3:01 p.m.
Hello,
On oVirt 4.2.1.7, I'm trying to setup custom iptables rules as I'm doing
since years with engine-config --set IPTablesConfigSiteCustom="blah blah
blah".
On my hosts, I can see in my hosts that /etc/sysconfig/iptables does
contain the correct custom rules I added, but when manually checking
with iptables -L, I don't see my rules active.
On my hosts, I see that the iptables services is stopped and disabled,
and that the firewalld service is up and running.
That explains why iptables customization has no effect.
In the engine setup, I see that
/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf contains :
OVESETUP_CONFIG/firewallManager=none:None
I'm confused about this setting : when running engine-setup, I'm not
sure to understand if answering yes to the question about the firewall
will modify the engine, the hosts, or all of them?
Actually, I'd like my engine to stay with a disabled firewall, but my
hosts with an active one.
Is it true to say that this is not an option and I have to answer yes,
enable the firewall on the engine, allowing the
OVESETUP_CONFIG/firewallManager option to be set up (to firewalld or
iptables), thus allowing the spread of this setup towards the hosts?
Thank you.
--
Nicolas ECARNOT
4:03 p.m.
On Mon, Feb 26, 2018 at 2:01 PM, Nicolas Ecarnot <nicolas(a)ecarnot.net> wrote:
Hello,
On oVirt 4.2.1.7, I'm trying to setup custom iptables rules as I'm doing
since years with engine-config --set IPTablesConfigSiteCustom="blah blah
blah".
On my hosts, I can see in my hosts that /etc/sysconfig/iptables does contain
the correct custom rules I added, but when manually checking with iptables
-L, I don't see my rules active.
On my hosts, I see that the iptables services is stopped and disabled, and
that the firewalld service is up and running.
That explains why iptables customization has no effect.
Indeed.
IIRC the type of firewall is now set per cluster or something like that, not
sure about the details - adding Ondra.
In the engine setup, I see that
/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf contains :
OVESETUP_CONFIG/firewallManager=none:None
I'm confused about this setting : when running engine-setup, I'm not sure to
understand if answering yes to the question about the firewall will modify
the engine, the hosts, or all of them?
Only the engine.
Actually, I'd like my engine to stay with a disabled firewall, but my hosts
with an active one.
So you should reply 'No' as you did in 'engine-setup', and handle
iptables/firewalld
on the engine after it's set up (upgraded), I think from the ui.
Is it true to say that this is not an option and I have to answer yes,
enable the firewall on the engine, allowing the
OVESETUP_CONFIG/firewallManager option to be set up (to firewalld or
iptables), thus allowing the spread of this setup towards the hosts?
No, they are unrelated.
Best regards,
--
Didi
4:49 p.m.
Le 26/02/2018 à 14:03, Yedidyah Bar David a écrit :
On Mon, Feb 26, 2018 at 2:01 PM, Nicolas Ecarnot
<nicolas(a)ecarnot.net> wrote:
> Hello,
>
> On oVirt 4.2.1.7, I'm trying to setup custom iptables rules as I'm doing
> since years with engine-config --set IPTablesConfigSiteCustom="blah blah
> blah".
>
> On my hosts, I can see in my hosts that /etc/sysconfig/iptables does contain
> the correct custom rules I added, but when manually checking with iptables
> -L, I don't see my rules active.
>
> On my hosts, I see that the iptables services is stopped and disabled, and
> that the firewalld service is up and running.
>
> That explains why iptables customization has no effect.
Indeed.
IIRC the type of firewall is now set per cluster or something like that, not
sure about the details - adding Ondra.
Per cluster, one can indeed choose the firewall type.
I suppose it translates on the hosts into the activation of the adequate
service.
But how do we add custom rules in case of firewalld type?
On the hosts, I imagine that could translate into changes in :
/etc/firewalld/zones/public.xml
--
Nicolas ECARNOT
5 p.m.
On Mon, Feb 26, 2018 at 3:49 PM, Nicolas Ecarnot <nicolas(a)ecarnot.net> wrote:
Le 26/02/2018 à 14:03, Yedidyah Bar David a écrit :
>
> On Mon, Feb 26, 2018 at 2:01 PM, Nicolas Ecarnot <nicolas(a)ecarnot.net>
> wrote:
>>
>> Hello,
>>
>> On oVirt 4.2.1.7, I'm trying to setup custom iptables rules as I'm doing
>> since years with engine-config --set IPTablesConfigSiteCustom="blah blah
>> blah".
>>
>> On my hosts, I can see in my hosts that /etc/sysconfig/iptables does
>> contain
>> the correct custom rules I added, but when manually checking with
>> iptables
>> -L, I don't see my rules active.
>>
>> On my hosts, I see that the iptables services is stopped and disabled,
>> and
>> that the firewalld service is up and running.
>>
>> That explains why iptables customization has no effect.
>
>
> Indeed.
>
> IIRC the type of firewall is now set per cluster or something like that,
> not
> sure about the details - adding Ondra.
Per cluster, one can indeed choose the firewall type.
I suppose it translates on the hosts into the activation of the adequate
service.
But how do we add custom rules in case of firewalld type?
Please see: https://ovirt.org/blog/2017/12/host-deploy-customization/
Best regards,
On the hosts, I imagine that could translate into changes in :
/etc/firewalld/zones/public.xml
--
Nicolas ECARNOT
--
Didi
1:29 p.m.
