[ovirt-users] ovirt 4.2 upgrade questions
Peter Hudec
phudec at cnc.sk
Tue Jan 9 13:43:13 UTC 2018
Thanks. The upgrade is in process. I needed to solve some issues before.
Peter
On 09/01/2018 14:39, Martin Perina wrote:
>
>
> On Tue, Jan 9, 2018 at 2:25 PM, Peter Hudec <phudec at cnc.sk> wrote:
>
> It's not a bug as I'm digging.
>
> In logs I found
>
> 2018-01-09 08:23:22,421+0100 DEBUG otopi.context context.dumpEnvironment:831 ENV NETWORK/firewalldEnable=bool:'False'
> 2018-01-09 08:23:22,422+0100 DEBUG otopi.context context.dumpEnvironment:831 ENV NETWORK/iptablesEnable=bool:'True'
>
> So how to disable iptables and enable firewalld ?
>
>
> Hi,
>
> firewall type is a cluster level option. Please go to Clusters, edit
> selected cluster and change Firewall type to firewalld. After that you
> need to execute Reinstall on all hosts in the cluster to switch from
> iptables to firewalld on them.
>
> Btw, I assume this is upgraded cluster, so please make sure that VDSM
> 4.20 (from oVirt 4.2) is installed on all hosts before making this change.
>
> Thanks
>
> Martin
>
>
> Peter
>
> On 09/01/2018 13:47, Yedidyah Bar David wrote:
> > (Adding Ondra for the firewalld stuff. But I think it's probably
> > easier to debug if you open a bug and attach logs there).
> >
> > On Tue, Jan 9, 2018 at 2:34 PM, Peter Hudec <phudec at cnc.sk> wrote:
> >
> > If I run host reinstall with custom firewall rules in
> > /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml, the task will
> > fail because firewalld is not running.
> >
> > The reinstall task will disable firewalld and enable iptables-services.
> > I'm a little bit confused ;(
> >
> > ---
> > - name: Enable additional port on firewalld
> >   firewalld:
> >     port: "10050/tcp"
> >     permanent: yes
> >     immediate: yes
> >     state: enabled
> >
> >
> > 2018-01-09 13:27:30,103 p=13550 u=ovirt | included: /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml for dipovirt01.cnc.sk
> > 2018-01-09 13:27:30,134 p=13550 u=ovirt | TASK [Enable additional port on firewalld] *************************************
> > 2018-01-09 13:27:32,089 p=13550 u=ovirt | fatal: [dipovirt01.cnc.sk]: FAILED! => {"changed": false, "module_stderr": "Shared connection to dipovirt01.cnc.sk closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/tmp/ansible_2Ilnjq/ansible_module_firewalld.py\", line 936, in <module>\r\n main()\r\n File \"/tmp/ansible_2Ilnjq/ansible_module_firewalld.py\", line 788, in main\r\n module.fail(msg='firewall is not currently running, unable to perform immediate actions without a running firewall daemon')\r\nAttributeError: 'AnsibleModule' object has no attribute 'fail'\r\n", "msg": "MODULE FAILURE", "rc": 0}
> > 2018-01-09 13:27:32,095 p=13550 u=ovirt | PLAY RECAP *********************************************************************
> >
> >
> > After reinstallation the status of firewalld is
> > [PROD] root at dipovirt01.cnc.sk: /var/log/vdsm # systemctl status firewalld
> > ● firewalld.service - firewalld - dynamic firewall daemon
> >    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
> >    Active: inactive (dead)
> >      Docs: man:firewalld(1)
> >
> >
> > So how could I switch to firewalld? Package iptables-service could not
> > be removed due to the dependencies.
> >
> > Peter
> >
> > On 09/01/2018 09:35, Yedidyah Bar David wrote:
> > >
> > > 1) firewalld
> > > After upgrading the host server, I needed to stop firewalld. It seems
> > > that the rules are not generated correctly. The engine was not able to
> > > connect to the host. How could I fix it?
> > >
> > >
> > > Please check/share relevant files from /var/log/ovirt-engine/ansible/
> > > and /var/log/ovirt-engine/host-deploy/ . Or perhaps file a bug and
> > > attach them there.
> >
> >
> > --
> > *Peter Hudec*
> > Infrastructure Architect
> > phudec at cnc.sk
> >
> > *CNC, a.s.*
> > Borská 6, 841 04 Bratislava
> > Reception: +421 2 35 000 100
> >
> > Mobile: +421 905 997 203
> > *www.cnc.sk*
> >
> >
> >
> >
> > --
> > Didi
>
>
> --
> *Peter Hudec*
> Infrastructure Architect
> phudec at cnc.sk
>
> *CNC, a.s.*
> Borská 6, 841 04 Bratislava
> Reception: +421 2 35 000 100
>
> Mobile: +421 905 997 203
> *www.cnc.sk*
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
>
>
> --
> Martin Perina
> Associate Manager, Software Engineering
> Red Hat Czech s.r.o.
--
*Peter Hudec*
Infrastructure Architect
phudec at cnc.sk
*CNC, a.s.*
Borská 6, 841 04 Bratislava
Reception: +421 2 35 000 100
Mobile: +421 905 997 203
*www.cnc.sk*
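
The traceback quoted in the thread shows the post-task failing because `immediate: yes` needs a running firewalld daemon, which is absent while the cluster firewall type is still iptables. A guarded variant of that post-task follows as an added example, not part of the original messages or of oVirt's own playbooks; the registered variable name `firewalld_state` and the two extra task names are assumptions.

```yaml
---
# Added example: guarded version of the post-task quoted in the thread.
# Intended for /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml,
# which the log shows is included as a plain task list.

- name: Check whether firewalld is active on the host
  command: systemctl is-active firewalld
  register: firewalld_state        # hypothetical variable name
  changed_when: false              # read-only probe, never reports a change
  failed_when: false               # non-zero rc only means "not active"

- name: Enable additional port on firewalld
  firewalld:
    port: "10050/tcp"
    permanent: yes
    immediate: yes                 # requires a running daemon, hence the guard
    state: enabled
  when: firewalld_state.stdout == "active"

- name: Report that the port was not opened
  debug:
    msg: >-
      firewalld is not active on {{ inventory_hostname }}, so 10050/tcp
      was not opened. Check the cluster Firewall type and reinstall the host.
  when: firewalld_state.stdout != "active"
```

With this guard the reinstall completes on an iptables cluster instead of aborting, but the port stays closed until the cluster Firewall type is switched to firewalld and the host is reinstalled, as described in the reply above.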