
During setup, I allowed the script to change iptables rules. Is this necessary? Also, is it an "active" management (where oVirt will make changes), or just a one-time thing?

I ask because I have some other iptables setup I want (such as limited SSH access), and I don't want to make changes to iptables that oVirt will override later or anything like that.

-- Chris Adams <cma@cmadams.net>

----- Original Message -----
> From: "Chris Adams" <cma@cmadams.net>
> To: users@ovirt.org
> Sent: Monday, November 17, 2014 8:48:59 PM
> Subject: [ovirt-users] iptables management
>
> During setup, I allowed the script to change iptables rules. Is this necessary? Also, is it an "active" management (where oVirt will make changes), or just a one-time thing?
>
> I ask because I have some other iptables setup I want (such as limited SSH access), and I don't want to make changes to iptables that oVirt will override later or anything like that.

I guess you mean engine setup, right?

Each time you run engine-setup you will be prompted if you want to override iptables settings. If you choose to override, the current settings will be backed up and you can diff and re-apply your own. If you choose to keep your settings, setup will write the iptables rules into its own location and you can diff and apply the changes manually.

Alon

Once upon a time, Alon Bar-Lev <alonbl@redhat.com> said:
> I guess you mean engine setup, right?

Yes, that and hosted-engine --deploy.

> Each time you run engine-setup you will be prompted if you want to override iptables settings. If you choose to override, the current settings will be backed up and you can diff and re-apply your own. If you choose to keep your settings, setup will write the iptables rules into its own location and you can diff and apply the changes manually.

Okay, so that's the only time iptables are changed? That makes sense, and I can work with that. Thanks.

-- Chris Adams <cma@cmadams.net>

----- Original Message -----
> From: "Chris Adams" <cma@cmadams.net>
> To: users@ovirt.org
> Sent: Monday, November 17, 2014 11:22:42 PM
> Subject: Re: [ovirt-users] iptables management
>
> Once upon a time, Alon Bar-Lev <alonbl@redhat.com> said:
> > I guess you mean engine setup, right?
>
> Yes, that and hosted-engine --deploy.

hosted-engine --deploy does not touch iptables of the engine VM. engine-setup inside that VM does that.

hosted-engine --deploy does two other things:

1. It changes iptables to let you access the engine VM console (spice/vnc)
2. Later, when it adds itself as a host to the engine, it tells the engine to configure iptables for itself as a host (just as is the default when adding hosts through the GUI). We have an open bug [1] to make that configurable.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1080823

> > Each time you run engine-setup you will be prompted if you want to override iptables settings. If you choose to override, the current settings will be backed up and you can diff and re-apply your own. If you choose to keep your settings, setup will write the iptables rules into its own location and you can diff and apply the changes manually.
>
> Okay, so that's the only time iptables are changed? That makes sense, and I can work with that. Thanks.
>
> -- Chris Adams <cma@cmadams.net>
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users

-- Didi

----- Original Message -----
> From: "Alon Bar-Lev" <alonbl@redhat.com>
> To: "Chris Adams" <cma@cmadams.net>
> Cc: users@ovirt.org
> Sent: Monday, November 17, 2014 8:53:25 PM
> Subject: Re: [ovirt-users] iptables management
>
> ----- Original Message -----
> > From: "Chris Adams" <cma@cmadams.net>
> > To: users@ovirt.org
> > Sent: Monday, November 17, 2014 8:48:59 PM
> > Subject: [ovirt-users] iptables management
> >
> > During setup, I allowed the script to change iptables rules. Is this necessary? Also, is it an "active" management (where oVirt will make changes), or just a one-time thing?

Just to clarify - it's a "one-time", per run of engine-setup as Alon explained. The engine does not touch iptables of its machine.

> > I ask because I have some other iptables setup I want (such as limited SSH access), and I don't want to make changes to iptables that oVirt will override later or anything like that.
>
> I guess you mean engine setup, right?
>
> Each time you run engine-setup you will be prompted if you want to override iptables settings. If you choose to override, the current settings will be backed up and you can diff and re-apply your own.

And since recently (will be in 3.6 when it's out) we also try to notify when manual changes were made to iptables since previous engine-setup, see [1].

[1] http://gerrit.ovirt.org/33085

> If you choose to keep your settings, setup will write the iptables rules into its own location and you can diff and apply the changes manually.

And also show details on the console at the end of engine-setup.

-- Didi
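
The diff step described in the replies above, as an added example that is not part of the original thread or oVirt's own code: it compares two `iptables-save` style dumps per table, ignoring comments and packet counters, and flags local rules limited by `-s` that the other rule set opens to any source. Both dumps are constructed samples (not real oVirt output) and all function names are hypothetical.

```python
import re

# Constructed sample: an admin's ruleset that limits SSH to one subnet.
LOCAL = """\
# Generated by iptables-save on Mon Nov 17 20:00:00 2014
*filter
:INPUT ACCEPT [120:9000]
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Constructed stand-in for the rules a setup run wrote; not real oVirt output.
PROPOSED = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
COUNTERS = re.compile(r"\[\d+:\d+\]")

def parse(dump):
    """Map table name -> normalized chain/rule lines (comments, counters dropped)."""
    tables, current = {}, None
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            current = tables.setdefault(line[1:], [])
        elif current is not None and line.startswith((":", "-", "[")):
            # Chain policies carry "[pkts:bytes]"; so do rules saved with -c.
            current.append(COUNTERS.sub("", line).strip())
    return tables

def diff_rules(local, proposed):
    """Per table, list rules present on only one side (rule order is not compared)."""
    a, b = parse(local), parse(proposed)
    out = {}
    for table in sorted(set(a) | set(b)):
        la, lb = a.get(table, []), b.get(table, [])
        delta = {"only_local": [r for r in la if r not in lb],
                 "only_proposed": [r for r in lb if r not in la]}
        if any(delta.values()):
            out[table] = delta
    return out

def lost_source_limits(delta):
    """Local rules restricted by -s whose unrestricted twin appears in the proposal."""
    return [r for r in delta["only_local"]
            if re.sub(r"-s \S+ ", "", r) in delta["only_proposed"]]
```

Rule order matters to iptables, so after merging, check the position of any re-applied rule relative to the final REJECT or DROP.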
participants (3): Alon Bar-Lev, Chris Adams, Yedidyah Bar David