[ovirt-users] host upgrade from ovirt manager and custom iptables rules

Moti Asayag masayag at redhat.com
Fri Jun 20 05:34:21 UTC 2014



----- Original Message -----
> From: "Alon Bar-Lev" <alonbl at redhat.com>
> To: "Moti Asayag" <masayag at redhat.com>
> Cc: "Jiří Sléžka" <jiri.slezka at slu.cz>, users at ovirt.org
> Sent: Friday, June 20, 2014 1:19:25 AM
> Subject: Re: [ovirt-users] host upgrade from ovirt manager and custom iptables rules
> 
> 
> 
> ----- Original Message -----
> > From: "Moti Asayag" <masayag at redhat.com>
> > To: "Jiří Sléžka" <jiri.slezka at slu.cz>, "Alon Bar-Lev" <abarlev at redhat.com>
> > Cc: users at ovirt.org
> > Sent: Friday, June 20, 2014 1:12:58 AM
> > Subject: Re: [ovirt-users] host upgrade from ovirt manager and custom
> > iptables rules
> > 
> > 
> > 
> > ----- Original Message -----
> > > From: "Jiří Sléžka" <jiri.slezka at slu.cz>
> > > To: "Moti Asayag" <masayag at redhat.com>
> > > Cc: users at ovirt.org
> > > Sent: Thursday, June 19, 2014 3:25:49 PM
> > > Subject: Re: [ovirt-users] host upgrade from ovirt manager and custom
> > > iptables rules
> > > 
> > > > ----- Original Message -----
> > > >> From: "Jiří Sléžka" <jiri.slezka at slu.cz>
> > > >> To: users at ovirt.org
> > > >> Sent: Wednesday, June 18, 2014 8:12:09 PM
> > > > >> Subject: [ovirt-users] host upgrade from ovirt manager and custom iptables rules
> > > >>
> > > >> Hello all,
> > > >>
> > > > >> is there any way to make custom iptables rules persistent during host
> > > > >> upgrade? I have for example zabbix agents installed on all hosts and
> > > > >> thus iptables rule allowing connections from our zabbix server. Sadly I
> > > > >> have to manually restore iptables backup after host upgrade (initiated
> > > > >> from oVirt manager).
> > > >>
> > > >
> > > > > This should be achievable by defining the iptables rules you wish to use
> > > > > when [re]installing using the engine-config tool:
> > > 
> > > thanks a lot for reply
> > > 
> > > > 1. Check the existing iptables rules:
> > > > sudo engine-config -g IPTablesConfig
> > > 
> > > > this displays the whole iptables template. An interesting thing is that
> > > > there is a variable @CUSTOM_RULES@. Maybe custom rules could be defined
> > > > this way?
> > > 
> > 
> > Adding Alon to reply on @CUSTOM_RULES@
> 
> These are to be replaced with gluster specific or virt specific or both, see
> IPTablesConfigForVirt, IPTablesConfigForGluster.
> 
> I must note that there is no real support for manual modification of the
> iptables rules, as once you change it, you do not enjoy future product
> updates, such as upcoming kdump fence listener daemon.
> 
> However, Moti, we can add another vdc config for user defined rules, it
> should be sufficient in most cases.

Sounds reasonable.

Jiri, would you like to open an RFE for it?

> 
> > 
> > > >
> > > > 2. Define the desired iptables:
> > > > sudo engine-config -s IPTablesConfig="Your rules"
> > > 
> > > I entered...
> > > 
> > > engine-config -s IPTablesConfig="-A INPUT -p tcp -m state --state NEW -m
> > > tcp -s xx.xx.xx.xx --dport 10050 -j ACCEPT"
> > > 
> > > ...and it looks like this overwrites the entire IPTablesConfig template...
> > > 
> > > > 3. Verify the changes
> > > > sudo engine-config -g IPTablesConfig
> > > 
> > > ...because this displays just my one line above.
> > > 
> > > I have a copy of the default template but I have no idea how to set this
> > > variable with multi-line text. I tried inserting \n but it is not
> > > converted to newlines. Any ideas?
> > 
> > For me it worked by pasting the file content in the command line:
> > engine-config -s IPTablesConfig=" <paste multi-line content>"
> > 
> > > 
> > > Btw, are these variables stored in the database?
> > 
> > Yes, in vdc_options table:
> > 
> > select * from vdc_options where option_name = 'IPTablesConfig';
> > 
> > > 
> > > 
> > > Thanks in advance,
> > > 
> > > Jiri
> > > 
> > > 
> > > 
> > > >
> > > > 4. Restart the engine for changes to take effect
> > > >
> > > > 5. Reinstall the host and verify the iptables rule.
> > > >
> > > > >> And another question I have always wanted to ask... It looks like host
> > > > >> upgrade is upgrading just vdsm components and no other virtualization
> > > > >> stuff
> > > > >>
> > > > >> this was updated after clicking "host upgrade"
> > > >>
> > > >> Jun 18 18:21:38 Updated: iproute-2.6.32-32.el6_5.x86_64
> > > > >> Jun 18 18:21:59 Installed: vdsm-python-zombiereaper-4.14.7-3.el6ev.noarch
> > > >> Jun 18 18:21:59 Updated: vdsm-python-4.14.7-3.el6ev.x86_64
> > > >> Jun 18 18:21:59 Updated: vdsm-xmlrpc-4.14.7-3.el6ev.noarch
> > > >> Jun 18 18:21:59 Updated: vdsm-cli-4.14.7-3.el6ev.noarch
> > > >> Jun 18 18:22:26 Updated: vdsm-4.14.7-3.el6ev.x86_64
> > > > >> Jun 18 18:22:27 Updated: 2:qemu-kvm-rhev-tools-0.12.1.2-2.415.el6_5.10.x86_64
> > > >>
> > > > >> and after that I ran yum update and updated these components (honestly
> > > > >> this one was a rhev host but ovirt behaves the same)
> > > >>
> > > >> Jun 18 18:26:59 Updated: selinux-policy-3.7.19-231.el6_5.3.noarch
> > > >> Jun 18 18:27:03 Updated: tzdata-2014d-1.el6.noarch
> > > >> Jun 18 18:27:10 Updated: glibc-2.12-1.132.el6_5.2.x86_64
> > > >> Jun 18 18:27:22 Updated: glibc-common-2.12-1.132.el6_5.2.x86_64
> > > >> Jun 18 18:27:22 Updated: audit-libs-2.2-4.el6_5.x86_64
> > > >> Jun 18 18:27:22 Updated: libxml2-2.7.6-14.el6_5.1.x86_64
> > > >> Jun 18 18:27:22 Updated: libcurl-7.19.7-37.el6_5.3.x86_64
> > > > >> Jun 18 18:27:23 Updated: 2:qemu-img-rhev-0.12.1.2-2.415.el6_5.10.x86_64
> > > >> Jun 18 18:27:23 Updated: libtasn1-2.3-6.el6_5.x86_64
> > > >> Jun 18 18:27:23 Updated: gnutls-2.8.5-14.el6_5.x86_64
> > > >> Jun 18 18:27:25 Updated: openssl-1.0.1e-16.el6_5.14.x86_64
> > > >> Jun 18 18:27:25 Updated: spice-server-0.12.4-6.el6_5.2.x86_64
> > > >> Jun 18 18:27:25 Updated: gnutls-utils-2.8.5-14.el6_5.x86_64
> > > >> Jun 18 18:27:25 Updated: pm-utils-1.2.5-10.el6_5.1.x86_64
> > > >> Jun 18 18:27:28 Updated: libvirt-client-0.10.2-29.el6_5.9.x86_64
> > > >> Jun 18 18:27:30 Updated: libvirt-0.10.2-29.el6_5.9.x86_64
> > > >> Jun 18 18:27:30 Updated: libvirt-python-0.10.2-29.el6_5.9.x86_64
> > > >> Jun 18 18:27:30 Updated: mom-0.4.0-1.el6ev.noarch
> > > >> Jun 18 18:27:30 Updated: libvirt-lock-sanlock-0.10.2-29.el6_5.9.x86_64
> > > > >> Jun 18 18:27:32 Updated: 2:qemu-kvm-rhev-0.12.1.2-2.415.el6_5.10.x86_64
> > > >> Jun 18 18:27:32 Updated: python-rhsm-1.9.7-1.el6_5.x86_64
> > > >> Jun 18 18:27:32 Updated: curl-7.19.7-37.el6_5.3.x86_64
> > > >> Jun 18 18:27:33 Updated: libxml2-python-2.7.6-14.el6_5.1.x86_64
> > > >> Jun 18 18:27:33 Updated: audit-libs-python-2.2-4.el6_5.x86_64
> > > >> Jun 18 18:27:33 Updated: audit-2.2-4.el6_5.x86_64
> > > >> Jun 18 18:27:33 Updated: mdadm-3.2.6-7.el6_5.2.x86_64
> > > >> Jun 18 18:27:33 Updated: python-cpopen-1.3-2.el6_5.x86_64
> > > > >> Jun 18 18:28:30 Updated: selinux-policy-targeted-3.7.19-231.el6_5.3.noarch
> > > >> Jun 18 18:28:30 Updated: python-pthreading-0.1.3-1.el6ev.noarch
> > > >>
> > > >>
> > > > >> I believe qemu-img-rhev, spice-server, libvirt, mom,... are important
> > > > >> components too. Should they not be upgraded as well?
> > > >>
> > > >>
> > > >> Thanks for clarification,
> > > >>
> > > >> Jiri
> > > >>
> > > >>
> > > >>
> > > >>
> > > >>
> > > >>
> > > >> _______________________________________________
> > > >> Users mailing list
> > > >> Users at ovirt.org
> > > >> http://lists.ovirt.org/mailman/listinfo/users
> > > >>
> > > 
> > > 
> > 
> 
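
Added example (not part of the original thread and not oVirt project code): one way to keep the stock template and add a single rule, then hand the multi-line result to `engine-config -s` as one quoted argument, which is equivalent to pasting the content between the quotes as described above. The template below is a constructed sample, 192.0.2.10 is a placeholder for the Zabbix server address, and `merge_rule`, `build_config`, `sample_template` and `template.txt` are hypothetical names.

```shell
#!/bin/sh
# Merge one custom rule into a saved copy of the IPTablesConfig template
# instead of replacing the whole template with a single line.

# Constructed sample template (NOT the real oVirt default); it only mimics the
# iptables-restore layout and the @CUSTOM_RULES@ placeholder seen in the thread.
sample_template() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
@CUSTOM_RULES@
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# merge_rule RULE: read a template on stdin and print it with RULE inserted
# just before the first INPUT REJECT rule (or before COMMIT if there is none).
# A rule already present ahead of that point is not added a second time.
merge_rule() {
    awk -v rule="$1" '
        $0 == rule { done = 1 }
        !done && (/^-A INPUT .*-j REJECT/ || /^COMMIT$/) { print rule; done = 1 }
        { print }
    '
}

# Placeholder source address (documentation range), port 10050 as in the thread.
ZABBIX_RULE='-A INPUT -p tcp -m state --state NEW -m tcp -s 192.0.2.10 --dport 10050 -j ACCEPT'

# build_config: the full multi-line value that would be stored.
build_config() { sample_template | merge_rule "$ZABBIX_RULE"; }

# On the engine host, with the real template saved to template.txt, the merged
# text is passed as ONE quoted argument; command substitution keeps the real
# newlines, which a literal "\n" typed inside the quotes does not:
#   engine-config -s IPTablesConfig="$(merge_rule "$ZABBIX_RULE" < template.txt)"
#   engine-config -g IPTablesConfig   # verify before restarting the engine

build_config
```

Placing the ACCEPT rule ahead of the REJECT line matters because iptables evaluates a chain in order; a rule appended after the REJECT would never match.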


