On Wed, Apr 5, 2017 at 10:08 AM, Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:

Suppose I want to disable firewall at already installed hypervisor side (eg because I want to setup OVN and currently if I remember correctly it needs to be disabled for that),

IIUC it does provide firewalld service files, no? Never tried or read anything about it, I only know this from reviewing related patches... https://gerrit.ovirt.org/74021 It does mean you need to disable iptables, enable firewalld, and handle firewalld on your own (the engine won't help you). An alternative is to manually find out the ports you need open and add them to IPTablesConfigSiteCustom. This only affects hosts during (re)installation.

can I simply disable the related services through

systemctl stop iptables systemctl disable iptables

systemctl stop firewalld systemctl disable firewalld

Or is anything else to do at hypervisor and/or engine side? I don't see anything in web admin gui editing the host, while when I add the host there is the checkbox "Automatically configure host firewall"....

Indeed. The engine does not manage the firewall on hosts except during deploy. See also: https://www.ovirt.org/blog/2016/12/extension-iptables-rules-oVirt-hosts/ Best,

Thanks, Gianluca

_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

-- Didi