[Engine-devel] Gluster IPTable configuration
Andrew Cathrow
acathrow at redhat.com
Mon Sep 3 21:21:11 UTC 2012
----- Original Message -----
> From: "Alon Bar-Lev" <alonbl at redhat.com>
> To: "Andrew Cathrow" <acathrow at redhat.com>
> Cc: engine-devel at ovirt.org, "Shireesh Anjal" <sanjal at redhat.com>, "Mike Burns" <mburns at redhat.com>
> Sent: Monday, September 3, 2012 5:09:34 PM
> Subject: Re: [Engine-devel] Gluster IPTable configuration
>
>
>
> ----- Original Message -----
> > From: "Andrew Cathrow" <acathrow at redhat.com>
> > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > Cc: engine-devel at ovirt.org, "Shireesh Anjal" <sanjal at redhat.com>,
> > "Mike Burns" <mburns at redhat.com>
> > Sent: Monday, September 3, 2012 11:57:57 PM
> > Subject: Re: [Engine-devel] Gluster IPTable configuration
>
> <snip>
>
> > Right now we just overwrite the existing iptables configuration
> > with our own, so if a user already added a rule to their host - e.g.
> > for a monitoring agent - then we stomp over it.
> > Adding our rules as a custom chain means that we don't need to
>
> Here I lost you... :)
>
> I thought ovirt-engine is the master and ovirt-hypervisor is a slave.
>
> This derives that all management activities of slave are done by
> master...
>
Let's say I use nagios for my host monitoring.
I set up a rhel/fedora/*EL host using my standard corporate and include port 5667/5666 for nagios.
ovirt engine connects to it and blocks nagios.
While it would be great to have all firewall rules (and other settings) managed from ovirt-engine we are a long way away from that.
Adding rules rather than overwriting iptables config would allow us not to stomp on the user's existing settings.
> There should be no setting at slave that master is not aware of.
>
> This also enables you to duplicate hypervisor, recover configuration
> or push mass configuration change.
>
> In your above case, this rule for monitoring agent may be added at
> master repository and pushed to slaves belonging to a specific group,
> just like the gluster case.
yes, but in the 24 months between now and when we get to implement that feature ......
>
> The template mechanism is what enables you to create a custom
> configuration per environment.
>
> Using push and not re-integrate derives much simpler and
> deterministic implementation.
>
> But maybe I did not understand some of the fundamental concepts of
> the architecture.
>
> Regards,
> Alon.
>
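
The add-rather-than-overwrite approach discussed in this thread, as an added example that is not code from the thread or from oVirt: managed rules go into their own chain inside an existing iptables-save dump, so a host rule such as the nagios port survives and re-running the merge only rewrites that chain. The chain name `MANAGED-HOST`, the function name, the sample ruleset and the managed ports are all constructed for illustration.

```python
# Added example: chain name, ports and the saved ruleset are constructed.
MANAGED_CHAIN = "MANAGED-HOST"  # hypothetical name for the engine-owned chain

def merge_managed_chain(saved, managed_rules, chain=MANAGED_CHAIN):
    """Rebuild an iptables-save dump so `chain` holds exactly managed_rules,
    keeping every other rule of the ruleset that the host admin added."""
    jump = f"-A INPUT -j {chain}"
    out, in_filter, opened = [], False, False
    for raw in saved.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter, opened = line == "*filter", False
        elif in_filter:
            # Drop what an earlier run added, so re-running is idempotent.
            if line.startswith((f":{chain} ", f"-A {chain} ")) or line == jump:
                continue
            if line and not line.startswith((":", "#")) and not opened:
                # First rule (or COMMIT): declare the chain and jump to it
                # ahead of the host's own INPUT rules, e.g. a final REJECT.
                out += [f":{chain} - [0:0]", jump]
                opened = True
            if line == "COMMIT":
                out += [f"-A {chain} {rule}" for rule in managed_rules]
                in_filter = False
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed host ruleset: the admin already opened 5666 for a monitoring agent.
EXISTING = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 5666 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Constructed sample rules the management side wants on the host.
MANAGED = ["-p tcp --dport 54321 -j ACCEPT", "-p tcp --dport 24007 -j ACCEPT"]

if __name__ == "__main__":
    print(merge_managed_chain(EXISTING, MANAGED), end="")
```

The returned text is in iptables-save format, which is the input format `iptables-restore` reads.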