<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Jan 9, 2018 at 3:25 PM, Peter Hudec <span dir="ltr">&lt;<a href="mailto:phudec@cnc.sk" target="_blank">phudec@cnc.sk</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It&#39;s not a bug as I&#39;m digging.<br></blockquote><div><br></div><div>Very well :-)<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
In logs I found<br></blockquote><div><br></div><div>Which logs?<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
2018-01-09 08:23:22,421+0100 DEBUG otopi.context<br>
context.dumpEnvironment:831 ENV NETWORK/firewalldEnable=bool:&#39;<wbr>False&#39;<br>
2018-01-09 08:23:22,422+0100 DEBUG otopi.context<br>
context.dumpEnvironment:831 ENV NETWORK/iptablesEnable=bool:&#39;<wbr>True&#39;<br>
<br>
So how to disable iptables and enable firewalld ?<br></blockquote><div><br></div><div>If host-deploy, then it&#39;s a per-host/per-cluster option you should<br></div><div>be able to choose in the web admin ui.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
        Peter<br>
<span class=""><br>
On 09/01/2018 13:47, Yedidyah Bar David wrote:<br>
&gt; (Adding Ondra for the firewalld stuff. But I think it&#39;s probably<br>
&gt; easier to debug if you open a bug and attach logs there).<br>
&gt;<br>
&gt; On Tue, Jan 9, 2018 at 2:34 PM, Peter Hudec &lt;<a href="mailto:phudec@cnc.sk">phudec@cnc.sk</a><br>
</span><span class="">&gt; &lt;mailto:<a href="mailto:phudec@cnc.sk">phudec@cnc.sk</a>&gt;&gt; wrote:<br>
&gt;<br>
&gt;     If I run host reinstall with custom firewall rules in<br>
&gt;     /etc/ovirt-engine/ansible/<wbr>ovirt-host-deploy-post-tasks.<wbr>yml the task will<br>
&gt;     fails due the firewalld is not running.<br>
&gt;<br>
&gt;     The reinstall task will disable firewalld and enable iptables-services.<br>
&gt;     I&#39;m little bit confused ;(<br>
&gt;<br>
&gt;     ---<br>
&gt;     - name: Enable additional port on firewalld<br>
&gt;       firewalld:<br>
&gt;         port: &quot;10050/tcp&quot;<br>
&gt;         permanent: yes<br>
&gt;         immediate: yes<br>
&gt;         state: enabled<br>
&gt;<br>
&gt;<br>
&gt;     2018-01-09 13:27:30,103 p=13550 u=ovirt |  included:<br>
&gt;     /etc/ovirt-engine/ansible/<wbr>ovirt-host-deploy-post-tasks.<wbr>yml for<br>
</span>&gt;     <a href="http://dipovirt01.cnc.sk" rel="noreferrer" target="_blank">dipovirt01.cnc.sk</a> &lt;<a href="http://dipovirt01.cnc.sk" rel="noreferrer" target="_blank">http://dipovirt01.cnc.sk</a>&gt;<br>
<span class="">&gt;     2018-01-09 13:27:30,134 p=13550 u=ovirt |  TASK [Enable additional port<br>
&gt;     on firewalld] ******************************<wbr>*******<br>
&gt;     2018-01-09 13:27:32,089 p=13550 u=ovirt |  fatal: [<a href="http://dipovirt01.cnc.sk" rel="noreferrer" target="_blank">dipovirt01.cnc.sk</a><br>
</span>&gt;     &lt;<a href="http://dipovirt01.cnc.sk" rel="noreferrer" target="_blank">http://dipovirt01.cnc.sk</a>&gt;]:<br>
<span class="">&gt;     FAILED! =&gt; {&quot;changed&quot;: false, &quot;module_stderr&quot;: &quot;Shared connection to<br>
</span>&gt;     <a href="http://dipovirt01.cnc.sk" rel="noreferrer" target="_blank">dipovirt01.cnc.sk</a> &lt;<a href="http://dipovirt01.cnc.sk" rel="noreferrer" target="_blank">http://dipovirt01.cnc.sk</a>&gt; closed.\r\n&quot;,<br>
<span class="">&gt;     &quot;module_stdout&quot;: &quot;Traceback (most recent<br>
&gt;     call last):\r\n  File<br>
&gt;     \&quot;/tmp/ansible_2Ilnjq/ansible_<wbr>module_firewalld.py\&quot;, line 936, in<br>
&gt;     &lt;module&gt;\r\n    main()\r\n  File<br>
&gt;     \&quot;/tmp/ansible_2Ilnjq/ansible_<wbr>module_firewalld.py\&quot;, line 788, in<br>
&gt;     main\r\n    module.fail(msg=&#39;firewall is not currently running, unable<br>
&gt;     to perform immediate actions without a running firewall<br>
