[ovirt-users] ovirt 4.2 upgrade questions

Peter Hudec phudec at cnc.sk
Tue Jan 9 13:43:13 UTC 2018


Thanks. The upgrade is in process. I needed to solve some issues before.

	Peter

On 09/01/2018 14:39, Martin Perina wrote:
> 
> 
> On Tue, Jan 9, 2018 at 2:25 PM, Peter Hudec <phudec at cnc.sk> wrote:
> 
>     It's not a bug as I'm digging.
> 
>     In logs I found
> 
>     2018-01-09 08:23:22,421+0100 DEBUG otopi.context context.dumpEnvironment:831 ENV NETWORK/firewalldEnable=bool:'False'
>     2018-01-09 08:23:22,422+0100 DEBUG otopi.context context.dumpEnvironment:831 ENV NETWORK/iptablesEnable=bool:'True'
> 
>     So how to disable iptables and enable firewalld?
> 
> 
> Hi,
> 
> firewall type is a cluster level option. Please go to Clusters, edit
> selected cluster and change Firewall type to firewalld. After that you
> need to execute Reinstall on all hosts in the cluster to switch from
> iptables to firewalld on them.
> 
> Btw, I assume this is upgraded cluster, so please make sure that VDSM
> 4.20 (from oVirt 4.2) is installed on all hosts before making this change.
> 
> Thanks
> 
> Martin
> 
> 
>             Peter
> 
>     On 09/01/2018 13:47, Yedidyah Bar David wrote:
>     > (Adding Ondra for the firewalld stuff. But I think it's probably
>     > easier to debug if you open a bug and attach logs there).
>     >
>     > On Tue, Jan 9, 2018 at 2:34 PM, Peter Hudec <phudec at cnc.sk> wrote:
>     >
>     >     If I run host reinstall with custom firewall rules in
>     >     /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml the task
>     >     will fail because firewalld is not running.
>     >
>     >     The reinstall task will disable firewalld and enable iptables-services.
>     >     I'm a little bit confused ;(
>     >
>     >     ---
>     >     - name: Enable additional port on firewalld
>     >       firewalld:
>     >         port: "10050/tcp"
>     >         permanent: yes
>     >         immediate: yes
>     >         state: enabled
>     >
>     >
>     >     2018-01-09 13:27:30,103 p=13550 u=ovirt |  included: /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml for dipovirt01.cnc.sk
>     >     2018-01-09 13:27:30,134 p=13550 u=ovirt |  TASK [Enable additional port on firewalld] *************************************
>     >     2018-01-09 13:27:32,089 p=13550 u=ovirt |  fatal: [dipovirt01.cnc.sk]: FAILED! => {"changed": false, "module_stderr": "Shared connection to dipovirt01.cnc.sk closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n  File \"/tmp/ansible_2Ilnjq/ansible_module_firewalld.py\", line 936, in <module>\r\n    main()\r\n  File \"/tmp/ansible_2Ilnjq/ansible_module_firewalld.py\", line 788, in main\r\n    module.fail(msg='firewall is not currently running, unable to perform immediate actions without a running firewall daemon')\r\nAttributeError: 'AnsibleModule' object has no attribute 'fail'\r\n", "msg": "MODULE FAILURE", "rc": 0}
>     >     2018-01-09 13:27:32,095 p=13550 u=ovirt |  PLAY RECAP *********************************************************************
>     >
>     >
>     >     After reinstallation the status of firewalld is
>     >     [PROD] root at dipovirt01.cnc.sk: /var/log/vdsm # systemctl status firewalld
>     >     ● firewalld.service - firewalld - dynamic firewall daemon
>     >        Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
>     >        Active: inactive (dead)
>     >          Docs: man:firewalld(1)
>     >
>     >
>     >     So how could I switch to firewalld? The package iptables-service
>     >     could not be removed due to the dependencies.
>     >
>     >             Peter
>     >
>     >     On 09/01/2018 09:35, Yedidyah Bar David wrote:
>     >     >
>     >     >     1) firewalld
>     >     >     after upgrading the host server, I needed to stop firewalld.
>     >     >     It seems that the rules are not generated correctly. The engine
>     >     >     was not able to connect to the host. How could I fix it?
>     >     >
>     >     >
>     >     > Please check/share relevant files from /var/log/ovirt-engine/ansible/
>     >     > and /var/log/ovirt-engine/host-deploy/ . Or perhaps file a bug and
>     >     > attach them there.
>     >
>     >
>     >     --
>     >     *Peter Hudec*
>     >     Infrastructure Architect
>     >     phudec at cnc.sk
>     >
>     >     *CNC, a.s.*
>     >     Borská 6, 841 04 Bratislava
>     >     Reception: +421 2  35 000 100
>     >
>     >     Mobile: +421 905 997 203
>     >     *www.cnc.sk*
>     >
>     >
>     >
>     >
>     > --
>     > Didi
> 
> 
> -- 
> Martin Perina
> Associate Manager, Software Engineering
> Red Hat Czech s.r.o.


-- 
*Peter Hudec*
Infrastructure Architect
phudec at cnc.sk

*CNC, a.s.*
Borská 6, 841 04 Bratislava
Reception: +421 2  35 000 100

Mobile: +421 905 997 203
*www.cnc.sk*
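
The mismatch discussed in this thread (host-deploy told to enable iptables while the post-task drives firewalld with `immediate: yes`) can be checked from the log before a reinstall is attempted. The following is an added example, not part of the original messages or of oVirt; the function names are hypothetical, the sample log is constructed from the two lines quoted above, and it assumes that later environment dumps in the same log supersede earlier ones.

```python
import re

# otopi logs each environment key as: ENV <KEY>=<type>:'<value>'
ENV_RE = re.compile(r"ENV (NETWORK/(?:firewalld|iptables)Enable)=bool:'(True|False)'")

# Constructed sample: the two dumpEnvironment lines quoted in the thread, unwrapped.
SAMPLE_LOG = (
    "2018-01-09 08:23:22,421+0100 DEBUG otopi.context context.dumpEnvironment:831 "
    "ENV NETWORK/firewalldEnable=bool:'False'\n"
    "2018-01-09 08:23:22,422+0100 DEBUG otopi.context context.dumpEnvironment:831 "
    "ENV NETWORK/iptablesEnable=bool:'True'\n"
)

# The post-task quoted in the thread.
SAMPLE_TASKS = """\
---
- name: Enable additional port on firewalld
  firewalld:
    port: "10050/tcp"
    permanent: yes
    immediate: yes
    state: enabled
"""

def firewall_settings(log_text):
    """Last logged value per key (assumption: later dumps supersede earlier ones)."""
    settings = {}
    for match in ENV_RE.finditer(log_text):
        settings[match.group(1)] = match.group(2) == "True"
    return settings

def deployed_backend(log_text):
    """Name the firewall service host-deploy was told to enable."""
    s = firewall_settings(log_text)
    firewalld = s.get("NETWORK/firewalldEnable")
    iptables = s.get("NETWORK/iptablesEnable")
    if firewalld is None and iptables is None:
        return "unknown"
    if firewalld and iptables:
        return "conflict"
    return "firewalld" if firewalld else "iptables" if iptables else "none"

def firewalld_task_will_fail(log_text, tasks_yaml):
    """A firewalld task with 'immediate: yes' needs the daemon running on the host."""
    uses_module = re.search(r"^\s*firewalld:\s*$", tasks_yaml, re.M) is not None
    immediate = re.search(r"^\s*immediate:\s*(yes|true)\s*$", tasks_yaml, re.M | re.I)
    return uses_module and immediate is not None and deployed_backend(log_text) != "firewalld"

if __name__ == "__main__":
    print(deployed_backend(SAMPLE_LOG), firewalld_task_will_fail(SAMPLE_LOG, SAMPLE_TASKS))
```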


