[ovirt-users] Hosts firewall custom setup

Yedidyah Bar David didi at redhat.com
Mon Feb 26 13:03:54 UTC 2018


On Mon, Feb 26, 2018 at 2:01 PM, Nicolas Ecarnot <nicolas at ecarnot.net> wrote:
> Hello,
>
> On oVirt 4.2.1.7, I'm trying to set up custom iptables rules as I've been
> doing for years with engine-config --set IPTablesConfigSiteCustom="blah blah
> blah".
>
> On my hosts, I can see that /etc/sysconfig/iptables does contain
> the correct custom rules I added, but when manually checking with iptables
> -L, I don't see my rules active.
>
> On my hosts, I see that the iptables service is stopped and disabled, and
> that the firewalld service is up and running.
>
> That explains why iptables customization has no effect.

Indeed.

IIRC the type of firewall is now set per cluster or something like that, not
sure about the details - adding Ondra.

>
> In the engine setup, I see that
> /etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf contains:
> OVESETUP_CONFIG/firewallManager=none:None
>
> I'm confused about this setting: when running engine-setup, I'm not sure I
> understand whether answering yes to the question about the firewall will modify
> the engine, the hosts, or all of them?

Only the engine.

>
> Actually, I'd like my engine to stay with a disabled firewall, but my hosts
> with an active one.

So you should reply 'No' as you did in 'engine-setup', and handle
iptables/firewalld on the engine after it's set up (upgraded), I think
from the UI.

>
> Is it true to say that this is not an option and I have to answer yes,
> enable the firewall on the engine, allowing the
> OVESETUP_CONFIG/firewallManager option to be set up (to firewalld or
> iptables), thus allowing the spread of this setup towards the hosts?

No, they are unrelated.

Best regards,
-- 
Didi

