to hand tune firewall rules and then leave them alone (I pre-configure them, so the setup procedure won't be impeded in its communication needs anyway AND I will always guarantee the most stringent filtering possible with default deny etc.).

Many thanks again,
Giuseppe

Date: Tue, 25 Mar 2014 04:05:33 -0400
From: didi@redhat.com
To: giuseppe.ragusa@hotmail.com
CC: users@ovirt.org
Subject: Re: [Users] Otopi pre-seeded answers and firewall settings

From: "Giuseppe Ragusa" <giuseppe.ragusa@hotmail.com>
To: "Yedidyah Bar David" <didi@redhat.com>
Cc: "Users@ovirt.org" <users@ovirt.org>
Sent: Tuesday, March 25, 2014 1:53:20 AM
Subject: RE: [Users] Otopi pre-seeded answers and firewall settings

Hi Didi,
I found the references to NETWORK/iptablesEnable in my engine logs (/var/log/ovirt-engine/host-deploy/ovirt-*.log), but it didn't seem to work after all.

Full logs attached.

I resurrected my Engine by rebooting the (still only) host, then restarting ovirt-ha-agent (at startup the agent failed while trying to launch vdsm, but I found vdsm running and so tried manually...).

OK, so it's host-deploy that's doing that.
But it's not host-deploy itself - it's the engine that is talking to it, asking it to configure iptables.
I don't know how to make the agent not do that. I searched a bit the sources (which I don't know) and didn't find a simple way.

You can, however, try to override this by:
# mkdir -p /etc/ovirt-host-deploy.conf.d
# echo '[environment:enforce]' > /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf
# echo 'NETWORK/iptablesEnable=bool:False' >> /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf

Never tried that, and not sure it's recommended - if it does work, it means that host-deploy will not update iptables, but the engine will think it did. So it's better to find a way to make the engine not do that. Or, better yet, that you'll explain why you need this and somehow make the engine do what you want...
-- 
Didi

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
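An added example, not code from the thread or from oVirt: a small Python audit that parses otopi-style files like the two shown above (`[environment:<mode>]` sections with `KEY=type:value` entries) and reports which firewall-related keys they set, so an admin who disables host-deploy's iptables handling can see at a glance that the rules are now hand-maintained (the point Didi raises about the engine believing it configured them). The file contents, the handled value types and the rule that `enforce` entries win over `default` entries are assumptions made for this example.

```python
import configparser

# Constructed samples mirroring the two files discussed in the thread (not the poster's own files).
OVHE_ANSWERS = """[environment:default]
OVEHOSTED_NETWORK/firewallManager=str:nonexistent
"""
HOST_DEPLOY_OVERRIDE = """[environment:enforce]
NETWORK/iptablesEnable=bool:False
"""

FIREWALL_KEYS = ("NETWORK/iptablesEnable", "OVEHOSTED_NETWORK/firewallManager")


def decode_typed(raw):
    """Decode an otopi 'type:value' string. Handling only str/bool/int/none is an assumption."""
    typ, sep, val = raw.partition(":")
    if not sep:
        raise ValueError(f"missing type prefix in {raw!r}")
    if typ == "str":
        return val
    if typ == "bool":
        if val.lower() not in ("true", "false"):
            raise ValueError(f"bad bool value in {raw!r}")
        return val.lower() == "true"
    if typ == "int":
        return int(val)
    if typ == "none":
        return None
    raise ValueError(f"unsupported otopi type in {raw!r}")


def parse_otopi(text):
    """Return {mode: {key: value}} for every [environment:<mode>] section in the text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. NETWORK/iptablesEnable
    cp.read_string(text)
    env = {}
    for section in cp.sections():
        if section.startswith("environment:"):
            mode = section.split(":", 1)[1]
            env[mode] = {k: decode_typed(v) for k, v in cp[section].items()}
    return env


def firewall_audit(*texts):
    """Map each firewall-related key to (value, mode) across the given files.
    Assumed precedence: an 'enforce' entry always wins, a 'default' entry only fills a gap."""
    effective = {}
    for text in texts:
        env = parse_otopi(text)
        for mode in ("default", "enforce"):
            for key, val in env.get(mode, {}).items():
                if key in FIREWALL_KEYS and (mode == "enforce" or key not in effective):
                    effective[key] = (val, mode)
    return effective
```

A result of `{"NETWORK/iptablesEnable": (False, "enforce")}` is the signal to keep the host's rules under your own management, as the thread recommends.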