&gt;     daemon&#39;)\r\nAttributeError: &#39;AnsibleModule&#39; object has no attribute<br>
&gt;     &#39;fail&#39;\r\n&quot;, &quot;msg&quot;: &quot;MODULE FAILURE&quot;, &quot;rc&quot;: 0}<br>
&gt;     2018-01-09 13:27:32,095 p=13550 u=ovirt |  PLAY RECAP<br>
&gt;     ******************************<wbr>******************************<wbr>*********<br>
&gt;<br>
&gt;<br>
&gt;     After reinstalation the status of firewalld is<br>
</span>&gt;     [PROD] <a href="mailto:root@dipovirt01.cnc.sk">root@dipovirt01.cnc.sk</a> &lt;mailto:<a href="mailto:root@dipovirt01.cnc.sk">root@dipovirt01.cnc.sk</a><wbr>&gt;:<br>
<span class="">&gt;     /var/log/vdsm # systemctl status firewalld<br>
&gt;     ● firewalld.service - firewalld - dynamic firewall daemon<br>
&gt;        Loaded: loaded (/usr/lib/systemd/system/<wbr>firewalld.service; disabled;<br>
&gt;     vendor preset: enabled)<br>
&gt;        Active: inactive (dead)<br>
&gt;          Docs: man:firewalld(1)<br>
&gt;<br>
&gt;<br>
&gt;     So how could I switch to firewalld? package iptables-service could not<br>
&gt;     be removed due the dependencies.<br>
&gt;<br>
&gt;             Peter<br>
&gt;<br>
&gt;     On 09/01/2018 09:35, Yedidyah Bar David wrote:<br>
&gt;     &gt;<br>
&gt;     &gt;     1) firewalld<br>
&gt;     &gt;     after upgrade the hot server, the i needed to stop firewalld. It seems,<br>
&gt;     &gt;     that, the rules are not generated correctly. The engine was not able to<br>
&gt;     &gt;     connect to the host. How do I could fix it?<br>
&gt;     &gt;<br>
&gt;     &gt;<br>
&gt;     &gt; Please check/share relevant files from /var/log/ovirt-engine/ansible/<br>
&gt;     &gt; and /var/log/ovirt-engine/host-<wbr>deploy/ . Or perhaps file a bug and<br>
&gt;     &gt; attach them there.<br>
&gt;<br>
&gt;<br>
&gt;     --<br>
&gt;     *Peter Hudec*<br>
&gt;     Infraštruktúrny architekt<br>
</span>&gt;     <a href="mailto:phudec@cnc.sk">phudec@cnc.sk</a> &lt;mailto:<a href="mailto:phudec@cnc.sk">phudec@cnc.sk</a>&gt; &lt;mailto:<a href="mailto:phudec@cnc.sk">phudec@cnc.sk</a><br>
<span class="im HOEnZb">&gt;     &lt;mailto:<a href="mailto:phudec@cnc.sk">phudec@cnc.sk</a>&gt;&gt;<br>
&gt;<br>
&gt;     *CNC, a.s.*<br>
&gt;     Borská 6, 841 04 Bratislava<br>
</span><span class="im HOEnZb">&gt;     Recepcia: <a href="tel:%2B421%202%C2%A0%2035%20000%20100" value="+421235000100">+421 2  35 000 100</a> &lt;tel:%2B421%202%C2%A0%2035%<wbr>20000%20100&gt;<br>
&gt;<br>
&gt;     Mobil:<a href="tel:%2B421%C2%A0905%20997%20203" value="+421905997203">+421 905 997 203</a> &lt;tel:%2B421%C2%A0905%20997%<wbr>20203&gt;<br>
&gt;     *<a href="http://www.cnc.sk" rel="noreferrer" target="_blank">www.cnc.sk</a> &lt;<a href="http://www.cnc.sk" rel="noreferrer" target="_blank">http://www.cnc.sk</a>&gt;* &lt;http:///<a href="http://www.cnc.sk" rel="noreferrer" target="_blank">www.cnc.sk</a><br>
&gt;     &lt;<a href="http://www.cnc.sk" rel="noreferrer" target="_blank">http://www.cnc.sk</a>&gt;&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; --<br>
&gt; Didi<br>
<br>
<br>
</span><div class="HOEnZb"><div class="h5">--<br>
*Peter Hudec*<br>
Infraštruktúrny architekt<br>
<a href="mailto:phudec@cnc.sk">phudec@cnc.sk</a> &lt;mailto:<a href="mailto:phudec@cnc.sk">phudec@cnc.sk</a>&gt;<br>
<br>
*CNC, a.s.*<br>
Borská 6, 841 04 Bratislava<br>
Recepcia: <a href="tel:%2B421%202%C2%A0%2035%20000%20100" value="+421235000100">+421 2  35 000 100</a><br>
<br>
Mobil:<a href="tel:%2B421%C2%A0905%20997%20203" value="+421905997203">+421 905 997 203</a><br>
*<a href="http://www.cnc.sk" rel="noreferrer" target="_blank">www.cnc.sk</a>* &lt;http:///<a href="http://www.cnc.sk" rel="noreferrer" target="_blank">www.cnc.sk</a>&gt;<br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Didi<br></div>
</div></div>