[Users] Otopi pre-seeded answers and firewall settings

Giuseppe Ragusa giuseppe.ragusa at hotmail.com
Tue Mar 25 22:09:44 UTC 2014


Hi Didi,
I can confirm that using both an ovhe-answers.conf directive:
OVEHOSTED_NETWORK/firewallManager=str:nonexistent

and an /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf with:
[environment:enforce]
NETWORK/iptablesEnable=bool:False

results in "ovirt-hosted-engine-setup --config-append=ovhe-answers.conf" leaving iptables rules untouched while adding the second hypervisor host to an already deployed self-hosted-engine with one physical host.

Many thanks again,
Giuseppe

PS: is there any difference in using "ovirt-hosted-engine-setup" vs. "hosted-engine --deploy"?

From: giuseppe.ragusa at hotmail.com
To: didi at redhat.com
Date: Tue, 25 Mar 2014 22:49:36 +0100
CC: users at ovirt.org
Subject: Re: [Users] Otopi pre-seeded answers and firewall settings




Hi Didi,
many thanks for your invaluable help!

I'll try your suggestion (/etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf) asap and then I will report back.

By the way: I have a really custom iptables setup (multiple separated networks on hypervisor hosts), so I suppose it's best to hand tune firewall rules and then leave them alone (I pre-configure them, so the setup procedure won't be impeded in its communication needs anyway AND I will always guarantee the most stringent filtering possible with default deny ecc.).

Many thanks again,
Giuseppe

Date: Tue, 25 Mar 2014 04:05:33 -0400
From: didi at redhat.com
To: giuseppe.ragusa at hotmail.com
CC: users at ovirt.org
Subject: Re: [Users] Otopi pre-seeded answers and firewall settings

From: "Giuseppe Ragusa" <giuseppe.ragusa at hotmail.com>
To: "Yedidyah Bar David" <didi at redhat.com>
Cc: "Users at ovirt.org" <users at ovirt.org>
Sent: Tuesday, March 25, 2014 1:53:20 AM
Subject: RE: [Users] Otopi pre-seeded answers and firewall settings

Hi Didi,
I found the references to NETWORK/iptablesEnable in my engine logs (/var/log/ovirt-engine/host-deploy/ovirt-*.log), but it didn't seem to work after all.

Full logs attached.

I resurrected my Engine by rebooting the (still only) host, then restarting ovirt-ha-agent (at startup the agent failed while trying to launch vdsm, but I found vdsm running and so tried manually...).
OK, so it's host-deploy that's doing that. But it's not host-deploy itself - it's the engine that is talking to it, asking it to configure iptables. I don't know how to make the agent not do that. I searched a bit the sources (which I don't know) and didn't find a simple way.

You can, however, try to override this by:
# mkdir -p /etc/ovirt-host-deploy.conf.d
# echo '[environment:enforce]' > /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf
# echo 'NETWORK/iptablesEnable=bool:False' >> /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf

Never tried that, and not sure it's recommended - if it does work, it means that host-deploy will not update iptables, but the engine will think it did. So it's better to find a way to make the engine not do that. Or, better yet, that you'll explain why you need this and somehow make the engine do what you want...
-- 
Didi
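The two snippets in this thread (the answers-file directive and the conf.d enforce override) share the otopi key format `SECTION/key=type:value` grouped under `[environment:...]` sections. The following is an added example, not code from the thread, from otopi or from oVirt: a small parser for that format plus a pre-flight check that a hand-tuned firewall will not be rewritten, which is the practical question Giuseppe had. It assumes (a) otopi's section precedence is enforce over default over init, (b) otopi's bool convention accepts strings like "true"/"yes"/"1" as true, (c) `int` and `none` exist as value types alongside the `str` and `bool` seen here, and (d) an answers file carries an `[environment:default]` header; the sample file contents are constructed.

```python
"""Added example: parse otopi-style environment files (the format used by the
answers file and the /etc/ovirt-host-deploy.conf.d snippet in this thread) and
report whether the resolved settings keep both tools away from iptables."""
import configparser
from typing import Any, Dict, List

# otopi section precedence as I understand it (assumption, not stated in the
# thread): 'enforce' overrides 'default', which overrides 'init'.
SECTION_ORDER = ("environment:init", "environment:default", "environment:enforce")

# Constructed sample inputs, modelled on the two snippets Giuseppe posted.
# The [environment:default] header on the answers file is an assumption.
SAMPLE_ANSWERS = """\
[environment:default]
OVEHOSTED_NETWORK/firewallManager=str:nonexistent
"""

SAMPLE_CONF_D = [
    # A lower-numbered snippet that would enable iptables at 'default' rank...
    """\
[environment:default]
NETWORK/iptablesEnable=bool:True
""",
    # ...and the 99-prevent-iptables.conf from the thread, which wins because
    # 'enforce' outranks 'default' whatever the file order.
    """\
[environment:enforce]
NETWORK/iptablesEnable=bool:False
""",
]


def parse_typed_value(raw: str) -> Any:
    """Decode one 'type:value' string.

    'str' and 'bool' appear in the thread; 'int' and 'none' are the other
    otopi value types relied on here.  The set of strings accepted as a true
    bool is an assumption about otopi's convention."""
    kind, sep, value = raw.partition(":")
    if not sep:
        raise ValueError(f"missing 'type:' prefix in {raw!r}")
    if kind == "str":
        return value
    if kind == "bool":
        return value.strip().lower() in ("t", "true", "y", "yes", "1")
    if kind == "int":
        return int(value)
    if kind == "none":
        return None
    raise ValueError(f"unsupported value type {kind!r}")


def parse_env_file(text: str) -> Dict[str, Dict[str, Any]]:
    """Return {section: {KEY: decoded value}} for the contents of one file."""
    # Only '=' separates key from value; ':' belongs to the typed value.
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.optionxform = str  # keys such as NETWORK/iptablesEnable are case-sensitive
    parser.read_string(text)
    return {
        section: {key: parse_typed_value(val) for key, val in parser.items(section)}
        for section in parser.sections()
    }


def effective_env(file_texts: List[str]) -> Dict[str, Any]:
    """Merge files in the order given (conf.d order is the sorted file name,
    hence the '99-' prefix) and then apply section precedence."""
    by_rank: Dict[str, Dict[str, Any]] = {s: {} for s in SECTION_ORDER}
    for text in file_texts:
        for section, keys in parse_env_file(text).items():
            if section in by_rank:
                by_rank[section].update(keys)
    env: Dict[str, Any] = {}
    for section in SECTION_ORDER:
        env.update(by_rank[section])
    return env


def firewall_untouched(answers_text: str, conf_d_texts: List[str]) -> Dict[str, bool]:
    """Pre-flight check: is each tool told to leave iptables alone?

    hosted-engine-setup reads the answers file; host-deploy reads conf.d."""
    answers = effective_env([answers_text])
    host_deploy = effective_env(conf_d_texts)
    return {
        "hosted_engine_setup": answers.get("OVEHOSTED_NETWORK/firewallManager") == "nonexistent",
        "host_deploy": host_deploy.get("NETWORK/iptablesEnable") is False,
    }


if __name__ == "__main__":
    print(firewall_untouched(SAMPLE_ANSWERS, SAMPLE_CONF_D))
```

Run against real files by reading the answers file and the sorted contents of /etc/ovirt-host-deploy.conf.d into the two arguments. A False in the result means the corresponding tool would still manage iptables and could replace a default-deny ruleset like Giuseppe's; note Didi's caveat that the enforce override only stops host-deploy from writing rules, it does not tell the engine that no rules were written.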

_______________________________________________
Users mailing list
Users at ovirt.org
http://lists.ovirt.org/mailman/listinfo/users