<div dir="ltr"><div>(Adding Ondra for the firewalld stuff. But I think it's probably<br></div>easier to debug if you open a bug and attach logs there).<br><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 9, 2018 at 2:34 PM, Peter Hudec <span dir="ltr"><<a href="mailto:phudec@cnc.sk" target="_blank">phudec@cnc.sk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">If I run host reinstall with custom firewall rules in<br>
/etc/ovirt-engine/ansible/<wbr>ovirt-host-deploy-post-tasks.<wbr>yml the task will<br>
fail because firewalld is not running.<br>
<br>
The reinstall task will disable firewalld and enable iptables-services.<br>
I'm a little bit confused ;(<br>
<br>
---<br>
- name: Enable additional port on firewalld<br>
  firewalld:<br>
    port: "10050/tcp"<br>
    permanent: yes<br>
    immediate: yes<br>
    state: enabled<br>
<br>
<br>
2018-01-09 13:27:30,103 p=13550 u=ovirt | included:<br>
/etc/ovirt-engine/ansible/<wbr>ovirt-host-deploy-post-tasks.<wbr>yml for<br>
<a href="http://dipovirt01.cnc.sk" rel="noreferrer" target="_blank">dipovirt01.cnc.sk</a><br>
2018-01-09 13:27:30,134 p=13550 u=ovirt | TASK [Enable additional port<br>
on firewalld] ******************************<wbr>*******<br>
2018-01-09 13:27:32,089 p=13550 u=ovirt | fatal: [<a href="http://dipovirt01.cnc.sk" rel="noreferrer" target="_blank">dipovirt01.cnc.sk</a>]:<br>
FAILED! => {"changed": false, "module_stderr": "Shared connection to<br>
<a href="http://dipovirt01.cnc.sk" rel="noreferrer" target="_blank">dipovirt01.cnc.sk</a> closed.\r\n", "module_stdout": "Traceback (most recent<br>
call last):\r\n File<br>
\"/tmp/ansible_2Ilnjq/ansible_<wbr>module_firewalld.py\", line 936, in<br>
&lt;module&gt;\r\n main()\r\n File<br>
\"/tmp/ansible_2Ilnjq/ansible_<wbr>module_firewalld.py\", line 788, in<br>
main\r\n module.fail(msg='firewall is not currently running, unable<br>
to perform immediate actions without a running firewall<br>
daemon')\r\nAttributeError: 'AnsibleModule' object has no attribute<br>
'fail'\r\n", "msg": "MODULE FAILURE", "rc": 0}<br>
2018-01-09 13:27:32,095 p=13550 u=ovirt | PLAY RECAP<br>
******************************<wbr>******************************<wbr>*********<br>
<br>
<br>
After reinstallation the status of firewalld is<br>
[PROD] <a href="mailto:root@dipovirt01.cnc.sk">root@dipovirt01.cnc.sk</a>: /var/log/vdsm # systemctl status firewalld<br>
● firewalld.service - firewalld - dynamic firewall daemon<br>
Loaded: loaded (/usr/lib/systemd/system/<wbr>firewalld.service; disabled;<br>
vendor preset: enabled)<br>
Active: inactive (dead)<br>
Docs: man:firewalld(1)<br>
<br>
<br>
So how could I switch to firewalld? Package iptables-service could not<br>
be removed due to the dependencies.<br>
<span class="im HOEnZb"><br>
Peter<br>
<br>
On 09/01/2018 09:35, Yedidyah Bar David wrote:<br>
><br>
</span><span class="im HOEnZb">> 1) firewalld<br>
> After upgrading the host server, I needed to stop firewalld. It seems<br>
> that the rules are not generated correctly. The engine was not able to<br>
> connect to the host. How could I fix it?<br>
><br>
><br>
> Please check/share relevant files from /var/log/ovirt-engine/ansible/<br>
> and /var/log/ovirt-engine/host-<wbr>deploy/ . Or perhaps file a bug and<br>
> attach them there.<br>
<br>
<br>
</span><div class="HOEnZb"><div class="h5">--<br>
*Peter Hudec*<br>
Infrastructure architect<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Didi<br></div>
</div></div></div></div>