Hmm. I just rebooted the host, but the iptables rules have not been updated :( On Engine server my custom iptables rules are visible: # engine-config --get IPTablesConfigSiteCustom IPTablesConfigSiteCustom: -A INPUT -p tcp --dport 2301 -j ACCEPT -m comment --comment 'HPE System Management Homepage' -A INPUT -p tcp --dport 2381 -j ACCEPT -m comment --comment 'HPE System Management Homepage (Secure port)' version: general How to update the configuration on the hosts ? 23.11.2016, 11:30, &quot;aleksey.maksimov(a)it-kb.ru&quot; <aleksey.maksimov(a)it-kb.ru&gt;: > Hello oVirt guru`s ! > > oVirt Engine Version: 4.0.5.5-1.el7.centos > > I updated the configuration of the firewall on the Engine server with "engine-config --set IPTablesConfigSiteCustom...". > How to notify cluster nodes (all virtualization hosts) about the changes without reboot?

_______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users

Hi Didi! https://www.mail-archive.com/users@ovirt.org/msg37193.html "Move to maintenance and reinstall" to add the iptables rules ? Are you serious? There is no other way (without reinstalling the hosts) ?

23.11.2016, 13:07, "Yedidyah Bar David" <didi(a)redhat.com&gt;: > On Wed, Nov 23, 2016 at 12:02 PM, <aleksey.maksimov(a)it-kb.ru&gt; wrote: >> Hmm. I just rebooted the host, but the iptables rules have not been updated :( >> >> On Engine server my custom iptables rules are visible: >> >> # engine-config --get IPTablesConfigSiteCustom >> >> IPTablesConfigSiteCustom: >> -A INPUT -p tcp --dport 2301 -j ACCEPT -m comment --comment 'HPE System Management Homepage' >> -A INPUT -p tcp --dport 2381 -j ACCEPT -m comment --comment 'HPE System Management Homepage (Secure port)' >> version: general >> >> How to update the configuration on the hosts ? >> >> 23.11.2016, 11:30, &quot;aleksey.maksimov(a)it-kb.ru&quot; <aleksey.maksimov(a)it-kb.ru&gt;: >>> Hello oVirt guru`s ! >>> >>> oVirt Engine Version: 4.0.5.5-1.el7.centos >>> >>> I updated the configuration of the firewall on the Engine server with "engine-config --set IPTablesConfigSiteCustom...". >>> How to notify cluster nodes (all virtualization hosts) about the changes without reboot? > > Please check the other thread here "[ovirt-users] Hook to add firewall > rules". Thanks. > >> _______________________________________________ >> Users mailing list >> Users(a)ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users > > -- > Didi

"As I wrote there, you can also do this manually" How?

23.11.2016, 14:23, "Yedidyah Bar David" <didi(a)redhat.com&gt;: > On Wed, Nov 23, 2016 at 12:51 PM, <aleksey.maksimov(a)it-kb.ru&gt; wrote: >> Hi Didi! >> >> https://www.mail-archive.com/users@ovirt.org/msg37193.html >> >> "Move to maintenance and reinstall" to add the iptables rules ? >> >> Are you serious? >> >> There is no other way (without reinstalling the hosts) ? > > AFAIK, using ovirt-host-deploy, no. > > I am not aware of an engine API or vdsm verb to do this, but these are > not my main area of expertise. > > As I wrote there, you can also do this manually. > > The oVirt engine is not a replacement for configuration management > systems. If you have complex needs, might as well uncheck this > checkbox and use other means. > > Best, > >> 23.11.2016, 13:07, "Yedidyah Bar David" <didi(a)redhat.com&gt;: >>> On Wed, Nov 23, 2016 at 12:02 PM, <aleksey.maksimov(a)it-kb.ru&gt; wrote: >>>> Hmm. I just rebooted the host, but the iptables rules have not been updated :( >>>> >>>> On Engine server my custom iptables rules are visible: >>>> >>>> # engine-config --get IPTablesConfigSiteCustom >>>> >>>> IPTablesConfigSiteCustom: >>>> -A INPUT -p tcp --dport 2301 -j ACCEPT -m comment --comment 'HPE System Management Homepage' >>>> -A INPUT -p tcp --dport 2381 -j ACCEPT -m comment --comment 'HPE System Management Homepage (Secure port)' >>>> version: general >>>> >>>> How to update the configuration on the hosts ? >>>> >>>> 23.11.2016, 11:30, &quot;aleksey.maksimov(a)it-kb.ru&quot; <aleksey.maksimov(a)it-kb.ru&gt;: >>>>> Hello oVirt guru`s ! >>>>> >>>>> oVirt Engine Version: 4.0.5.5-1.el7.centos >>>>> >>>>> I updated the configuration of the firewall on the Engine server with "engine-config --set IPTablesConfigSiteCustom...". >>>>> How to notify cluster nodes (all virtualization hosts) about the changes without reboot? >>> >>> Please check the other thread here "[ovirt-users] Hook to add firewall >>> rules". Thanks. >>> >>>> _______________________________________________ >>>> Users mailing list >>>> Users(a)ovirt.org >>>> http://lists.ovirt.org/mailman/listinfo/users >>> >>> -- >>> Didi > > -- > Didi

