<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 9, 2018 at 2:25 PM, Peter Hudec <span dir="ltr"><<a href="mailto:phudec@cnc.sk" target="_blank">phudec@cnc.sk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It's not a bug as I'm digging.<br>
<br>
In logs I found<br>
<br>
2018-01-09 08:23:22,421+0100 DEBUG otopi.context<br>
context.dumpEnvironment:831 ENV NETWORK/firewalldEnable=bool:'False'<br>
2018-01-09 08:23:22,422+0100 DEBUG otopi.context<br>
context.dumpEnvironment:831 ENV NETWORK/iptablesEnable=bool:'True'<br>
<br>
So how do I disable iptables and enable firewalld?<br></blockquote><div><br></div><div style="font-family:arial,helvetica,sans-serif" class="gmail_default">Hi,</div><div style="font-family:arial,helvetica,sans-serif" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif" class="gmail_default">Firewall type is a cluster-level option. Please go to Clusters, edit the selected cluster and change Firewall type to firewalld. After that you need to execute Reinstall on all hosts in the cluster to switch them from iptables to firewalld.</div><div style="font-family:arial,helvetica,sans-serif" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif" class="gmail_default">Btw, I assume this is an upgraded cluster, so please make sure that VDSM 4.20 (from oVirt 4.2) is installed on all hosts before making this change.</div><div style="font-family:arial,helvetica,sans-serif" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif" class="gmail_default">Thanks</div><div style="font-family:arial,helvetica,sans-serif" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif" class="gmail_default">Martin</div><div style="font-family:arial,helvetica,sans-serif" class="gmail_default"><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Peter<br>
<br>
On 09/01/2018 13:47, Yedidyah Bar David wrote:<br>
> (Adding Ondra for the firewalld stuff. But I think it's probably<br>
> easier to debug if you open a bug and attach logs there).<br>
><br>
> On Tue, Jan 9, 2018 at 2:34 PM, Peter Hudec <<a href="mailto:phudec@cnc.sk">phudec@cnc.sk</a><br>
> <mailto:<a href="mailto:phudec@cnc.sk">phudec@cnc.sk</a>>> wrote:<br>
><br>
> If I run host reinstall with custom firewall rules in<br>
> /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml the task will<br>
> fail because firewalld is not running.<br>
><br>
> The reinstall task will disable firewalld and enable iptables-services.<br>
> I'm a little bit confused ;(<br>
><br>
> ---<br>
> - name: Enable additional port on firewalld<br>
> firewalld:<br>
> port: "10050/tcp"<br>
> permanent: yes<br>
> immediate: yes<br>
> state: enabled<br>
><br>
><br>
> 2018-01-09 13:27:30,103 p=13550 u=ovirt | included:<br>
> /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml for<br>
> <a href="http://dipovirt01.cnc.sk" rel="noreferrer" target="_blank">dipovirt01.cnc.sk</a> <<a href="http://dipovirt01.cnc.sk" rel="noreferrer" target="_blank">http://dipovirt01.cnc.sk</a>><br>
> 2018-01-09 13:27:30,134 p=13550 u=ovirt | TASK [Enable additional port<br>
> on firewalld] *************************************<br>
> 2018-01-09 13:27:32,089 p=13550 u=ovirt | fatal: [<a href="http://dipovirt01.cnc.sk" rel="noreferrer" target="_blank">dipovirt01.cnc.sk</a><br>
> <<a href="http://dipovirt01.cnc.sk" rel="noreferrer" target="_blank">http://dipovirt01.cnc.sk</a>>]:<br>
> FAILED! => {"changed": false, "module_stderr": "Shared connection to<br>
> <a href="http://dipovirt01.cnc.sk" rel="noreferrer" target="_blank">dipovirt01.cnc.sk</a> <<a href="http://dipovirt01.cnc.sk" rel="noreferrer" target="_blank">http://dipovirt01.cnc.sk</a>> closed.\r\n",<br>
> "module_stdout": "Traceback (most recent<br>
> call last):\r\n File<br>
> \"/tmp/ansible_2Ilnjq/ansible_module_firewalld.py\", line 936, in<br>
> <module>\r\n main()\r\n File<br>
> \"/tmp/ansible_2Ilnjq/ansible_module_firewalld.py\", line 788, in<br>
> main\r\n module.fail(msg='firewall is not currently running, unable<br>
> to perform immediate actions without a running firewall<br>
> daemon')\r\nAttributeError: 'AnsibleModule' object has no attribute<br>
> 'fail'\r\n", "msg": "MODULE FAILURE", "rc": 0}<br>
> 2018-01-09 13:27:32,095 p=13550 u=ovirt | PLAY RECAP<br>
> *********************************************************************<br>
><br>
><br>
> After reinstallation the status of firewalld is<br>
> [PROD] <a href="mailto:root@dipovirt01.cnc.sk">root@dipovirt01.cnc.sk</a> <mailto:<a href="mailto:root@dipovirt01.cnc.sk">root@dipovirt01.cnc.sk</a>>:<br>
> /var/log/vdsm # systemctl status firewalld<br>
> ● firewalld.service - firewalld - dynamic firewall daemon<br>
> Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled;<br>
> vendor preset: enabled)<br>
> Active: inactive (dead)<br>
> Docs: man:firewalld(1)<br>
><br>
><br>
> So how could I switch to firewalld? The package iptables-service could not<br>
> be removed due to the dependencies.<br>
><br>
> Peter<br>
><br>
> On 09/01/2018 09:35, Yedidyah Bar David wrote:<br>
> ><br>
> > 1) firewalld<br>
> > after upgrading the host server, I needed to stop firewalld. It seems<br>
> > that the rules are not generated correctly. The engine was not able to<br>
> > connect to the host. How could I fix it?<br>
> ><br>
> ><br>
> > Please check/share relevant files from /var/log/ovirt-engine/ansible/<br>
> > and /var/log/ovirt-engine/host-deploy/ . Or perhaps file a bug and<br>
> > attach them there.<br>
><br>
><br>
> --<br>
> *Peter Hudec*<br>
> Infrastructure architect<br>
> <a href="mailto:phudec@cnc.sk">phudec@cnc.sk</a> <mailto:<a href="mailto:phudec@cnc.sk">phudec@cnc.sk</a>> <mailto:<a href="mailto:phudec@cnc.sk">phudec@cnc.sk</a><br>
> <mailto:<a href="mailto:phudec@cnc.sk">phudec@cnc.sk</a>>><br>
><br>
> *CNC, a.s.*<br>
> Borská 6, 841 04 Bratislava<br>
> Reception: <a href="tel:%2B421%202%C2%A0%2035%20000%20100" value="+421235000100">+421 2 35 000 100</a> <tel:%2B421%202%C2%A0%2035%20000%20100><br>
><br>
> Mobile: +421 905 997 203 <tel:%2B421%C2%A0905%20997%20203><br>
> *<a href="http://www.cnc.sk" rel="noreferrer" target="_blank">www.cnc.sk</a> <<a href="http://www.cnc.sk" rel="noreferrer" target="_blank">http://www.cnc.sk</a>>* <http:///<a href="http://www.cnc.sk" rel="noreferrer" target="_blank">www.cnc.sk</a><br>
> <<a href="http://www.cnc.sk" rel="noreferrer" target="_blank">http://www.cnc.sk</a>>><br>
><br>
><br>
><br>
><br>
> --<br>
> Didi<br>
<br>
<br>
--<br>
*Peter Hudec*<br>
Infrastructure architect<br>
<a href="mailto:phudec@cnc.sk">phudec@cnc.sk</a> <mailto:<a href="mailto:phudec@cnc.sk">phudec@cnc.sk</a>><br>
<br>
*CNC, a.s.*<br>
Borská 6, 841 04 Bratislava<br>
Reception: <a href="tel:%2B421%202%C2%A0%2035%20000%20100" value="+421235000100">+421 2 35 000 100</a><br>
<br>
Mobile: <a href="tel:%2B421%C2%A0905%20997%20203" value="+421905997203">+421 905 997 203</a><br>
*<a href="http://www.cnc.sk" rel="noreferrer" target="_blank">www.cnc.sk</a>* <http:///<a href="http://www.cnc.sk" rel="noreferrer" target="_blank">www.cnc.sk</a>><br>
<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><font size="1">Martin Perina<br>Associate Manager, Software Engineering<br>Red Hat Czech s.r.o.<br></font></div></div>
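<div style="font-family:arial,helvetica,sans-serif" class="gmail_default">An added example, not part of this thread and not the oVirt project's own playbook: the post-task quoted above rewritten so that a host reinstall does not abort while the cluster's Firewall type is still iptables. The port 10050/tcp and the file path come from the thread; the state-check task, which relies on <code>firewall-cmd --state</code> exiting non-zero when the daemon is not running, is an assumption about how the file is used by ovirt-host-deploy.</div>

```yaml
---
# Added example for /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml
# (assumed, as in the thread, to be included per host during Reinstall).
- name: Check whether firewalld is running on the host
  command: firewall-cmd --state
  register: firewalld_state
  failed_when: false      # a non-zero exit (daemon not running) is expected on iptables clusters
  changed_when: false

- name: Enable additional port on firewalld
  firewalld:
    port: "10050/tcp"
    permanent: yes
    # Apply at runtime only when the daemon is up. Otherwise only the
    # permanent rule is written; it takes effect once the cluster's
    # Firewall type is switched to firewalld and the host is reinstalled.
    immediate: "{{ firewalld_state.rc == 0 }}"
    state: enabled
```

Until the cluster's Firewall type has been changed and the host reinstalled, the permanent rule exists in the firewalld configuration but no runtime rule is loaded, so the port stays governed by the iptables rules the engine generates.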
</div></div>