Hello, I'm working on migrating an existing ovirt setup to a new hosted-engine setup and I've been seeing messages about iptables support being deprecated and slated to be removed. Can I continue using iptables to manage the firewalls on my ovirt hosts if I don't care about allowing ovirt to configure the firewalls? We manage all of our machines with puppet and iptables is deeply integrated into this. It would be non-trivial to migrate to firewalld support. As it stands I already manage the firewall rules for our ovirt hosts with puppet and iptables and have always ignored the "Automatically Configure Firewall" option when adding new hosts. Will this continue to work? Also with hosted engine, I had to cowboy enable firewalld to get the engine installed, but now that I've got a cluster up and running with hosted engine enabled on several hosts, can I just switch back from firewalld to iptables assuming I've got all the correct ports open? Thank you, Jordan Conway
I’m in the same boat, puppet managing iptables rules, and was able to continue forcing it on my 4.3.x ovirt systems. Engine-setup complains all the time, but so far it hasn’t broken anything. -Darrell
On Jul 4, 2019, at 9:38 AM, Jordan Conway <jconway@linuxfoundation.org> wrote:
Hello, I'm working on migrating an existing ovirt setup to a new hosted-engine setup and I've been seeing messages about iptables support being deprecated and slated to be removed. Can I continue using iptables to manage the firewalls on my ovirt hosts if I don't care about allowing ovirt to configure the firewalls? We manage all of our machines with puppet and iptables is deeply integrated into this. It would be non-trivial to migrate to firewalld support. As it stands I already manage the firewall rules for our ovirt hosts with puppet and iptables and have always ignored the "Automatically Configure Firewall" option when adding new hosts. Will this continue to work?
Also with hosted engine, I had to cowboy enable firewalld to get the engine installed, but now that I've got a cluster up and running with hosted engine enabled on several hosts, can I just switch back from firewalld to iptables assuming I've got all the correct ports open?
Thank you, Jordan Conway _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/CFKUWD44EKAOGH...
Same here. Our engine is configured to use iptables and works fine. I really wish RedHat would stop trying to force firewalld on everything. It isn't needed and causes issues with environments using the puppetlabs-firewall module. On 7/4/19 3:17 PM, Darrell Budic wrote:
I’m in the same boat, puppet managing iptables rules, and was able to continue forcing it on my 4.3.x ovirt systems. Engine-setup complains all the time, but so far it hasn’t broken anything.
-Darrell
On Jul 4, 2019, at 9:38 AM, Jordan Conway <jconway@linuxfoundation.org> wrote:
Hello, I'm working on migrating an existing ovirt setup to a new hosted-engine setup and I've been seeing messages about iptables support being deprecated and slated to be removed. Can I continue using iptables to manage the firewalls on my ovirt hosts if I don't care about allowing ovirt to configure the firewalls? We manage all of our machines with puppet and iptables is deeply integrated into this. It would be non-trivial to migrate to firewalld support. As it stands I already manage the firewall rules for our ovirt hosts with puppet and iptables and have always ignored the "Automatically Configure Firewall" option when adding new hosts. Will this continue to work?
Also with hosted engine, I had to cowboy enable firewalld to get the engine installed, but now that I've got a cluster up and running with hosted engine enabled on several hosts, can I just switch back from firewalld to iptables assuming I've got all the correct ports open?
Thank you, Jordan Conway _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/CFKUWD44EKAOGH...
Users mailing list -- users@ovirt.org To unsubscribe send an email to users-leave@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/7HKXXY6KFVICSG...
On Thu, Jul 4, 2019 at 10:20 PM Darrell Budic <budic@onholyground.com> wrote:
I’m in the same boat, puppet managing iptables rules, and was able to continue forcing it on my 4.3.x ovirt systems. Engine-setup complains all the time, but so far it hasn’t broken anything.
In "complains all the time" you mean that it asks "Do you want Setup to configure the firewall? "? If you reply 'No', it shouldn't do anything at all to the firewall. If you reply 'Yes' and it breaks stuff, please report a bug. Thanks. If you want to get rid of this question, you can add to your answerfile (or your own custom .conf file in /etc/ovirt-engine-setup.conf.d/ ): OVESETUP_CONFIG/updateFirewall=bool:False See also: https://www.ovirt.org/develop/developer-guide/engine/engine-setup.html
-Darrell
On Jul 4, 2019, at 9:38 AM, Jordan Conway <jconway@linuxfoundation.org> wrote:
Hello, I'm working on migrating an existing ovirt setup to a new hosted-engine setup and I've been seeing messages about iptables support being deprecated and slated to be removed. Can I continue using iptables to manage the firewalls on my ovirt hosts if I don't care about allowing ovirt to configure the firewalls?
I think you can.
We manage all of our machines with puppet and iptables is deeply integrated into this. It would be non-trivial to migrate to firewalld support. As it stands I already manage the firewall rules for our ovirt hosts with puppet and iptables and have always ignored the "Automatically Configure Firewall" option when adding new hosts. Will this continue to work?
Also with hosted engine, I had to cowboy enable firewalld to get the engine installed, but now that I've got a cluster up and running with hosted engine enabled on several hosts, can I just switch back from firewalld to iptables assuming I've got all the correct ports open?
I think it's only enforced during initial setup, as you saw yourself - see also: https://bugzilla.redhat.com/show_bug.cgi?id=1608467 Best regards, -- Didi
participants (4)
-
Darrell Budic -
Jordan Conway -
Michael Watters -
Yedidyah Bar David