Le 26/02/2018 à 15:00, Yedidyah Bar David a écrit :
> But how do we add custom rules in case of firewalld type?
Please see: https://ovirt.org/blog/2017/12/host-deploy-customization/
Hello Didi
and al,
- I followed the advices found in this blog page, I created the exact
same filename with the adequate content.
- I've setup the cluster type to firewalld
- I restarted ovirt-engine
- I reinstalled a host
I see no usage of this Ansible yml file.
I see the creation of an ansible deploy log file for my host, and I see
the usual firewall ports being opened, but I see nowhere any usage of
the /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml file.
- I added the debug msg part in the ansible recipe, but to no avail.
- Huge grepping through the /var/log of the engine shows no calls of
this script.
Thus, I see no effect on ports of the host's firewalld config.
What should I look at now?
Thank you.
--
Nicolas ECARNOT
4:15 p.m.
On 02/27/2018 11:29 AM, Nicolas Ecarnot wrote:
Le 26/02/2018 à 15:00, Yedidyah Bar David a écrit :
>> But how do we add custom rules in case of firewalld type?
>
> Please see: https://ovirt.org/blog/2017/12/host-deploy-customization/
Hello Didi and al,
- I followed the advices found in this blog page, I created the exact
same filename with the adequate content.
- I've setup the cluster type to firewalld
- I restarted ovirt-engine
- I reinstalled a host
I see no usage of this Ansible yml file.
I see the creation of an ansible deploy log file for my host, and I see
the usual firewall ports being opened, but I see nowhere any usage of
the /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml file.
- I added the debug msg part in the ansible recipe, but to no avail.
- Huge grepping through the /var/log of the engine shows no calls of
this script.
Thus, I see no effect on ports of the host's firewalld config.
What should I look at now?
It looks like you hit the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1549163
It will be fixed in 4.2.2 release.
I believe you can meanwhile remove line:
- oVirt-metrics
from file:
/usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy/meta/main.yml
Thank you.
10:46 a.m.
Hello,
For the record :
The workaround you suggest below is successful.
Thank you.
--
Nicolas Ecarnot
Le 27/02/2018 à 14:15, Ondra Machacek a écrit :
On 02/27/2018 11:29 AM, Nicolas Ecarnot wrote:
> Le 26/02/2018 à 15:00, Yedidyah Bar David a écrit :
>>> But how do we add custom rules in case of firewalld type?
>>
>> Please see: https://ovirt.org/blog/2017/12/host-deploy-customization/
> Hello Didi and al,
>
> - I followed the advices found in this blog page, I created the exact
> same filename with the adequate content.
> - I've setup the cluster type to firewalld
> - I restarted ovirt-engine
> - I reinstalled a host
>
> I see no usage of this Ansible yml file.
> I see the creation of an ansible deploy log file for my host, and I
> see the usual firewall ports being opened, but I see nowhere any usage
> of the /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml file.
> - I added the debug msg part in the ansible recipe, but to no avail.
> - Huge grepping through the /var/log of the engine shows no calls of
> this script.
>
> Thus, I see no effect on ports of the host's firewalld config.
>
> What should I look at now?
It looks like you hit the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1549163
It will be fixed in 4.2.2 release.
I believe you can meanwhile remove line:
- oVirt-metrics
from file:
/usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy/meta/main.yml
>
> Thank you.
>
5:06 p.m.
On Mon, Feb 26, 2018 at 2:49 PM, Nicolas Ecarnot <nicolas(a)ecarnot.net>
wrote:
Le 26/02/2018 à 14:03, Yedidyah Bar David a écrit :
> On Mon, Feb 26, 2018 at 2:01 PM, Nicolas Ecarnot <nicolas(a)ecarnot.net>
> wrote:
>
>> Hello,
>>
>> On oVirt 4.2.1.7, I'm trying to setup custom iptables rules as I'm doing
>> since years with engine-config --set IPTablesConfigSiteCustom="blah blah
>> blah".
>>
>> On my hosts, I can see in my hosts that /etc/sysconfig/iptables does
>> contain
>> the correct custom rules I added, but when manually checking with
>> iptables
>> -L, I don't see my rules active.
>>
>> On my hosts, I see that the iptables services is stopped and disabled,
>> and
>> that the firewalld service is up and running.
>>
>> That explains why iptables customization has no effect.
>>
>
> Indeed.
>
> IIRC the type of firewall is now set per cluster or something like that,
> not
> sure about the details - adding Ondra.
>
Per cluster, one can indeed choose the firewall type.
I suppose it translates on the hosts into the activation of the adequate
service.
But how do we add custom rules in case of firewalld type?
On the hosts, I imagine that could translate into changes in :
/etc/firewalld/zones/public.xml
Please take a look at below RFE introducing firewalld support for host and
blog post to read about new possibilities to customize host-deploy process
(which also can be used for custom firewalld rules) in oVirt 4.2:
https://bugzilla.redhat.com/show_bug.cgi?id=995362
https://www.ovirt.org/blog/2017/12/host-deploy-customization/
--
Nicolas ECARNOT
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
2459
days inactive
2461
days old
7 comments
4 participants
participants (4)
-
Martin Perina -
Nicolas Ecarnot -
Ondra Machacek -
Yedidyah Bar David