How to notify cluster nodes after "engine-config --set IPTablesConfigSiteCustom..." ?

Hello oVirt guru`s !
oVirt Engine Version: 4.0.5.5-1.el7.centos
I updated the configuration of the firewall on the Engine server with "engine-config --set IPTablesConfigSiteCustom...". How to notify cluster nodes (all virtualization hosts) about the changes without reboot?

Hmm. I just rebooted the host, but the iptables rules have not been updated :(
On Engine server my custom iptables rules are visible:
# engine-config --get IPTablesConfigSiteCustom
IPTablesConfigSiteCustom:
-A INPUT -p tcp --dport 2301 -j ACCEPT -m comment --comment 'HPE System Management Homepage'
-A INPUT -p tcp --dport 2381 -j ACCEPT -m comment --comment 'HPE System Management Homepage (Secure port)'
version: general
How to update the configuration on the hosts ?
23.11.2016, 11:30, "aleksey.maksimov@it-kb.ru" <aleksey.maksimov@it-kb.ru>:
> Hello oVirt guru`s !
> oVirt Engine Version: 4.0.5.5-1.el7.centos
> I updated the configuration of the firewall on the Engine server with "engine-config --set IPTablesConfigSiteCustom...". How to notify cluster nodes (all virtualization hosts) about the changes without reboot?

On Wed, Nov 23, 2016 at 12:02 PM, <aleksey.maksimov@it-kb.ru> wrote:
> Hmm. I just rebooted the host, but the iptables rules have not been updated :(
> On Engine server my custom iptables rules are visible:
> # engine-config --get IPTablesConfigSiteCustom
> IPTablesConfigSiteCustom:
> -A INPUT -p tcp --dport 2301 -j ACCEPT -m comment --comment 'HPE System Management Homepage'
> -A INPUT -p tcp --dport 2381 -j ACCEPT -m comment --comment 'HPE System Management Homepage (Secure port)'
> version: general
> How to update the configuration on the hosts ?
Please check the other thread here "[ovirt-users] Hook to add firewall rules". Thanks.
-- Didi

Hi Didi!
https://www.mail-archive.com/users@ovirt.org/msg37193.html
"Move to maintenance and reinstall" to add the iptables rules ?
Are you serious?
There is no other way (without reinstalling the hosts) ?
23.11.2016, 13:07, "Yedidyah Bar David" <didi@redhat.com>:
> Please check the other thread here "[ovirt-users] Hook to add firewall rules". Thanks.
> -- Didi

On Wed, Nov 23, 2016 at 12:51 PM, <aleksey.maksimov@it-kb.ru> wrote:
> Hi Didi!
> https://www.mail-archive.com/users@ovirt.org/msg37193.html
> "Move to maintenance and reinstall" to add the iptables rules ?
> Are you serious?
> There is no other way (without reinstalling the hosts) ?
AFAIK, using ovirt-host-deploy, no.
I am not aware of an engine API or vdsm verb to do this, but these are not my main area of expertise.
As I wrote there, you can also do this manually.
The oVirt engine is not a replacement for configuration management systems. If you have complex needs, might as well uncheck this checkbox and use other means.
Best,
-- Didi

"As I wrote there, you can also do this manually" How? 23.11.2016, 14:23, "Yedidyah Bar David" <didi@redhat.com>:
> AFAIK, using ovirt-host-deploy, no.
> I am not aware of an engine API or vdsm verb to do this, but these are not my main area of expertise.
> As I wrote there, you can also do this manually.
> The oVirt engine is not a replacement for configuration management systems. If you have complex needs, might as well uncheck this checkbox and use other means.
> Best,
> -- Didi

On Wed, Nov 23, 2016 at 1:54 PM, <aleksey.maksimov@it-kb.ru> wrote:
> "As I wrote there, you can also do this manually"
> How?
I am not sure I understand the question.
The same way you configure iptables on non-oVirt-hosts machines.
If you mean "How to imitate the way the engine does this during host deploy", then I don't know - you can check engine sources for that. I am guessing that you can get the values of IPTablesConfig and IPTablesConfigSiteCustom with engine-config, replace inside the latter "@CUSTOM_RULES@" with the contents of the former, then copy the result to the host and load it with iptables-restore (and/or copy to /etc/sysconfig/iptables and restart iptables service).
-- Didi
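
The manual procedure guessed at in the message above, sketched as an added example (not code from the thread or from oVirt). The function names and sample values are made up here, the shape of the engine-config output is assumed from the output quoted in this thread, and the placeholder is filled in whichever of the two values contains it.

```shell
#!/bin/sh
# Added example, not oVirt code. Hypothetical names: config_value, render_ruleset,
# lint_ruleset, apply_ruleset, SAMPLE_BASE, SAMPLE_CUSTOM.
PLACEHOLDER='@CUSTOM_RULES@'

# Constructed sample values (SAMPLE_BASE is not the real oVirt default).
SAMPLE_BASE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
@CUSTOM_RULES@
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
SAMPLE_CUSTOM="-A INPUT -p tcp --dport 2301 -j ACCEPT
-A INPUT -p tcp --dport 2381 -j ACCEPT"

# Strip the "KEY:" prefix and "version: ..." trailer that `engine-config --get`
# prints around a value (output shape assumed from the thread).
# Usage on the engine: engine-config --get KEY | config_value KEY
config_value() {
    sed -e "1s/^$1: *//" -e '$s/ *version: [^ ]*$//' -e '/^[[:space:]]*$/d'
}

# Substitute one value into whichever of the two carries the placeholder.
render_ruleset() {
    tmpl=$1; fill=$2
    case $tmpl in *"$PLACEHOLDER"*) ;; *) tmpl=$2; fill=$1 ;; esac
    case $tmpl in *"$PLACEHOLDER"*) ;; *) echo "no $PLACEHOLDER found" >&2; return 1 ;; esac
    printf '%s%s%s\n' "${tmpl%%"$PLACEHOLDER"*}" "$fill" "${tmpl#*"$PLACEHOLDER"}"
}

# Structural check on stdin before the file leaves the engine: a table header,
# a COMMIT, no leftover placeholder, and only rule-like lines.
lint_ruleset() {
    awk -v ph="$PLACEHOLDER" '
        index($0, ph)                  { bad = 1 }
        /^\*[a-z]+$/                   { table = 1; next }
        /^COMMIT$/                     { commit = 1; next }
        /^(:|-A |-I |#)/ || /^[ \t]*$/ { next }
                                       { bad = 1 }
        END { exit !(table && commit && !bad) }'
}

# On the host, as root: parse-check first, then load, then persist.
apply_ruleset() {
    iptables-restore --test < "$1" || return 1   # --test parses without committing
    iptables-restore < "$1" && install -m 600 "$1" /etc/sysconfig/iptables
}
```

Running the parse check before the load matters on a hypervisor: a ruleset that fails halfway or drops the management ports can cut the host off from the engine.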

Thank you Didi.
The proposed method works. I described my experience here: https://blog.it-kb.ru/2016/11/24/extension-of-iptables-add-custom-rules-on-t...
23.11.2016, 16:12, "Yedidyah Bar David" <didi@redhat.com>:
> I am not sure I understand the question.
> The same way you configure iptables on non-oVirt-hosts machines.
> If you mean "How to imitate the way the engine does this during host deploy", then I don't know - you can check engine sources for that. I am guessing that you can get the values of IPTablesConfig and IPTablesConfigSiteCustom with engine-config, replace inside the latter "@CUSTOM_RULES@" with the contents of the former, then copy the result to the host and load it with iptables-restore (and/or copy to /etc/sysconfig/iptables and restart iptables service).
> -- Didi

On Thu, Nov 24, 2016 at 1:10 PM, <aleksey.maksimov@it-kb.ru> wrote:
> Thank you Didi.
> The proposed method works. I described my experience here: https://blog.it-kb.ru/2016/11/24/extension-of-iptables-add-custom-rules-on-t...
Thanks for this post, and the report! (although I can't read Russian).
Best,
-- Didi
participants (2): aleksey.maksimov@it-kb.ru, Yedidyah Bar David