[Engine-devel] Gluster IPTable configuration

David Jaša djasa at redhat.com
Tue Sep 4 09:06:08 UTC 2012


Andrew Cathrow wrote on Mon 03. 09. 2012 at 17:21 -0400:
> 
> ----- Original Message -----
> > From: "Alon Bar-Lev" <alonbl at redhat.com>
> > To: "Andrew Cathrow" <acathrow at redhat.com>
> > Cc: engine-devel at ovirt.org, "Shireesh Anjal" <sanjal at redhat.com>, "Mike Burns" <mburns at redhat.com>
> > Sent: Monday, September 3, 2012 5:09:34 PM
> > Subject: Re: [Engine-devel] Gluster IPTable configuration
> > 
> > 
> > 
> > ----- Original Message -----
> > > From: "Andrew Cathrow" <acathrow at redhat.com>
> > > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > > Cc: engine-devel at ovirt.org, "Shireesh Anjal" <sanjal at redhat.com>,
> > > "Mike Burns" <mburns at redhat.com>
> > > Sent: Monday, September 3, 2012 11:57:57 PM
> > > Subject: Re: [Engine-devel] Gluster IPTable configuration
> > 
> > <snip>
> > 
> > > Right now we just overwrite the existing iptables configuration with
> > > our own, so if a user already added a rule to their host - e.g. for a
> > > monitoring agent - then we stomp over it.
> > > Adding our rules as a custom chain means that we don't need to
> > 
> > Here I lost you... :)
> > 
> > I thought ovirt-engine is the master and ovirt-hypervisor is a slave.
> > 
> > This implies that all management activities of the slave are done by
> > the master...
> > 
> 
> Let's say I use nagios for my host monitoring.
> I set up a rhel/fedora/*EL host using my standard corporate and include ports 5667/5666 for nagios.
> ovirt-engine connects to it and blocks nagios.
> 
> While it would be great to have all firewall rules (and other settings) managed from ovirt-engine we are a long way away from that.
> Adding rules rather than overwriting iptables config would allow us not to stomp on the user's existing settings.

This sounds like you want precisely the feature set of firewalld, just faster.

David

> 
> 
> > There should be no setting on the slave that the master is not aware of.
> > 
> > This also enables you to duplicate a hypervisor, recover its configuration
> > or push a mass configuration change.
> 
> > 
> > In your above case, this rule for the monitoring agent may be added to the
> > master repository and pushed to the slaves belonging to a specific group,
> > just like the gluster case.
> 
> yes, but in the 24 months between now and when we get to implement that feature ......
> 
> > 
> > The template mechanism is what enables you to create a custom
> > configuration per environment.
> 
> > 
> > Using push rather than re-integration yields a much simpler and more
> > deterministic implementation.
> > 
> > But maybe I did not understand some of the fundamental concepts of
> > the architecture.
> > 
> > Regards,
> > Alon.
> > 
> _______________________________________________
> Engine-devel mailing list
> Engine-devel at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/engine-devel

-- 

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
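The "add a custom chain instead of overwriting" approach Andrew describes above, as an added example that is not code from this thread or from the oVirt project: the script below takes an existing `iptables-save` dump, installs a managed chain into the filter table, and leaves every administrator-written rule (here the nagios 5666/5667 rules from the thread) in place, next to the "stomp" variant that replaces the whole table. The chain name `ovirt-input`, the managed port 54321, and the sample dump are assumptions constructed for the example.

```python
"""Merge a managed iptables rule set into an existing iptables-save dump
instead of replacing the administrator's configuration.

Added example; chain name, managed ports and the sample dump are
illustrative assumptions, not values taken from oVirt.
"""

MANAGED_CHAIN = "ovirt-input"          # assumed chain name
MANAGED_RULES = [
    "-p tcp -m tcp --dport 22 -j ACCEPT",
    "-p tcp -m tcp --dport 54321 -j ACCEPT",   # assumed management port
]

# Constructed iptables-save output for a host whose admin already opened
# the nagios ports 5666 and 5667 mentioned in the thread.
EXISTING_DUMP = """\
# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5667 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def overwrite_rules(chain=MANAGED_CHAIN, rules=MANAGED_RULES):
    """The 'stomp' behaviour: a filter table holding only the managed
    rules, so anything the administrator configured (the nagios ports)
    is silently lost."""
    lines = ["*filter",
             ":INPUT ACCEPT [0:0]", ":FORWARD ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]",
             f":{chain} - [0:0]",
             f"-A INPUT -j {chain}"]
    lines += [f"-A {chain} {r}" for r in rules]
    lines += ["-A INPUT -j REJECT --reject-with icmp-host-prohibited", "COMMIT"]
    return "\n".join(lines) + "\n"


def merge_rules(dump, chain=MANAGED_CHAIN, rules=MANAGED_RULES):
    """Return `dump` with the managed chain (re)installed in the filter
    table.  Lines the administrator wrote are kept verbatim; only lines
    owned by the managed chain are dropped and regenerated, so applying
    the merge twice yields the same text (idempotent)."""
    jump = f"-A INPUT -j {chain}"
    decl = f":{chain} - [0:0]"
    out = []
    in_filter = seen_filter = decl_done = jump_done = False
    for line in dump.splitlines():
        if line == "*filter":
            in_filter = seen_filter = True
            out.append(line)
            continue
        if not in_filter:               # other tables (nat, mangle) pass through
            out.append(line)
            continue
        # Lines from a previous run of this script are regenerated below.
        if (line.startswith(f":{chain} ") or line == jump
                or line.startswith(f"-A {chain} ")):
            continue
        if not line.startswith(":") and not decl_done:
            out.append(decl)            # chain declaration goes with the others
            decl_done = True
        if line.startswith("-A INPUT ") and not jump_done:
            out.append(jump)            # managed chain is consulted first
            jump_done = True
        if line == "COMMIT":
            if not jump_done:           # INPUT had no rules of its own
                out.append(jump)
                jump_done = True
            out.extend(f"-A {chain} {r}" for r in rules)
            in_filter = False
        out.append(line)
    if not seen_filter:
        raise ValueError("no *filter table in iptables-save output")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # On a host this would be: iptables-save | python merge.py | iptables-restore
    print(merge_rules(EXISTING_DUMP), end="")
```

The jump to the managed chain is placed at the head of INPUT so that it is evaluated before any catch-all REJECT the administrator may have at the end of the chain; rules inside the managed chain only ACCEPT, and everything else falls back (RETURN) into the rest of INPUT. Because `iptables-restore` replaces a table atomically, feeding it the merged text applies the managed rules without ever leaving the host without its existing rules.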