Hi Didi,

many thanks for your invaluable help!

I'll try your suggestion (/etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf) asap and then I will report back.

By the way: I have a really custom iptables setup (multiple separated networks on hypervisor hosts), so I suppose it's best to hand tune firewall rules and then leave them alone (I pre-configure them, so the setup procedure won't be impeded in its communication needs anyway AND I will always guarantee the most stringent filtering possible with default deny etc.).

Many thanks again,
Giuseppe

Date: Tue, 25 Mar 2014 04:05:33 -0400
From: didi(a)redhat.com
To: giuseppe.ragusa(a)hotmail.com
CC: users(a)ovirt.org
Subject: Re: [Users] Otopi pre-seeded answers and firewall settings

> From: "Giuseppe Ragusa" <giuseppe.ragusa(a)hotmail.com>
> To: "Yedidyah Bar David" <didi(a)redhat.com>
> Cc: "Users(a)ovirt.org" <users(a)ovirt.org>
> Sent: Tuesday, March 25, 2014 1:53:20 AM
> Subject: RE: [Users] Otopi pre-seeded answers and firewall settings
>
> Hi Didi,
> I found the references to NETWORK/iptablesEnable in my engine logs (/var/log/ovirt-engine/host-deploy/ovirt-*.log), but it didn't seem to work after all.
>
> Full logs attached.
>
> I resurrected my Engine by rebooting the (still only) host, then restarting ovirt-ha-agent (at startup the agent failed while trying to launch vdsm, but I found vdsm running and so tried manually...).

OK, so it's host-deploy that's doing that.
But it's not host-deploy itself - it's the engine that is talking to it, asking it to configure iptables.
I don't know how to make the agent not do that. I searched the sources a bit (which I don't know) and didn't find a simple way.

You can, however, try to override this by:
# mkdir -p /etc/ovirt-host-deploy.conf.d
# echo '[environment:enforce]' > /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf
# echo 'NETWORK/iptablesEnable=bool:False' >> /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf

Never tried that, and not sure it's recommended - if it does work, it means that host-deploy will not update iptables, but the engine will think it did. So it's better to find a way to make the engine not do that. Or, better yet, that you'll explain why you need this and somehow make the engine do what you want...
-- 
Didi
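
Because the reply above notes that with this override the engine will still believe iptables was configured, an operator keeping hand-tuned rules would want to verify both halves after a deploy run: that the drop-in really carries the enforced key, and that the rule set did not change. The script below is an added example, not part of the original messages or of oVirt; the function names and sample snapshots are constructed, and the exact-match parsing of the drop-in file is an assumption about its format.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# has_enforced_override DIR: succeed if a *.conf drop-in in DIR sets
# NETWORK/iptablesEnable=bool:False under [environment:enforce].
# Assumption: one key=value per line, matched exactly after trimming blanks.
has_enforced_override() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk '{ gsub(/^[ \t]+|[ \t]+$/, "") }
             /^\[/ { enforce = ($0 == "[environment:enforce]"); next }
             enforce && $0 == "NETWORK/iptablesEnable=bool:False" { found = 1 }
             END { exit !found }' "$f" && return 0
    done
    return 1
}

# normalize_rules FILE: print an iptables-save dump minus what changes on every
# run: "# Generated ..." comment lines and [packets:bytes] counters.
normalize_rules() {
    sed -e '/^#/d' -e 's/\[[0-9]*:[0-9]*]//g' -e 's/ *$//' "$1"
}

# rules_unchanged BEFORE AFTER: succeed only if both dumps hold the same rules.
rules_unchanged() {
    a=$(normalize_rules "$1") && b=$(normalize_rules "$2") || return 2
    [ "$a" = "$b" ]
}

demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/conf.d"
    printf '%s\n' '[environment:enforce]' 'NETWORK/iptablesEnable=bool:False' \
        > "$tmp/conf.d/99-prevent-iptables.conf"
    # Constructed snapshots: default-deny INPUT, taken before and after a deploy.
    printf '%s\n' '# Generated on Tue Mar 25 09:00:00 2014' '*filter' \
        ':INPUT DROP [10:800]' '-A INPUT -i lo -j ACCEPT' 'COMMIT' > "$tmp/before"
    printf '%s\n' '# Generated on Tue Mar 25 09:30:00 2014' '*filter' \
        ':INPUT DROP [55:4100]' '-A INPUT -i lo -j ACCEPT' 'COMMIT' > "$tmp/after"
    # Constructed snapshot in which the chain policy was replaced.
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        'COMMIT' > "$tmp/changed"
    has_enforced_override "$tmp/conf.d" && echo "override: present"
    rules_unchanged "$tmp/before" "$tmp/after" && echo "before/after: same rules"
    rules_unchanged "$tmp/before" "$tmp/changed" || echo "before/changed: DIFFERENT"
    rm -rf "$tmp"
}
demo
```

On a real host the two snapshot files would come from running iptables-save before and after the deploy, and the directory argument would be /etc/ovirt-host-deploy.conf.d.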