Thank you Didi. The proposed method works. I described my experience here: https://blog.it-kb.ru/2016/11/24/extension-of-iptables-add-custom-rules-o...

23.11.2016, 16:12, "Yedidyah Bar David" <didi(a)redhat.com&gt;: > On Wed, Nov 23, 2016 at 1:54 PM, <aleksey.maksimov(a)it-kb.ru&gt; wrote: >> "As I wrote there, you can also do this manually" >> >> How? > > I am not sure I understand the question. > > The same way you configure iptables on non-oVirt-hosts machines. > > If you mean "How to imitate the way the engine does this during > host deploy", then I don't know - you can check engine sources > for that. I am guessing that you can get the values of IPTablesConfig > and IPTablesConfigSiteCustom with engine-config, replace inside the > latter "@CUSTOM_RULES@" with the contents of the former, then copy > the result to the host and load it with iptables-restore (and/or > copy to /etc/sysconfig/iptables and restart iptables service). > >> 23.11.2016, 14:23, "Yedidyah Bar David" <didi(a)redhat.com&gt;: >>> On Wed, Nov 23, 2016 at 12:51 PM, <aleksey.maksimov(a)it-kb.ru&gt; wrote: >>>> Hi Didi! >>>> >>>> https://www.mail-archive.com/users@ovirt.org/msg37193.html >>>> >>>> "Move to maintenance and reinstall" to add the iptables rules ? >>>> >>>> Are you serious? >>>> >>>> There is no other way (without reinstalling the hosts) ? >>> >>> AFAIK, using ovirt-host-deploy, no. >>> >>> I am not aware of an engine API or vdsm verb to do this, but these are >>> not my main area of expertise. >>> >>> As I wrote there, you can also do this manually. >>> >>> The oVirt engine is not a replacement for configuration management >>> systems. If you have complex needs, might as well uncheck this >>> checkbox and use other means. >>> >>> Best, >>> >>>> 23.11.2016, 13:07, "Yedidyah Bar David" <didi(a)redhat.com&gt;: >>>>> On Wed, Nov 23, 2016 at 12:02 PM, <aleksey.maksimov(a)it-kb.ru&gt; wrote: >>>>>> Hmm. I just rebooted the host, but the iptables rules have not been updated :( >>>>>> >>>>>> On Engine server my custom iptables rules are visible: >>>>>> >>>>>> # engine-config --get IPTablesConfigSiteCustom >>>>>> >>>>>> IPTablesConfigSiteCustom: >>>>>> -A INPUT -p tcp --dport 2301 -j ACCEPT -m comment --comment 'HPE System Management Homepage' >>>>>> -A INPUT -p tcp --dport 2381 -j ACCEPT -m comment --comment 'HPE System Management Homepage (Secure port)' >>>>>> version: general >>>>>> >>>>>> How to update the configuration on the hosts ? >>>>>> >>>>>> 23.11.2016, 11:30, &quot;aleksey.maksimov(a)it-kb.ru&quot; <aleksey.maksimov(a)it-kb.ru&gt;: >>>>>>> Hello oVirt guru`s ! >>>>>>> >>>>>>> oVirt Engine Version: 4.0.5.5-1.el7.centos >>>>>>> >>>>>>> I updated the configuration of the firewall on the Engine server with "engine-config --set IPTablesConfigSiteCustom...". >>>>>>> How to notify cluster nodes (all virtualization hosts) about the changes without reboot? >>>>> >>>>> Please check the other thread here "[ovirt-users] Hook to add firewall >>>>> rules". Thanks. >>>>> >>>>>> _______________________________________________ >>>>>> Users mailing list >>>>>> Users(a)ovirt.org >>>>>> http://lists.ovirt.org/mailman/listinfo/users >>>>> >>>>> -- >>>>> Didi >>> >>> -- >>> Didi > > -- > Didi