Hosts firewall custom setup
Hello, On oVirt 4.2.1.7, I'm trying to setup custom iptables rules as I'm doing since years with engine-config --set IPTablesConfigSiteCustom="blah blah blah". On my hosts, I can see in my hosts that /etc/sysconfig/iptables does contain the correct custom rules I added, but when manually checking with iptables -L, I don't see my rules active. On my hosts, I see that the iptables services is stopped and disabled, and that the firewalld service is up and running. That explains why iptables customization has no effect. In the engine setup, I see that /etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf contains : OVESETUP_CONFIG/firewallManager=none:None I'm confused about this setting : when running engine-setup, I'm not sure to understand if answering yes to the question about the firewall will modify the engine, the hosts, or all of them? Actually, I'd like my engine to stay with a disabled firewall, but my hosts with an active one. Is it true to say that this is not an option and I have to answer yes, enable the firewall on the engine, allowing the OVESETUP_CONFIG/firewallManager option to be set up (to firewalld or iptables), thus allowing the spread of this setup towards the hosts? Thank you. -- Nicolas ECARNOT
On Mon, Feb 26, 2018 at 2:01 PM, Nicolas Ecarnot <nicolas@ecarnot.net> wrote:
Hello,
On oVirt 4.2.1.7, I'm trying to setup custom iptables rules as I'm doing since years with engine-config --set IPTablesConfigSiteCustom="blah blah blah".
On my hosts, I can see in my hosts that /etc/sysconfig/iptables does contain the correct custom rules I added, but when manually checking with iptables -L, I don't see my rules active.
On my hosts, I see that the iptables services is stopped and disabled, and that the firewalld service is up and running.
That explains why iptables customization has no effect.
Indeed. IIRC the type of firewall is now set per cluster or something like that, not sure about the details - adding Ondra.
In the engine setup, I see that /etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf contains : OVESETUP_CONFIG/firewallManager=none:None
I'm confused about this setting : when running engine-setup, I'm not sure to understand if answering yes to the question about the firewall will modify the engine, the hosts, or all of them?
Only the engine.
Actually, I'd like my engine to stay with a disabled firewall, but my hosts with an active one.
So you should reply 'No' as you did in 'engine-setup', and handle iptables/firewalld on the engine after it's set up (upgraded), I think from the ui.
Is it true to say that this is not an option and I have to answer yes, enable the firewall on the engine, allowing the OVESETUP_CONFIG/firewallManager option to be set up (to firewalld or iptables), thus allowing the spread of this setup towards the hosts?
No, they are unrelated. Best regards, -- Didi
Le 26/02/2018 à 14:03, Yedidyah Bar David a écrit :
On Mon, Feb 26, 2018 at 2:01 PM, Nicolas Ecarnot <nicolas@ecarnot.net> wrote:
Hello,
On oVirt 4.2.1.7, I'm trying to setup custom iptables rules as I'm doing since years with engine-config --set IPTablesConfigSiteCustom="blah blah blah".
On my hosts, I can see in my hosts that /etc/sysconfig/iptables does contain the correct custom rules I added, but when manually checking with iptables -L, I don't see my rules active.
On my hosts, I see that the iptables services is stopped and disabled, and that the firewalld service is up and running.
That explains why iptables customization has no effect.
Indeed.
IIRC the type of firewall is now set per cluster or something like that, not sure about the details - adding Ondra.
Per cluster, one can indeed choose the firewall type. I suppose it translates on the hosts into the activation of the adequate service. But how do we add custom rules in case of firewalld type? On the hosts, I imagine that could translate into changes in : /etc/firewalld/zones/public.xml -- Nicolas ECARNOT
On Mon, Feb 26, 2018 at 3:49 PM, Nicolas Ecarnot <nicolas@ecarnot.net> wrote:
Le 26/02/2018 à 14:03, Yedidyah Bar David a écrit :
On Mon, Feb 26, 2018 at 2:01 PM, Nicolas Ecarnot <nicolas@ecarnot.net> wrote:
Hello,
On oVirt 4.2.1.7, I'm trying to setup custom iptables rules as I'm doing since years with engine-config --set IPTablesConfigSiteCustom="blah blah blah".
On my hosts, I can see in my hosts that /etc/sysconfig/iptables does contain the correct custom rules I added, but when manually checking with iptables -L, I don't see my rules active.
On my hosts, I see that the iptables services is stopped and disabled, and that the firewalld service is up and running.
That explains why iptables customization has no effect.
Indeed.
IIRC the type of firewall is now set per cluster or something like that, not sure about the details - adding Ondra.
Per cluster, one can indeed choose the firewall type. I suppose it translates on the hosts into the activation of the adequate service. But how do we add custom rules in case of firewalld type?
Please see: https://ovirt.org/blog/2017/12/host-deploy-customization/ Best regards,
On the hosts, I imagine that could translate into changes in : /etc/firewalld/zones/public.xml
-- Nicolas ECARNOT
-- Didi
Le 26/02/2018 à 15:00, Yedidyah Bar David a écrit :
But how do we add custom rules in case of firewalld type?
