[Users] Otopi pre-seeded answers and firewall settings

Joshua Dotson josh at wrale.com
Sun Mar 23 18:03:15 EDT 2014


Giuseppe, et al.

I gave up on my six-server hosted engine install, partly for this reason.
In addition to this problem, I found that I couldn't use a bridge of my own
naming.  Then, trying to associate interfaces with bridges in the web
interface, my hand-tuned bridges were fatally clobbered.  Like, the files I
wrote by hand in /etc/sysconfig/ifcfg-*, bridges, and interfaces (some with
VLANs) alike.  And other things... like the Westmere vs. Ivy Bridge thing.

Anyway, I think what's happening to your install is that iptables on the
host is getting clobbered by the automatic "install" that happens when the
hosted-engine setup script finally contacts the engine for the first
time.  I'm not sure how to keep this from happening, but it's a place to
start.  And I think it's the reason your setting False didn't help.  By the
way, it took a two hour test for me to learn that even removing the
/etc/sysconfig/iptables file AND stopping AND disabling iptables via
systemctl on both host and engine did nothing to combat this behavior.

Back when I set up 3.0, I saw similar behavior.  At that time though, the
iptables thing wasn't fatal.  I observed here that this overwriting and
enabling/starting of iptables causes the very last part of the
hosted-engine setup script to fail miserably.  As a result of the engine
not being able to contact the host at the end of its "install" phase, the
H/A configuration is never done.  This is my theory, anyway.

I think oVirt should leave the firewall _completely_ alone and just
document what ports should be open.  I don't think we need that special
line at the bottom of /etc/sysconfig/iptables oVirt puts in there.   I'll
stop rambling now.  :-)  I like oVirt, but getting so far into this that I
have a two hour turnaround every time I want to test a minor tweak is
just too much.  I think this will get better in time, I hope.  At that
time, maybe I'll try again.

Here's what libvirt has to say about iptables vs. bridges:

"""

The final step is to disable netfilter on the bridge:

 # cat >> /etc/sysctl.conf <<EOF
 net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0
 EOF
 # sysctl -p /etc/sysctl.conf

It is recommended to do this for performance and security reasons. See Fedora
bug #512206 <https://bugzilla.redhat.com/512206>. Alternatively you can
configure iptables to allow all traffic to be forwarded across the bridge:

# echo "-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" > /etc/sysconfig/iptables-forward-bridged
# lokkit --custom-rules=ipv4:filter:/etc/sysconfig/iptables-forward-bridged
# service libvirtd reload

"""  source:
http://wiki.libvirt.org/page/Networking#Creating_network_initscripts

You might be interested to know that you can pre-populate vm.conf.in in
/usr/share, before the install.  Here was mine:

vmId=@VM_UUID@

memSize=@MEM_SIZE@

display=@CONSOLE_TYPE@

devices={index:2,iface:ide,address:{ controller:0, target:0,unit:0, bus:1, type:drive},specParams:{},readonly:true,deviceId:@CDROM_UUID@,path:@CDROM@,device:cdrom,shared:false,type:disk@BOOT_CDROM@}

devices={index:0,iface:virtio,format:raw,poolID:@SP_UUID@,volumeID:@VOL_UUID@,imageID:@IMG_UUID@,specParams:{},readonly:false,domainID:@SD_UUID@,optional:false,deviceId:@IMG_UUID@,address:{bus:0x00, slot:0x06, domain:0x0000, type:pci, function:0x0},device:disk,shared:exclusive,propagateErrors:off,type:disk@BOOT_DISK@}

devices={device:scsi,model:virtio-scsi,type:controller}

devices={device:console,specParams:{},type:console,deviceId:@CONSOLE_UUID@,alias:console0}

vmName=@NAME@

spiceSecureChannels=smain,sdisplay,sinputs,scursor,splayback,srecord,ssmartcard,susbredir

smp=@VCPUS@

cpuType=@CPU_TYPE@

emulatedMachine=@EMULATED_MACHINE@

devices={nicModel:pv,macAddr:00:16:3e:3d:78:10,linkActive:true,network:brbaseboard,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:ab3f9ae9-1d1b-432e-997d-f3458f89cf10,address:{bus:0x01, slot:0x01, domain:0x0000, type:pci, function:0x0},device:bridge,type:interface}

devices={nicModel:pv,macAddr:@MAC_ADDR@,linkActive:true,network:@BRIDGE@,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:@NIC_UUID@,address:{bus:0x01, slot:0x02, domain:0x0000, type:pci, function:0x0},device:bridge,type:interface@BOOT_PXE@}

devices={nicModel:pv,macAddr:00:16:3e:3d:78:30,linkActive:true,network:brstorage,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:ab3f9ae9-1d1b-432e-997d-f3458f89cf30,address:{bus:0x01, slot:0x03, domain:0x0000, type:pci, function:0x0},device:bridge,type:interface}

devices={nicModel:pv,macAddr:00:16:3e:3d:78:40,linkActive:true,network:brcompute,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:ab3f9ae9-1d1b-432e-997d-f3458f89cf40,address:{bus:0x01, slot:0x04, domain:0x0000, type:pci, function:0x0},device:bridge,type:interface}

devices={nicModel:pv,macAddr:00:16:3e:3d:78:00,linkActive:true,network:brpublic,filter:vdsm-no-mac-spoofing,specParams:{},deviceId:ab3f9ae9-1d1b-432e-997d-f3458f89cf00,address:{bus:0x01, slot:0x5, domain:0x0000, type:pci,function:0x0},device:bridge,type:interface}


Here's my answers file for the hosted-engine script  (This was a version
where I was testing manual selection of iptables=false):

[environment:default]
OVEHOSTED_NETWORK/bridgeIf=str:p1p1
OVEHOSTED_NETWORK/bridgeName=str:brinternal
OVEHOSTED_NETWORK/fqdn=str:ovirt-engine-n1.redacted.com
OVEHOSTED_NETWORK/gateway=str:55.55.55.1
OVEHOSTED_NOTIF/destEmail=str:root@localhost
OVEHOSTED_NOTIF/smtpPort=str:25
OVEHOSTED_NOTIF/smtpServer=str:localhost
OVEHOSTED_NOTIF/sourceEmail=str:root@localhost
OVEHOSTED_STORAGE/connectionUUID=str:0f639e4f-8b4e-4c97-aa34-79e71ccc615a
OVEHOSTED_STORAGE/domainType=str:nfs3
OVEHOSTED_STORAGE/imgSizeGB=str:64
OVEHOSTED_STORAGE/imgUUID=str:63121632-e3b6-42c1-829d-8ebc37a6e6a6
OVEHOSTED_STORAGE/sdUUID=str:4de7efd5-39fa-46c1-9116-53fd34d13630
OVEHOSTED_STORAGE/spUUID=str:0afa6614-c6d2-4390-b2e8-8efdf19a7e2b
OVEHOSTED_STORAGE/storageDatacenterName=str:dc_ssd-vol-ovirt-engine-n001
OVEHOSTED_STORAGE/storageDomainConnection=str:10.30.3.9:/ssd-vol-ovirt-engine-n001
OVEHOSTED_STORAGE/storageDomainName=str:sd_ssd-vol-ovirt-engine-n001
OVEHOSTED_STORAGE/volUUID=str:7d512edc-d939-4abe-bfb3-c3828fad7b3c
OVEHOSTED_VDSM/caSubject=str:/C=EN/L=Test/O=Test/CN=TestCA
OVEHOSTED_VDSM/consoleType=str:vnc
OVEHOSTED_VDSM/cpu=str:model_Westmere
OVEHOSTED_VDSM/pkiSubject=str:/C=EN/L=Test/O=Test/CN=Test
OVEHOSTED_VDSM/spicePkiSubject=str:C=EN, L=Test, O=Test, CN=Test
OVEHOSTED_VM/cdromUUID=str:f68ce9dc-51a7-43d7-aff3-5c57f08c5ff1
OVEHOSTED_VM/consoleUUID=str:01667bb2-cc81-4e09-b751-af356ae44136
OVEHOSTED_VM/emulatedMachine=str:pc
OVEHOSTED_VM/nicUUID=str:ab3f9ae9-1d1b-432e-997d-f3458f89cf20
OVEHOSTED_VM/ovfArchive=none:None
OVEHOSTED_VM/vmBoot=str:cdrom
OVEHOSTED_VM/vmCDRom=str:/opt/iso/Fedora-19-x86_64-DVD.iso
OVEHOSTED_VM/vmMACAddr=str:00:16:3e:3d:78:20
OVEHOSTED_VM/vmMemSizeMB=str:8192
OVEHOSTED_VM/vmUUID=str:ad0a46d7-3974-4511-a341-7a6def000cbb
OVEHOSTED_VM/vmVCpus=str:2


Thanks,
Joshua


On Sun, Mar 23, 2014 at 4:44 PM, Giuseppe Ragusa <
giuseppe.ragusa at hotmail.com> wrote:

> Hi all,
> I'm trying to automate as much as possible of ovirt-hosted-engine-setup
> and engine-setup by means of otopi answer files passed in using
> "--config-append=filename.conf".
>
> I succeeded in forcing engine-setup to leave my iptables settings alone
> with:
>
> OVESETUP_CONFIG/firewallManager=str:iptables
> OVESETUP_CONFIG/updateFirewall=bool:False
>
> but ovirt-hosted-engine-setup still modified my iptables settings even
> with the following options:
>
> OVEHOSTED_NETWORK/firewallManager=str:iptables
> OVEHOSTED_NETWORK/iptablesEnable=bool:False
>
> Maybe I used the wrong option (deduced by looking inside source code).
>
> Does anybody have any hint/suggestion?
>
> Many thanks in advance,
> Giuseppe
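A pre-flight check for the answer files discussed in this thread, as an added example that is not part of either message and not oVirt's own code: it parses the `KEY=type:value` format shown above and lists the firewall switches quoted in the thread that a file does not explicitly set to False. The function names and the grouping of keys by their `OVESETUP`/`OVEHOSTED` prefix are assumptions made for illustration.

```python
import configparser

# Boolean firewall switches quoted in this thread; no other key names are assumed.
FIREWALL_SWITCHES = ("OVESETUP_CONFIG/updateFirewall",
                     "OVEHOSTED_NETWORK/iptablesEnable")

def decode(raw):
    """Decode an otopi 'type:value' answer (only the types shown in the thread)."""
    kind, sep, value = raw.partition(":")
    if not sep:
        raise ValueError(f"answer has no type prefix: {raw!r}")
    if kind == "str":
        return value
    if kind == "none":
        return None
    if kind == "bool" and value in ("True", "False"):
        return value == "True"
    raise ValueError(f"unhandled answer: {raw!r}")

def load_answers(text):
    """Parse the [environment:default] section into {key: decoded value}."""
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.optionxform = str          # keep key case exactly as written
    parser.read_string(text)
    return {k: decode(v) for k, v in parser.items("environment:default")}

def firewall_findings(text):
    """List switches that do not explicitly ask setup to leave the firewall alone."""
    answers = load_answers(text)
    families = {key.split("_", 1)[0] for key in answers}   # OVESETUP / OVEHOSTED
    findings = []
    for switch in FIREWALL_SWITCHES:
        if switch.split("_", 1)[0] not in families:
            continue                  # file has no answers for that setup tool
        if switch not in answers:
            findings.append(f"{switch}: not pre-seeded")
        elif answers[switch] is not False:
            findings.append(f"{switch}: set to {answers[switch]!r}")
    return findings

# Constructed sample assembled from lines quoted in the thread.
SAMPLE = """\
[environment:default]
OVEHOSTED_NETWORK/bridgeName=str:brinternal
OVEHOSTED_VM/ovfArchive=none:None
OVEHOSTED_VM/vmMACAddr=str:00:16:3e:3d:78:20
OVESETUP_CONFIG/firewallManager=str:iptables
OVESETUP_CONFIG/updateFirewall=bool:False
"""

if __name__ == "__main__":
    print(firewall_findings(SAMPLE))
```

An empty result only confirms what the file requests; as both posters report, the hosted-engine deployment still rewrote iptables with the switch set to False, so compare the host's rules before and after a run as well.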