On Thu, Jul 4, 2019 at 10:20 PM Darrell Budic <budic(a)onholyground.com> wrote:
> I’m in the same boat, puppet managing iptables rules, and was able to continue forcing it
> on my 4.3.x ovirt systems. Engine-setup complains all the time, but so far it hasn’t
> broken anything.
By "complains all the time" you mean that it asks "Do you want Setup
to configure the firewall?"?
If you reply 'No', it shouldn't do anything at all to the firewall.
If you reply 'Yes' and it breaks stuff, please report a bug. Thanks.
If you want to get rid of this question, you can add to your
answerfile (or your own custom .conf file in
/etc/ovirt-engine-setup.conf.d/ ):
OVESETUP_CONFIG/updateFirewall=bool:False
See also:
https://www.ovirt.org/develop/developer-guide/engine/engine-setup.html
> -Darrell
>
> On Jul 4, 2019, at 9:38 AM, Jordan Conway <jconway(a)linuxfoundation.org> wrote:
>
> Hello,
> I'm working on migrating an existing ovirt setup to a new hosted-engine setup
> and I've been seeing messages about iptables support being deprecated and slated to be
> removed.
> Can I continue using iptables to manage the firewalls on my ovirt hosts if I
> don't care about allowing ovirt to configure the firewalls?
I think you can.
> We manage all of our machines with puppet and iptables is deeply
> integrated into this. It would be non-trivial to migrate to firewalld support.
> As it stands I already manage the firewall rules for our ovirt hosts with puppet and
> iptables and have always ignored the "Automatically Configure Firewall" option
> when adding new hosts. Will this continue to work?
>
> Also with hosted engine, I had to cowboy enable firewalld to get the engine
> installed, but now that I've got a cluster up and running with hosted engine enabled
> on several hosts, can I just switch back from firewalld to iptables assuming I've got
> all the correct ports open?
I think it's only enforced during initial setup, as you saw yourself - see also:
https://bugzilla.redhat.com/show_bug.cgi?id=1608467
Best regards,
--
Didi