[Engine-devel] Gluster IPTable configuration

Andrew Cathrow acathrow at redhat.com
Mon Sep 3 21:21:11 UTC 2012



----- Original Message -----
> From: "Alon Bar-Lev" <alonbl at redhat.com>
> To: "Andrew Cathrow" <acathrow at redhat.com>
> Cc: engine-devel at ovirt.org, "Shireesh Anjal" <sanjal at redhat.com>, "Mike Burns" <mburns at redhat.com>
> Sent: Monday, September 3, 2012 5:09:34 PM
> Subject: Re: [Engine-devel] Gluster IPTable configuration
> 
> 
> 
> ----- Original Message -----
> > From: "Andrew Cathrow" <acathrow at redhat.com>
> > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > Cc: engine-devel at ovirt.org, "Shireesh Anjal" <sanjal at redhat.com>,
> > "Mike Burns" <mburns at redhat.com>
> > Sent: Monday, September 3, 2012 11:57:57 PM
> > Subject: Re: [Engine-devel] Gluster IPTable configuration
> 
> <snip>
> 
> > Right now we just overwrite the existing iptables configuration
> > with
> > our own, so if a user already added a rule to their host - eg. for
> > a
> > monitoring agent the we stomp over it.
> > Adding our rules as a custom chain means that we don't need to
> 
> Here I lost you... :)
> 
> I thought ovirt-engine is the master and ovirt-hypervisor is a slave.
> 
> This derives that all management activities of slave is done by
> master...
> 

Let's say I use nagios for my host monitoring.
I setup a rhel/fedora/*EL host using my standard corporate and include port 5667/5666 for nagios.
ovirt engine connects to it and blocks nagios.

While it would be great to have all firewall rules (and other settings) managed from ovirt-engine we are a long way away from that.
Adding rules rather than overwriting iptables config would allow us not to stomp on the user's existing settings.


> There should be no setting at slave that master is not aware of.
> 
> This also enables you to duplicate hipervisor, recover configuration
> or push mass configuration change.

> 
> In your above case, this rule for monitoring agent may be added at
> master repository and pushed to slaves belongs to specific group,
> just like the gluster case.

yes, but in the 24 months between now and when we get to implement that feature ......

> 
> The template mechanism is what enable you to create a custom
> configuration per environment.

> 
> Using push and not re-integrate derives much simpler and
> deterministic implementation.
> 
> But maybe I did not understand some of the fundamental concepts of
> the architecture.
> 
> Regards,
> Alon.
> 



More information about the Devel mailing list