[Users] Otopi pre-seeded answers and firewall settings

Joshua Dotson josh at wrale.com
Tue Mar 25 22:18:44 UTC 2014


Giuseppe,

I should have clarified.  I meant to blacklist the packages only for a
short time, while you add the nodes to the oVirt environment.  Once
everything was set up, you would remove these restrictions and yum install
iptables.  You'd then configure to taste.

Glad to hear of your success with the conf file method, though.

Thanks,
Joshua


On Tue, Mar 25, 2014 at 6:15 PM, Giuseppe Ragusa <
giuseppe.ragusa at hotmail.com> wrote:

> Hi Joshua,
> many thanks for your suggestion which I suppose would work perfectly, but
> I actually want iptables (CentOS 6.5 here, so no firewalld) rules in place
> all the time, but only "MY OWN" iptables rules ;>
>
> Regards,
> Giuseppe
>
> ------------------------------
> Date: Tue, 25 Mar 2014 18:04:04 -0400
> Subject: Re: [Users] Otopi pre-seeded answers and firewall settings
> From: josh at wrale.com
> To: giuseppe.ragusa at hotmail.com
>
> Perhaps you could add the iptables and firewalld packages to yum.conf as
> excludes.  I don't know if this would fail silently, but if so, the engine
> installer would never know.
>
> Thanks,
> Joshua
>
>
> On Tue, Mar 25, 2014 at 5:49 PM, Giuseppe Ragusa <
> giuseppe.ragusa at hotmail.com> wrote:
>
> Hi Didi,
> many thanks for your invaluable help!
>
> I'll try your suggestion
> (/etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf) asap and then I
> will report back.
>
> By the way: I have a really custom iptables setup (multiple separated
> networks on hypervisor hosts), so I suppose it's best to hand tune firewall
> rules and then leave them alone (I pre-configure them, so the setup
> procedure won't be impeded in its communication needs anyway AND I will
> always guarantee the most stringent filtering possible with default deny
> etc.).
>
> Many thanks again,
> Giuseppe
>
> ------------------------------
> Date: Tue, 25 Mar 2014 04:05:33 -0400
> From: didi at redhat.com
> To: giuseppe.ragusa at hotmail.com
> CC: users at ovirt.org
> Subject: Re: [Users] Otopi pre-seeded answers and firewall settings
>
> From: "Giuseppe Ragusa" <giuseppe.ragusa at hotmail.com>
> To: "Yedidyah Bar David" <didi at redhat.com>
> Cc: "Users at ovirt.org" <users at ovirt.org>
> Sent: Tuesday, March 25, 2014 1:53:20 AM
> Subject: RE: [Users] Otopi pre-seeded answers and firewall settings
>
> Hi Didi,
> I found the references to NETWORK/iptablesEnable in my engine logs
> (/var/log/ovirt-engine/host-deploy/ovirt-*.log), but it didn't seem to work
> after all.
>
> Full logs attached.
>
> I resurrected my Engine by rebooting the (still only) host, then
> restarting ovirt-ha-agent (at startup the agent failed while trying to
> launch vdsm, but I found vdsm running and so tried manually...).
>
>
> OK, so it's host-deploy that's doing that.
> But it's not host-deploy itself - it's the engine that is talking to it,
> asking it to configure iptables.
> I don't know how to make the agent not do that. I searched the sources a bit
> (which I don't know) and didn't find a simple way.
>
> You can, however, try to override this by:
> # mkdir -p /etc/ovirt-host-deploy.conf.d
> # echo '[environment:enforce]' > /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf
> # echo 'NETWORK/iptablesEnable=bool:False' >> /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf
>
> Never tried that, and not sure it's recommended - if it does work, it
> means that host-deploy will not
> update iptables, but the engine will think it did. So it's better to find
> a way to make the engine not do
> that. Or, better yet, that you'll explain why you need this and somehow
> make the engine do what you want...
> --
> Didi
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
>
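With the enforce drop-in quoted above, the engine believes iptables was configured while the host keeps its own rules, so it is worth confirming that the ruleset really is untouched after host deployment. The script below is an added example, not code from the thread or from the oVirt project: it writes that drop-in and compares two `iptables-save` dumps while ignoring timestamps and counters. The function names are hypothetical and the sample dumps are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of otopi/host-deploy.

# Write the enforce drop-in quoted in the thread into directory $1
# (on a real host: /etc/ovirt-host-deploy.conf.d).
write_dropin() {
    mkdir -p "$1" || return 1
    printf '%s\n' '[environment:enforce]' 'NETWORK/iptablesEnable=bool:False' \
        > "$1/99-prevent-iptables.conf"
}

# Reduce iptables-save output on stdin to the rules alone: drop the timestamped
# comment lines and zero the [packets:bytes] counters, which differ per dump.
normalize_rules() {
    sed -e '/^#/d' -e 's/\[[0-9]*:[0-9]*]/[0:0]/g'
}

# SHA-256 of the normalized ruleset stored in file $1.
rules_digest() {
    normalize_rules < "$1" | sha256sum | cut -d' ' -f1
}

# Exit 0 when dumps $1 and $2 hold the same rules, 1 when they differ.
rules_unchanged() {
    [ "$(rules_digest "$1")" = "$(rules_digest "$2")" ]
}

# Constructed sample dumps (not from the thread): a baseline, the same rules
# dumped later, and a dump where an extra ACCEPT rule has appeared.
make_samples() {
    printf '%s\n' '# Generated by iptables-save on Tue Mar 25 17:00:00 2014' \
        '*filter' ':INPUT DROP [10:840]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [5:300]' \
        '-A INPUT -i lo -j ACCEPT' '-A INPUT -p tcp --dport 22 -j ACCEPT' 'COMMIT' \
        > "$1/before.rules"
    sed -e 's/17:00:00/19:30:00/' -e 's/\[10:840]/[97:8148]/' \
        "$1/before.rules" > "$1/after.rules"
    { grep -v '^COMMIT$' "$1/before.rules"
      printf '%s\n' '-A INPUT -p tcp --dport 8080 -j ACCEPT' 'COMMIT'; } > "$1/drifted.rules"
}

demo() {
    d=$(mktemp -d) && write_dropin "$d/conf.d" && make_samples "$d" || return 1
    rules_unchanged "$d/before.rules" "$d/after.rules" && echo "after: unchanged"
    rules_unchanged "$d/before.rules" "$d/drifted.rules" || echo "drifted: CHANGED"
    rm -rf "$d"
}
demo
```

On a real host the two inputs would be `iptables-save` output captured before and after adding the host to the engine.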