Doubt about iptables host config

Hello, I have read this interesting blog post https://www.ovirt.org/blog/2016/12/extension-iptables-rules-oVirt-hosts/
In my case, to allow incoming connections from the Nagios server to connect to the Nagios nrpe daemon installed on hosts I have run
[root@ovmgr1 ~]# engine-config --set IPTablesConfigSiteCustom='
-A INPUT -p tcp --dport 5666 -s 10.4.5.99/32 -m comment --comment "Nagios NRPE daemon" -j ACCEPT '
[root@ovmgr1 ~]#
and
systemctl restart ovirt-engine
BTW: the link above misses the final ' apex at the end of the similar command in the given example.
On my oVirt running host (CentOS 7.4) in the meantime I have run
[g.cecchi@ov300 ~]$ sudo iptables -I INPUT 16 -p tcp --dport 5666 -s 10.4.5.99/32 -m comment --comment "Nagios NRPE daemon" -j ACCEPT
In fact the current "reject-with icmp-host-prohibited" was line 16 and I have inserted it right before.
So far so good.
I have a doubt whether, in case the host is put into maintenance and then reactivated, or rebooted, the rule will remain.
Or do I have anyway to put any line in any file on the host to set it persistently?
I wouldn't like to go and reinstall it only to statically set a new iptables rule.
Thanks,
Gianluca

On Tue, Oct 3, 2017 at 11:51 AM, Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
Hello, I have read this interesting blog post https://www.ovirt.org/blog/2016/12/extension-iptables-rules-oVirt-hosts/
In my case, to allow incoming connections from Nagios server to connect to Nagios nrpe daemon installed on hosts I have run
[root@ovmgr1 ~]# engine-config --set IPTablesConfigSiteCustom='
-A INPUT -p tcp --dport 5666 -s 10.4.5.99/32 -m comment --comment "Nagios NRPE daemon" -j ACCEPT '
[root@ovmgr1 ~]#
and
systemctl restart ovirt-engine
BTW: the link above misses the final ' apex at the end of the similar command in the given example
On my oVirt running host (CentOS 7.4) in the meantime I have run
[g.cecchi@ov300 ~]$ sudo iptables -I INPUT 16 -p tcp --dport 5666 -s 10.4.5.99/32 -m comment --comment "Nagios NRPE daemon" -j ACCEPT
In fact the current "reject-with icmp-host-prohibited" was line 16 and I have inserted it right before.
So far so good.
I have a doubt whether, in case the host is put into maintenance and then reactivated, or rebooted, the rule will remain.
AFAIU nothing touches iptables conf on hosts except for host-deploy (Re/Install).
Or do I have anyway to put any line in any file on host to set it persistently?
I think it should be safe to manually edit /etc/sysconfig/iptables in that case. Of course, verify on a test system. Also, you might be happy to know that in 4.2 we'll support firewalld, which is much nicer to work with than patching/generating /etc/sysconfig/iptables. See also: https://bugzilla.redhat.com/show_bug.cgi?id=995362
I wouldn't like to go and reinstall it only to statically set a new iptables rule.
Thanks, Gianluca
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
-- Didi
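Didi's answer is to edit /etc/sysconfig/iptables by hand so the rule survives a reboot, while the runtime insert before the REJECT line keeps it working right away. The script below is an added example (it is not code from this thread or from oVirt) that does both steps idempotently: it writes the ACCEPT line into the saved ruleset immediately ahead of the INPUT chain's "icmp-host-prohibited" REJECT, refusing to touch the file if no such anchor exists, and inserts the same rule into the live chain only if `iptables -C` does not already find it. The source address, port and comment are the ones from the thread; the file path defaults to the CentOS 7 location and can be overridden through IPTABLES_FILE, which is how the logic is exercised without root.

```shell
#!/bin/sh
# Added example, not code from the thread or from oVirt: persist the NRPE ACCEPT
# rule on an iptables-based host by inserting it into the saved ruleset
# (/etc/sysconfig/iptables on CentOS 7) directly ahead of the INPUT chain's
# "icmp-host-prohibited" REJECT, so it is still there after a reboot, and do
# the same in the live chain. Both steps are idempotent. Source address, port
# and comment are the ones from the thread; IPTABLES_FILE overrides the path.
NAGIOS_SRC="${NAGIOS_SRC:-10.4.5.99/32}"
NRPE_PORT="${NRPE_PORT:-5666}"
RULE_COMMENT="Nagios NRPE daemon"

# The line as iptables-save itself writes it (-s before -p, and "-m tcp" added
# for --dport), so a later iptables-save round trip yields the same text.
saved_rule_line() {
    printf '%s -s %s -p tcp -m tcp --dport %s -m comment --comment "%s" -j ACCEPT' \
        '-A INPUT' "$NAGIOS_SRC" "$NRPE_PORT" "$RULE_COMMENT"
}

# rule_in_file FILE: 0 if an INPUT ACCEPT for this source and port is already
# saved, whatever option order the line uses.
rule_in_file() {
    grep -- '^-A INPUT ' "$1" | grep -F -- "-s $NAGIOS_SRC" \
        | grep -F -- "--dport $NRPE_PORT" | grep -qF -- '-j ACCEPT'
}

# reject_line FILE: line number of the first INPUT REJECT with
# icmp-host-prohibited (empty if there is none).
reject_line() {
    grep -n -- '^-A INPUT .*-j REJECT --reject-with icmp-host-prohibited' "$1" \
        | head -n 1 | cut -d: -f1
}

# persist_rule FILE: insert the ACCEPT line just before that REJECT.
# Returns 0 when the rule is present afterwards, 1 when no REJECT anchor exists
# (the file is then left untouched rather than appending after a terminal REJECT).
persist_rule() {
    file="$1"
    rule_in_file "$file" && return 0
    n="$(reject_line "$file")"
    [ -n "$n" ] || return 1
    tmp="$(mktemp)"
    awk -v n="$n" -v rule="$(saved_rule_line)" 'NR == n { print rule } { print }' "$file" > "$tmp"
    cat "$tmp" > "$file"   # overwrite in place so owner and mode of the original are kept
    rm -f "$tmp"
    rule_in_file "$file"
}

# ipt_rule LEADING-ARGS...: run iptables with the rule spec appended (needs root).
ipt_rule() {
    iptables "$@" -p tcp --dport "$NRPE_PORT" -s "$NAGIOS_SRC" \
        -m comment --comment "$RULE_COMMENT" -j ACCEPT
}

# apply_runtime: add the rule to the live INPUT chain before the REJECT,
# unless -C reports an identical rule already there.
apply_runtime() {
    ipt_rule -C INPUT 2>/dev/null && return 0
    pos="$(iptables -L INPUT -n --line-numbers | awk '/icmp-host-prohibited/ { print $1; exit }')"
    if [ -n "$pos" ]; then
        ipt_rule -I INPUT "$pos"
    else
        ipt_rule -A INPUT
    fi
}

# Usage (as root): sh nrpe-rule.sh apply
if [ "${1:-}" = "apply" ]; then
    persist_rule "${IPTABLES_FILE:-/etc/sysconfig/iptables}" \
        || { echo "no INPUT REJECT line to insert before" >&2; exit 1; }
    apply_runtime
fi
```

Two caveats worth keeping in mind. First, iptables-save normalises the rule text (source before protocol, an explicit `-m tcp` for `--dport`), which is why the detection greps for the individual options instead of the exact string typed at the prompt. Second, as Didi notes, a host re-install regenerates /etc/sysconfig/iptables from the engine's template, so the hand edit covers reboots and maintenance cycles, while the IPTablesConfigSiteCustom setting from the first message is what carries the rule across host-deploy.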

On Tue, Oct 3, 2017 at 11:36 AM, Yedidyah Bar David <didi@redhat.com> wrote:
I think it should be safe to manually edit /etc/sysconfig/iptables in that case.
Of course, verify on a test system.
Also, you might be happy to know that in 4.2 we'll support firewalld, which is much nicer to work with than patching/generating /etc/sysconfig/iptables. See also:
OK, thanks. It worked.
Nice to see the news about firewalld.
And if I want to do the same for the engine, that indeed is configured with firewalld?
Currently on it I see this kind of configuration:
[root@ovmgr1 ~]# firewall-cmd --get-default-zone
public
[root@ovmgr1 ~]# firewall-cmd --get-active-zones
public
  interfaces: ens192
[root@ovmgr1 ~]#
It seems nrpe is already a usable predefined service:
[root@ovmgr1 ~]# firewall-cmd --get-services | tr -s ' ' '\n' | grep nrpe
nrpe
[root@ovmgr1 ~]#
So, based on current config, I can add it this way:
firewall-cmd --permanent --add-service=nrpe
firewall-cmd --reload
This way it should survive an engine reboot, but will it survive an engine-setup command run when updating configuration or when upgrading between minor/major updates?
Or should I manage also some oVirt managed files on engine?
Thanks,
Gianluca

On Tue, Oct 3, 2017 at 1:49 PM, Gianluca Cecchi <gianluca.cecchi@gmail.com> wrote:
On Tue, Oct 3, 2017 at 11:36 AM, Yedidyah Bar David <didi@redhat.com> wrote:
I think it should be safe to manually edit /etc/sysconfig/iptables in that case.
Of course, verify on a test system.
Also, you might be happy to know that in 4.2 we'll support firewalld, which is much nicer to work with than patching/generating /etc/sysconfig/iptables. See also:
OK, thanks. It worked.
Nice to see the news about firewalld.
And if I want to do the same for the engine, that indeed is configured with firewalld?
Currently on it I see this kind of configuration:
[root@ovmgr1 ~]# firewall-cmd --get-default-zone
public
[root@ovmgr1 ~]# firewall-cmd --get-active-zones
public
  interfaces: ens192
[root@ovmgr1 ~]#
It seems nrpe is already a usable predefined service:
[root@ovmgr1 ~]# firewall-cmd --get-services | tr -s ' ' '\n' | grep nrpe
nrpe
[root@ovmgr1 ~]#
So, based on current config, I can add it this way:
firewall-cmd --permanent --add-service=nrpe
firewall-cmd --reload
This way it should survive an engine reboot, but will it survive an engine-setup command run when updating configuration or when upgrading between minor/major updates?
It should, yes.
Or should I manage also some oVirt managed files on engine?
engine-setup should in principle never touch existing services, only add new ones.
This is different with iptables. engine-setup generates a new conf file, and saves it (also) in /etc/ovirt-engine/iptables.example . On upgrade, it compares it to the system-wide file /etc/sysconfig/iptables, and if they differ, it prompts to confirm, optionally showing you the diff.
Regards,
-- Didi
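The engine-side change discussed above (`firewall-cmd --permanent --add-service=nrpe` followed by `--reload`) opens port 5666 to every source in the public zone. The script below is an added example (not code from this thread or from oVirt) showing the narrower form a firewalld host supports: the predefined nrpe service accepted only from the monitoring server, as a permanent rich rule in the active zone, reloaded so the runtime matches, and safe to re-run. The Nagios address and the zone name are assumptions taken from the thread's output; the FWCMD variable exists only so the control flow can be exercised with a stand-in for firewall-cmd.

```shell
#!/bin/sh
# Added example, not code from the thread or from oVirt: on the firewalld-based
# engine, allow the predefined 'nrpe' service only from the monitoring server,
# as a permanent rich rule in the active zone, then reload so the runtime
# configuration matches. Re-running is a no-op. Source address and zone are
# assumptions taken from the thread; FWCMD is a hook for testing without root.
NAGIOS_SRC="${NAGIOS_SRC:-10.4.5.99/32}"
ZONE="${ZONE:-public}"
FWCMD="${FWCMD:-firewall-cmd}"

# nrpe_rich_rule SRC: the rich rule text. It references the predefined
# 'nrpe' service, so the port list stays with firewalld's service definition.
nrpe_rich_rule() {
    printf 'rule family="ipv4" source address="%s" service name="nrpe" accept' "$1"
}

# rule_present SRC ZONE: 0 if the permanent configuration already has the rule.
rule_present() {
    "$FWCMD" --permanent --zone="$2" --query-rich-rule="$(nrpe_rich_rule "$1")" >/dev/null 2>&1
}

# ensure_nrpe_rule SRC ZONE: add the permanent rule if it is missing, reload,
# and return 0 only if the permanent configuration then reports it.
ensure_nrpe_rule() {
    rule_present "$1" "$2" && return 0
    "$FWCMD" --permanent --zone="$2" --add-rich-rule="$(nrpe_rich_rule "$1")" >/dev/null
    "$FWCMD" --reload >/dev/null
    rule_present "$1" "$2"
}

# Usage (as root): sh nrpe-firewalld.sh apply
if [ "${1:-}" = "apply" ]; then
    ensure_nrpe_rule "$NAGIOS_SRC" "$ZONE" && "$FWCMD" --zone="$ZONE" --list-rich-rules
fi
```

The final `--list-rich-rules` without `--permanent` reads the runtime configuration, which is the check that the reload actually took effect. Because the rule is an addition to the zone rather than a generated file, it falls under what Didi describes: engine-setup adds its own services and leaves existing ones alone, so no oVirt-managed file on the engine needs editing for it.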
participants (2)
- Gianluca Cecchi
- Yedidyah Bar David