[ovirt-users] Hosts firewall custom setup

Yedidyah Bar David didi at redhat.com
Mon Feb 26 13:03:54 UTC 2018

On Mon, Feb 26, 2018 at 2:01 PM, Nicolas Ecarnot <nicolas at ecarnot.net> wrote:
> Hello,
> On oVirt, I'm trying to set up custom iptables rules as I have been doing
> for years with engine-config --set IPTablesConfigSiteCustom="blah blah
> blah".
> On my hosts, I can see that /etc/sysconfig/iptables does contain
> the correct custom rules I added, but when manually checking with iptables
> -L, I don't see my rules active.
> On my hosts, I see that the iptables service is stopped and disabled, and
> that the firewalld service is up and running.
> That explains why iptables customization has no effect.


IIRC the type of firewall is now set per cluster or something like that, not
sure about the details - adding Ondra.

> In the engine setup, I see that
> /etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf contains:
> OVESETUP_CONFIG/firewallManager=none:None
> I'm confused about this setting: when running engine-setup, I'm not sure I
> understand whether answering yes to the question about the firewall will modify
> the engine, the hosts, or all of them?

Only the engine.

> Actually, I'd like my engine to stay with a disabled firewall, but my hosts
> with an active one.

So you should reply 'No' as you did in 'engine-setup', and handle
on the engine after it's set up (upgraded), I think from the UI.

> Is it true to say that this is not an option and I have to answer yes,
> enable the firewall on the engine, allowing the
> OVESETUP_CONFIG/firewallManager option to be set up (to firewalld or
> iptables), thus allowing the spread of this setup towards the hosts?

No, they are unrelated.

Best regards,
