It's not a bug as I'm digging.
In logs I found
2018-01-09 08:23:22,421+0100 DEBUG otopi.context
context.dumpEnvironment:831 ENV NETWORK/firewalldEnable=bool:'False'
2018-01-09 08:23:22,422+0100 DEBUG otopi.context
context.dumpEnvironment:831 ENV NETWORK/iptablesEnable=bool:'True'
So how to disable iptables and enable firewalld ?
Peter
On 09/01/2018 13:47, Yedidyah Bar David wrote:
> (Adding Ondra for the firewalld stuff. But I think it's probably
> easier to debug if you open a bug and attach logs there).
>
> On Tue, Jan 9, 2018 at 2:34 PM, Peter Hudec <phudec@cnc.sk
> <mailto:phudec@cnc.sk>> wrote:
>
> If I run host reinstall with custom firewall rules in
> /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks. yml the task will
> fails due the firewalld is not running.
>
> The reinstall task will disable firewalld and enable iptables-services.
> I'm little bit confused ;(
>
> ---
> - name: Enable additional port on firewalld
> firewalld:
> port: "10050/tcp"
> permanent: yes
> immediate: yes
> state: enabled
>
>
> 2018-01-09 13:27:30,103 p=13550 u=ovirt | included:
> /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks. yml for
> dipovirt01.cnc.sk <http://dipovirt01.cnc.sk>
> 2018-01-09 13:27:30,134 p=13550 u=ovirt | TASK [Enable additional port
> on firewalld] *************************************
> 2018-01-09 13:27:32,089 p=13550 u=ovirt | fatal: [dipovirt01.cnc.sk
> <http://dipovirt01.cnc.sk>]:
> FAILED! => {"changed": false, "module_stderr": "Shared connection to
> dipovirt01.cnc.sk <http://dipovirt01.cnc.sk> closed.\r\n",
> "module_stdout": "Traceback (most recent
> call last):\r\n File
> \"/tmp/ansible_2Ilnjq/ansible_module_firewalld.py\", line 936, in
> <module>\r\n main()\r\n File
> \"/tmp/ansible_2Ilnjq/ansible_module_firewalld.py\", line 788, in
> main\r\n module.fail(msg='firewall is not currently running, unable
> to perform immediate actions without a running firewall
> daemon')\r\nAttributeError: 'AnsibleModule' object has no attribute
> 'fail'\r\n", "msg": "MODULE FAILURE", "rc": 0}
> 2018-01-09 13:27:32,095 p=13550 u=ovirt | PLAY RECAP
> ************************************************************ *********
>
>
> After reinstalation the status of firewalld is
> [PROD] root@dipovirt01.cnc.sk <mailto:root@dipovirt01.cnc.sk>:
> /var/log/vdsm # systemctl status firewalld
> ● firewalld.service - firewalld - dynamic firewall daemon
> Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled;
> vendor preset: enabled)
> Active: inactive (dead)
> Docs: man:firewalld(1)
>
>
> So how could I switch to firewalld? package iptables-service could not
> be removed due the dependencies.
>
> Peter
>
> On 09/01/2018 09:35, Yedidyah Bar David wrote:
> >
> > 1) firewalld
> > after upgrade the hot server, the i needed to stop firewalld. It seems,
> > that, the rules are not generated correctly. The engine was not able to
> > connect to the host. How do I could fix it?
> >
> >
> > Please check/share relevant files from /var/log/ovirt-engine/ansible/
> > and /var/log/ovirt-engine/host-deploy/ . Or perhaps file a bug and
> > attach them there.
>
>
> --
> *Peter Hudec*
> Infraštruktúrny architekt
> phudec@cnc.sk <mailto:phudec@cnc.sk> <mailto:phudec@cnc.sk
> <mailto:phudec@cnc.sk>>
>
> *CNC, a.s.*
> Borská 6, 841 04 Bratislava
> Recepcia: +421 2 35 000 100 <tel:%2B421%202%C2%A0%2035%20000%20100>
>
> Mobil:+421 905 997 203 <tel:%2B421%C2%A0905%20997%20203>
> *www.cnc.sk <http://www.cnc.sk>* <http:///www.cnc.sk
> <http://www.cnc.sk>>
>
>
>
>
> --
> Didi
--
*Peter Hudec*
Infraštruktúrny architekt
phudec@cnc.sk <mailto:phudec@cnc.sk>
*CNC, a.s.*
Borská 6, 841 04 Bratislava
Recepcia: +421 2 35 000 100
Mobil:+421 905 997 203
*www.cnc.sk* <http:///www.cnc.sk>
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users