
Hi Didi,
many thanks for your invaluable help!

I'll try your suggestion (/etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf) asap and then I will report back.

By the way: I have a really custom iptables setup (multiple separated networks on hypervisor hosts), so I suppose it's best to hand tune firewall rules and then leave them alone (I pre-configure them, so the setup procedure won't be impeded in its communication needs anyway AND I will always guarantee the most stringent filtering possible with default deny etc.).

Many thanks again,
Giuseppe

----------------------------------------------------------------------
Date: Tue, 25 Mar 2014 04:05:33 -0400
From: didi@redhat.com
To: giuseppe.ragusa@hotmail.com
CC: users@ovirt.org
Subject: Re: [Users] Otopi pre-seeded answers and firewall settings

> From: "Giuseppe Ragusa" <giuseppe.ragusa@hotmail.com>
> To: "Yedidyah Bar David" <didi@redhat.com>
> Cc: "Users@ovirt.org" <users@ovirt.org>
> Sent: Tuesday, March 25, 2014 1:53:20 AM
> Subject: RE: [Users] Otopi pre-seeded answers and firewall settings
>
> Hi Didi,
> I found the references to NETWORK/iptablesEnable in my engine logs (/var/log/ovirt-engine/host-deploy/ovirt-*.log), but it didn't seem to work after all.
>
> Full logs attached.
>
> I resurrected my Engine by rebooting the (still only) host, then restarting ovirt-ha-agent (at startup the agent failed while trying to launch vdsm, but I found vdsm running and so tried manually...).

OK, so it's host-deploy that's doing that.
But it's not host-deploy itself - it's the engine that is talking to it, asking it to configure iptables.
I don't know how to make the agent not do that. I searched a bit the sources (which I don't know)
and didn't find a simple way.

You can, however, try to override this by:

# mkdir -p /etc/ovirt-host-deploy.conf.d
# echo '[environment:enforce]' > /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf
# echo 'NETWORK/iptablesEnable=bool:False' >> /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf

Never tried that, and not sure it's recommended - if it does work, it means that host-deploy will not
update iptables, but the engine will think it did. So it's better to find a way to make the engine not do
that. Or, better yet, that you'll explain why you need this and somehow make the engine do what you want...
-- 
Didi
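The override Didi describes relies on how otopi layers the files under /etc/ovirt-host-deploy.conf.d over the environment the engine hands to host-deploy. The Python below is an added example written for this thread, not otopi's or ovirt-host-deploy's own code. It models that layering as I understand it: files are read in sorted name order, an `[environment:default]` section only fills in keys that are still unset, an `[environment:enforce]` section (the one used in the thread) overrides whatever the engine supplied, and values carry a type prefix such as `bool:`, `int:` or `str:`. The engine-supplied environment and the `DEMO/*` keys are constructed for the example and are not real otopi environment names; only NETWORK/iptablesEnable and the 99-prevent-iptables.conf file come from the thread.

```python
"""Model of the otopi conf.d overlay applied to a host-deploy environment.

Added example; assumptions (not verified against otopi's sources):
  * conf.d files are applied in sorted filename order,
  * [environment:default] sets a key only if it is still unset,
  * [environment:enforce] always overrides the supplied value,
  * values are written as 'type:value' with bool:, int:, str: prefixes.
"""
import configparser
import os
import tempfile

SECTION_DEFAULT = "environment:default"
SECTION_ENFORCE = "environment:enforce"


def parse_typed_value(raw: str):
    """Decode the 'type:value' notation used in the conf.d files."""
    kind, sep, value = raw.partition(":")
    if not sep:
        raise ValueError(f"untyped value: {raw!r}")
    if kind == "bool":
        if value.lower() in ("true", "yes", "1"):
            return True
        if value.lower() in ("false", "no", "0"):
            return False
        raise ValueError(f"bad boolean: {raw!r}")
    if kind == "int":
        return int(value)
    if kind == "str":
        return value
    raise ValueError(f"unknown type prefix: {raw!r}")


def apply_conf_d(environment: dict, conf_dir: str) -> dict:
    """Overlay every *.conf in conf_dir on a copy of the supplied environment."""
    env = dict(environment)
    if not os.path.isdir(conf_dir):
        return env
    for name in sorted(os.listdir(conf_dir)):
        if not name.endswith(".conf"):
            continue
        parser = configparser.RawConfigParser()
        parser.optionxform = str  # keep key case, e.g. NETWORK/iptablesEnable
        parser.read(os.path.join(conf_dir, name))
        if parser.has_section(SECTION_DEFAULT):
            for key, raw in parser.items(SECTION_DEFAULT):
                env.setdefault(key, parse_typed_value(raw))  # fill only if unset
        if parser.has_section(SECTION_ENFORCE):
            for key, raw in parser.items(SECTION_ENFORCE):
                env[key] = parse_typed_value(raw)  # override the engine's value
    return env


def overridden_keys(requested: dict, effective: dict) -> dict:
    """Keys whose effective value differs from what the engine asked for.

    This is exactly the mismatch Didi warns about: host-deploy acts on the
    effective value while the engine still believes its request was honoured.
    """
    return {
        key: (requested[key], effective.get(key))
        for key in requested
        if effective.get(key) != requested[key]
    }


def demo(conf_dir: str = None):
    """Write the thread's override file into a scratch conf.d and resolve it."""
    conf_dir = conf_dir or tempfile.mkdtemp(prefix="ovirt-host-deploy.conf.d-")
    # Constructed file with hypothetical keys, to show [environment:default] semantics.
    with open(os.path.join(conf_dir, "10-defaults.conf"), "w") as fh:
        fh.write(f"[{SECTION_DEFAULT}]\n"
                 "DEMO/alreadySet=str:from-conf.d\n"
                 "DEMO/unset=int:7\n")
    # The file from the thread, verbatim.
    with open(os.path.join(conf_dir, "99-prevent-iptables.conf"), "w") as fh:
        fh.write(f"[{SECTION_ENFORCE}]\n"
                 "NETWORK/iptablesEnable=bool:False\n")
    # Constructed stand-in for what the engine sends to host-deploy for this host.
    requested = {"NETWORK/iptablesEnable": True, "DEMO/alreadySet": "engine"}
    effective = apply_conf_d(requested, conf_dir)
    return requested, effective, overridden_keys(requested, effective)


if __name__ == "__main__":
    requested, effective, diff = demo()
    print("engine requested:", requested)
    print("host-deploy effective:", effective)
    print("diverging keys (engine will not know):", diff)
```

Running `demo()` shows NETWORK/iptablesEnable resolving to False although the engine asked for True, while `DEMO/alreadySet` keeps the engine's value because `[environment:default]` never overrides. The `overridden_keys` output is the list an operator would want to keep alongside such an override file: every entry in it is a setting where the engine's view of the host and the host's actual configuration have been deliberately decoupled, which is why hand-tuned iptables rules on the host then need to be checked independently of what the engine reports.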