On Tue, Jan 9, 2018 at 2:25 PM, Peter Hudec <phudec@cnc.sk> wrote:
It's not a bug as I'm digging.

In logs I found

2018-01-09 08:23:22,421+0100 DEBUG otopi.context
context.dumpEnvironment:831 ENV NETWORK/firewalldEnable=bool:'False'
2018-01-09 08:23:22,422+0100 DEBUG otopi.context
context.dumpEnvironment:831 ENV NETWORK/iptablesEnable=bool:'True'

So how to disable iptables and enable firewalld ?

Hi,

firewall type is a cluster level option. Please go to Clusters, edit the selected cluster and change Firewall type to firewalld. After that you need to execute Reinstall on all hosts in the cluster to switch from iptables to firewalld on them.

Btw, I assume this is an upgraded cluster, so please make sure that VDSM 4.20 (from oVirt 4.2) is installed on all hosts before making this change.

Thanks

Martin


        Peter

On 09/01/2018 13:47, Yedidyah Bar David wrote:
> (Adding Ondra for the firewalld stuff. But I think it's probably
> easier to debug if you open a bug and attach logs there).
>
> On Tue, Jan 9, 2018 at 2:34 PM, Peter Hudec <phudec@cnc.sk> wrote:
>
>     If I run host reinstall with custom firewall rules in
>     /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml, the task
>     fails because firewalld is not running.
>
>     The reinstall task will disable firewalld and enable iptables-services.
>     I'm a little bit confused ;(
>
>     ---
>     - name: Enable additional port on firewalld
>       firewalld:
>         port: "10050/tcp"
>         permanent: yes
>         immediate: yes
>         state: enabled
>
>
>     2018-01-09 13:27:30,103 p=13550 u=ovirt |  included:
>     /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml for
>     dipovirt01.cnc.sk
>     2018-01-09 13:27:30,134 p=13550 u=ovirt |  TASK [Enable additional port
>     on firewalld] *************************************
>     2018-01-09 13:27:32,089 p=13550 u=ovirt |  fatal: [dipovirt01.cnc.sk]:
>     FAILED! => {"changed": false, "module_stderr": "Shared connection to
>     dipovirt01.cnc.sk closed.\r\n",
>     "module_stdout": "Traceback (most recent
>     call last):\r\n  File
>     \"/tmp/ansible_2Ilnjq/ansible_module_firewalld.py\", line 936, in
>     <module>\r\n    main()\r\n  File
>     \"/tmp/ansible_2Ilnjq/ansible_module_firewalld.py\", line 788, in
>     main\r\n    module.fail(msg='firewall is not currently running, unable
>     to perform immediate actions without a running firewall
>     daemon')\r\nAttributeError: 'AnsibleModule' object has no attribute
>     'fail'\r\n", "msg": "MODULE FAILURE", "rc": 0}
>     2018-01-09 13:27:32,095 p=13550 u=ovirt |  PLAY RECAP
>     *********************************************************************
>
>
>     After reinstallation the status of firewalld is
>     [PROD] root@dipovirt01.cnc.sk:
>     /var/log/vdsm # systemctl status firewalld
>     ● firewalld.service - firewalld - dynamic firewall daemon
>        Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled;
>     vendor preset: enabled)
>        Active: inactive (dead)
>          Docs: man:firewalld(1)
>
>
>     So how could I switch to firewalld? The package iptables-services could
>     not be removed due to the dependencies.
>
>             Peter
>
>     On 09/01/2018 09:35, Yedidyah Bar David wrote:
>     >
>     >     1) firewalld
>     >     after upgrading the host server, I needed to stop firewalld. It seems
>     >     that the rules are not generated correctly. The engine was not able to
>     >     connect to the host. How could I fix it?
>     >
>     >
>     > Please check/share relevant files from /var/log/ovirt-engine/ansible/
>     > and /var/log/ovirt-engine/host-deploy/ . Or perhaps file a bug and
>     > attach them there.
>
>
>     --
>     *Peter Hudec*
>     Infraštruktúrny architekt
>     phudec@cnc.sk
>
>     *CNC, a.s.*
>     Borská 6, 841 04 Bratislava
>     Recepcia: +421 2 35 000 100
>
>     Mobil: +421 905 997 203
>     *www.cnc.sk*
>
>
>
>
> --
> Didi


--
*Peter Hudec*
Infraštruktúrny architekt
phudec@cnc.sk

*CNC, a.s.*
Borská 6, 841 04 Bratislava
Recepcia: +421 2 35 000 100

Mobil: +421 905 997 203
*www.cnc.sk*

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users



--
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
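An added example for the post-tasks file discussed in the thread above; it is not code from the thread, from oVirt or from Red Hat. The traceback Peter quoted shows why the task died: the firewalld module was asked for `immediate: yes` on a host where firewalld was stopped (the cluster Firewall type was still iptables, so host deploy disabled firewalld), and the module's own error path then crashed with an AttributeError, hiding the real message "firewall is not currently running". Until the cluster Firewall type is switched and the hosts reinstalled, a post-task that assumes firewalld is running will keep failing the reinstall. The tasks below first probe firewalld with `systemctl is-active`, apply the 10050/tcp rule from the original task only when firewalld is the active firewall, and otherwise report which firewall is in effect instead of aborting the host deploy. The probe task, the `firewalld_state` variable name and the debug message are my own choices; the port and the module parameters are the ones from Peter's task.

```yaml
---
# /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml (added example)
# Runs on the host being reinstalled, after oVirt's own host-deploy tasks.

# Probe firewalld without failing: `systemctl is-active` exits non-zero and
# prints "inactive" when the daemon is stopped, which is exactly the state
# Peter saw after reinstall on an iptables-type cluster.
- name: Check whether firewalld is the active firewall
  command: systemctl is-active firewalld
  register: firewalld_state
  changed_when: false
  failed_when: false

# Same rule as the original post-task, but guarded: `immediate: yes` needs a
# running firewalld daemon, so only run it when the probe says "active".
- name: Enable additional port on firewalld
  firewalld:
    port: "10050/tcp"
    permanent: yes
    immediate: yes
    state: enabled
  when: firewalld_state.stdout == "active"

# Do not abort the reinstall when firewalld is stopped; say why the rule was
# skipped so the operator knows to change the cluster Firewall type first.
- name: Report skipped firewalld rule
  debug:
    msg: >-
      firewalld is '{{ firewalld_state.stdout }}' on this host, so the
      10050/tcp rule was skipped. Set the cluster Firewall type to firewalld
      in the engine and run Reinstall on the host; until then iptables is
      the firewall managed by host deploy.
  when: firewalld_state.stdout != "active"
```

The guard matters for more than convenience: a post-task that forces firewalld on (`service: name=firewalld state=started`) while host deploy has configured iptables-services would leave two firewalls competing for the same rule set, so the safe behaviour is to follow whatever firewall the cluster option selected and surface the mismatch rather than paper over it.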