Hook to add firewall rules

I've implemented successfully a hook to edit the configuration of some of my nics on my ovirt hosts.

Is there a way to add firewall rules (iptables) with vdsm hooks?

On Fri, Nov 18, 2016 at 1:42 AM, Claude Durocher <claude.durocher@cptaq.gouv.qc.ca> wrote:
> I've implemented successfully a hook to edit the configuration of some of my nics on my ovirt hosts.
>
> Is there a way to add firewall rules (iptables) with vdsm hooks?

Please search for 'IPTablesConfigSiteCustom'.

Best,
--
Didi

Ok, I've configured my custom iptable rules with "engine-config --get IPTablesConfigSiteCustom" on the engine. Now, how do I apply this on already deployed nodes?

On Sunday, November 20, 2016 02:51 EST, Yedidyah Bar David <didi@redhat.com> wrote:

> On Fri, Nov 18, 2016 at 1:42 AM, Claude Durocher <claude.durocher@cptaq.gouv.qc.ca> wrote:
>> I've implemented successfully a hook to edit the configuration of some of my nics on my ovirt hosts.
>>
>> Is there a way to add firewall rules (iptables) with vdsm hooks?
>
> Please search for 'IPTablesConfigSiteCustom'.
>
> Best,
> --
> Didi

On Mon, Nov 21, 2016 at 9:45 PM, Claude Durocher <claude.durocher@cptaq.gouv.qc.ca> wrote:
> Ok, I've configured my custom iptable rules with "engine-config --get IPTablesConfigSiteCustom" on the engine. Now, how do I apply this on already deployed nodes?

Move to maintenance, reinstall?

I do not think there is another way. But I also do not think oVirt will overwrite your conf by any other process, so you can also simply do this manually. Didn't try this myself.

> On Sunday, November 20, 2016 02:51 EST, Yedidyah Bar David <didi@redhat.com> wrote:
>> On Fri, Nov 18, 2016 at 1:42 AM, Claude Durocher <claude.durocher@cptaq.gouv.qc.ca> wrote:
>>> I've implemented successfully a hook to edit the configuration of some of my nics on my ovirt hosts.
>>>
>>> Is there a way to add firewall rules (iptables) with vdsm hooks?
>>
>> Please search for 'IPTablesConfigSiteCustom'.
>>
>> Best,
>> --
>> Didi

--
Didi

On Tue, 22 Nov 2016 10:56:50 +0200 Yedidyah wrote:

YBD> On Mon, Nov 21, 2016 at 9:45 PM, Claude Durocher
YBD> <claude.durocher@cptaq.gouv.qc.ca> wrote:
YBD> > Ok, I've configured my custom iptable rules with "engine-config --get
YBD> > IPTablesConfigSiteCustom" on the engine. Now, how do I apply this on already
YBD> > deployed nodes?
YBD>
YBD> Move to maintenance, reinstall?
YBD>
YBD> I do not think there is another way. But I also do not think oVirt
YBD> will overwrite your conf by any other process, so you can also simply
YBD> do this manually. Didn't try this myself.

I seem to recall the engine-config option being added because engine would overwrite iptables config on every upgrade.

Robert

--
Senior Software Engineer @ Parsons

On Tue, Nov 22, 2016 at 9:22 PM, Robert Story <rstory@tislabs.com> wrote:
> On Tue, 22 Nov 2016 10:56:50 +0200 Yedidyah wrote:
>
> YBD> On Mon, Nov 21, 2016 at 9:45 PM, Claude Durocher
> YBD> <claude.durocher@cptaq.gouv.qc.ca> wrote:
> YBD> > Ok, I've configured my custom iptable rules with "engine-config --get
> YBD> > IPTablesConfigSiteCustom" on the engine. Now, how do I apply this on already
> YBD> > deployed nodes?
> YBD>
> YBD> Move to maintenance, reinstall?
> YBD>
> YBD> I do not think there is another way. But I also do not think oVirt
> YBD> will overwrite your conf by any other process, so you can also simply
> YBD> do this manually. Didn't try this myself.
>
> I seem to recall the engine-config option being added because engine would overwrite iptables config on every upgrade.

I think you are right, for upgrades done from the engine - not 'yum update'.

'Move to maintenance and reinstall' and 'Upgrade from the engine' are actually almost the exact same thing, from the engine's POV.

Thanks for the comment.

Best,
--
Didi
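
An added example, not part of the thread and not oVirt code: because the replies above note that a reinstall or an upgrade done from the engine can rewrite a host's iptables configuration, this check lists which expected custom rules are missing from a saved ruleset afterwards. The names `normalize` and `missing_rules` and all sample rules are constructed for illustration, and the check assumes the expected rules are written exactly as `iptables-save` prints them.

```shell
#!/bin/sh
# Added example: verify that site-custom iptables rules are still on a host.

# Normalise rule text: collapse whitespace, drop comment and blank lines,
# and strip the "[pkts:bytes]" counters that `iptables-save -c` prefixes.
normalize() {
    sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' \
        -e '/^#/d' -e '/^$/d' -e 's/^\[[0-9]*:[0-9]*] //'
}

# missing_rules EXPECTED_FILE SAVED_FILE
# Prints each expected rule absent from the saved ruleset; returns 1 if any.
missing_rules() {
    saved_norm=$(normalize < "$2")
    status=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        if ! printf '%s\n' "$saved_norm" | grep -Fxq -- "$rule"; then
            printf 'MISSING: %s\n' "$rule"
            status=1
        fi
    done <<EOF
$(normalize < "$1")
EOF
    return "$status"
}

# Constructed sample data (not from the thread): two expected rules and a
# saved ruleset, in iptables-save form, that kept only one of them.
sample_dir=$(mktemp -d)
cat > "$sample_dir/expected.rules" <<'EOF'
# site-custom rules expected on every host
-A INPUT -p tcp -m tcp --dport 10050 -j ACCEPT
-A INPUT  -p udp -m udp --dport 161 -j ACCEPT
EOF
cat > "$sample_dir/saved.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
[12:720] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[3:180] -A INPUT -p tcp -m tcp --dport 10050 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# On a real host the saved file would come from: iptables-save > saved.rules
missing_rules "$sample_dir/expected.rules" "$sample_dir/saved.rules" || true
```
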
participants (3)
- Claude Durocher
- Robert Story
- Yedidyah Bar David