Please see: https://ovirt.org/blog/2017/12/host-deploy-customization/ Hello Didi and al,
- I followed the advices found in this blog page, I created the exact same filename with the adequate content. - I've setup the cluster type to firewalld - I restarted ovirt-engine - I reinstalled a host I see no usage of this Ansible yml file. I see the creation of an ansible deploy log file for my host, and I see the usual firewall ports being opened, but I see nowhere any usage of the /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml file. - I added the debug msg part in the ansible recipe, but to no avail. - Huge grepping through the /var/log of the engine shows no calls of this script. Thus, I see no effect on ports of the host's firewalld config. What should I look at now? Thank you. -- Nicolas ECARNOT
On 02/27/2018 11:29 AM, Nicolas Ecarnot wrote:
Le 26/02/2018 à 15:00, Yedidyah Bar David a écrit :
But how do we add custom rules in case of firewalld type?
Please see: https://ovirt.org/blog/2017/12/host-deploy-customization/ Hello Didi and al,
- I followed the advices found in this blog page, I created the exact same filename with the adequate content. - I've setup the cluster type to firewalld - I restarted ovirt-engine - I reinstalled a host
I see no usage of this Ansible yml file. I see the creation of an ansible deploy log file for my host, and I see the usual firewall ports being opened, but I see nowhere any usage of the /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml file. - I added the debug msg part in the ansible recipe, but to no avail. - Huge grepping through the /var/log of the engine shows no calls of this script.
Thus, I see no effect on ports of the host's firewalld config.
What should I look at now?
It looks like you hit the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=1549163 It will be fixed in 4.2.2 release. I believe you can meanwhile remove line: - oVirt-metrics from file: /usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy/meta/main.yml
Thank you.
Hello, For the record : The workaround you suggest below is successful. Thank you. -- Nicolas Ecarnot Le 27/02/2018 à 14:15, Ondra Machacek a écrit :
On 02/27/2018 11:29 AM, Nicolas Ecarnot wrote:
Le 26/02/2018 à 15:00, Yedidyah Bar David a écrit :
But how do we add custom rules in case of firewalld type?
Please see: https://ovirt.org/blog/2017/12/host-deploy-customization/ Hello Didi and al,
- I followed the advices found in this blog page, I created the exact same filename with the adequate content. - I've setup the cluster type to firewalld - I restarted ovirt-engine - I reinstalled a host
I see no usage of this Ansible yml file. I see the creation of an ansible deploy log file for my host, and I see the usual firewall ports being opened, but I see nowhere any usage of the /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml file. - I added the debug msg part in the ansible recipe, but to no avail. - Huge grepping through the /var/log of the engine shows no calls of this script.
Thus, I see no effect on ports of the host's firewalld config.
What should I look at now?
It looks like you hit the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1549163
It will be fixed in 4.2.2 release.
I believe you can meanwhile remove line:
- oVirt-metrics
from file:
/usr/share/ovirt-engine/playbooks/roles/ovirt-host-deploy/meta/main.yml
Thank you.
On Mon, Feb 26, 2018 at 2:49 PM, Nicolas Ecarnot <nicolas@ecarnot.net> wrote:
Le 26/02/2018 à 14:03, Yedidyah Bar David a écrit :
On Mon, Feb 26, 2018 at 2:01 PM, Nicolas Ecarnot <nicolas@ecarnot.net> wrote:
Hello,
On oVirt 4.2.1.7, I'm trying to setup custom iptables rules as I'm doing since years with engine-config --set IPTablesConfigSiteCustom="blah blah blah".
On my hosts, I can see in my hosts that /etc/sysconfig/iptables does contain the correct custom rules I added, but when manually checking with iptables -L, I don't see my rules active.
On my hosts, I see that the iptables services is stopped and disabled, and that the firewalld service is up and running.
That explains why iptables customization has no effect.
Indeed.
IIRC the type of firewall is now set per cluster or something like that, not sure about the details - adding Ondra.
Per cluster, one can indeed choose the firewall type. I suppose it translates on the hosts into the activation of the adequate service. But how do we add custom rules in case of firewalld type?
On the hosts, I imagine that could translate into changes in : /etc/firewalld/zones/public.xml
Please take a look at below RFE introducing firewalld support for host and blog post to read about new possibilities to customize host-deploy process (which also can be used for custom firewalld rules) in oVirt 4.2: https://bugzilla.redhat.com/show_bug.cgi?id=995362 https://www.ovirt.org/blog/2017/12/host-deploy-customization/
-- Nicolas ECARNOT _______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
-- Martin Perina Associate Manager, Software Engineering Red Hat Czech s.r.o.
participants (4)
-
Martin Perina -
Nicolas Ecarnot -
Ondra Machacek -
Yedidyah Bar David