Re: [ovirt-users] Ovirt Hosted-Engine VM iptables
On Tue, May 30, 2017 at 8:56 AM, Andrew Dent <ad...@ctcroydon.com.au> wrote:
> I can add a rule into iptables such as this
> iptables -I INPUT -s 192.168.0.10 -p tcp -m tcp --dport 5666 -j ACCEPT
> I can see the addition has succeeded with this
> iptables-save > /etc/sysconfig/iptables
>
> But a reboot of the Engine VM (not the Host) doesn't keep the new rule, and
> I was expecting that during bootup CentOS would read from
> /etc/sysconfig/iptables.
> Alas it isn't.
>
> Found a solution.
> After reading this
> https://stackoverflow.com/questions/24756240/how-can-i-use-iptables-on-centos-7
> I installed iptables-services
> But once installed I found that iptables -L showed no rules.
> Thankfully I still had the default hosted-engine rules in
> /etc/sysconfig/iptables
> iptables-restore < /etc/sysconfig/iptables
> Then
> service iptables save
> restored the default hosted-engine rules including my rule for 5666.
>
> Rebooting the hosted-engine VM and my rule 5666 for NRPE is still there.
> Success!!

Glad for that.

Indeed a change between el6 and el7 is the addition of the package
iptables-services. For quite a long time, we install this package during
engine-setup [1] if available, but only after we ask about the firewall -
so if it's not installed beforehand engine-setup won't let you choose
iptables.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1224799

>
> To answer your other questions
>
>> Did you ask to configure the firewall during engine-setup?
> Yes.
> Looks like it set up firewalld for me.

You can check that in the setup logs. If firewalld was active (up) when
you ran engine-setup, and you replied 'Yes' to 'Configure firewall?', then
it automatically chose firewalld, with the assumption that if it's up,
it's very likely what you want. It also emits a line about this.

>
>> Alternatively, it's recommended to use firewalld.
> For the moment I have disabled firewalld and am using iptables. Is there
> a reason why firewalld is preferred over iptables?

Main reason from our (as developers) POV is that it's modular - allows
adding/removing services programmatically, without having to parse and
understand /etc/sysconfig/iptables. Obviously some people also prefer it
for other reasons - ease of use, not having to know all the details for
each specific service, etc.

Best,

> Kind regards
>
> Andrew
>
> -- Original Message --
> From: "Yedidyah Bar David" <d...@redhat.com>
> To: "Andrew Dent" <ad...@ctcroydon.com.au>
> Cc: "users" <users@ovirt.org>
> Sent: 29/05/2017 9:26:23 PM
> Subject: Re: [ovirt-users] Ovirt Hosted-Engine VM iptables
>
>> On Mon, May 29, 2017 at 1:14 PM, Andrew Dent <ad...@ctcroydon.com.au> wrote:
>>> Hi
>>>
>>> I would like to add rules into the iptables of the Hosted Engine VM in
>>> Ovirt.
>>> I am wanting to monitor the Ovirt Engine using Nagios -> NRPE and I would
>>> like to open port 5666
>>>
>>> the version is oVirt Engine Version: 4.1.1.8-1.el7.centos
>>> I have tried using the normal process for iptables (iptables-save etc), but
>>> it seems that the file
>>> /etc/sysconfig/iptables
>>> is ignored when the Ovirt Engine VM starts.
>>
>> What do you mean by "ignored"?
>>
>> What's the output of 'iptables-save'?
>>
>> Did you ask to configure the firewall during engine-setup?
>>
>>> How can I add permanent iptables rules into the Engine VM?
>>
>> On the engine vm (unlike hosts), the only thing that touches iptables
>> is engine-setup. Before doing that it asks you if you want to configure
>> the firewall. There aren't currently means to add your custom rules -
>> either you manage it all by yourself or you let engine-setup do that.
>>
>> Alternatively, it's recommended to use firewalld. engine-setup can
>> add to firewalld the stuff it wants, and you still can add your own
>> stuff.
>>
>> If I got you wrong and you refer to the hosts (not engine), see also:
>>
>> https://www.ovirt.org/blog/2016/12/extension-iptables-rules-oVirt-hosts/
>>
>> Best,
>>
>>> Kind regards
>>>
>>> Andrew
>>
>> --
>> Didi

--
Didi

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
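The two things worth checking after the procedure above, as an added example that is not code from this thread or from oVirt: that the rule really is in the saved ruleset before you reboot, and that it sits before the catch-all REJECT (a rule added with `iptables -A` lands after the REJECT and never matches; Andrew used `-I`, which inserts at the top). `iptables-save` writes a single host as `192.168.0.10/32`, so a naive grep for `-s 192.168.0.10 ` misses it. The script also prints the firewalld rich rule that gives the same effect, restricted to the Nagios server, for the case where you keep firewalld as engine-setup chose. The function names, the two sample rulesets and the layout of the rules are constructed for the example; the address 192.168.0.10 and port 5666 are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from oVirt. Helper names are
# hypothetical. Checks a saved ruleset for the NRPE rule and prints the
# firewalld equivalent.

# Constructed sample in iptables-save format, i.e. what
# "iptables-save > /etc/sysconfig/iptables" writes after
# "iptables -I INPUT -s 192.168.0.10 -p tcp -m tcp --dport 5666 -j ACCEPT".
# iptables-save prints the host as 192.168.0.10/32, so the check below
# matches the normalised form, not the form typed on the command line.
SAVED_OK='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.0.10/32 -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample of the same mistake with "iptables -A": the rule is
# appended after the catch-all REJECT, so it is present but dead.
SAVED_DEAD='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.0.10/32 -p tcp -m tcp --dport 5666 -j ACCEPT
COMMIT'

# has_accept_rule SRC PORT  < ruleset-on-stdin
# Exit 0 only if an INPUT ACCEPT for tcp/PORT from SRC/32 appears before
# the first catch-all "-A INPUT -j REJECT" line; exit 1 otherwise.
has_accept_rule() {
    awk -v src="$1/32" -v port="$2" '
        /^-A INPUT -j REJECT/ { exit }   # reached the catch-all: later rules never match
        /^-A INPUT / && index($0, "-s " src " ") && index($0, "--dport " port " ") && /-j ACCEPT$/ { found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# firewalld_rich_rule SRC PORT
# The firewalld form of the same rule, limited to the monitoring host.
firewalld_rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept\n' "$1" "$2"
}

# report LABEL RULESET: stand-alone demo on the constructed samples.
report() {
    if printf '%s\n' "$2" | has_accept_rule 192.168.0.10 5666; then
        echo "$1: NRPE rule present and reachable"
    else
        echo "$1: NRPE rule missing or shadowed by REJECT"
    fi
}
report SAVED_OK "$SAVED_OK"
report SAVED_DEAD "$SAVED_DEAD"

echo "firewalld equivalent (persistent, then applied):"
echo "  firewall-cmd --permanent --add-rich-rule='$(firewalld_rich_rule 192.168.0.10 5666)'"
echo "  firewall-cmd --reload"
```

On a real engine VM, run the check as `has_accept_rule 192.168.0.10 5666 < /etc/sysconfig/iptables` after `service iptables save` and before rebooting. The printed firewall-cmd lines are the firewalld route the reply recommends: engine-setup manages its own firewalld services and leaves a rich rule like this one alone.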
Re: [ovirt-users] Ovirt Hosted-Engine VM iptables
I can add a rule into iptables such as this
iptables -I INPUT -s 192.168.0.10 -p tcp -m tcp --dport 5666 -j ACCEPT
I can see the addition has succeeded with this
iptables-save > /etc/sysconfig/iptables

But a reboot of the Engine VM (not the Host) doesn't keep the new rule, and
I was expecting that during bootup CentOS would read from
/etc/sysconfig/iptables.
Alas it isn't.

Found a solution.
After reading this
https://stackoverflow.com/questions/24756240/how-can-i-use-iptables-on-centos-7
I installed iptables-services
But once installed I found that iptables -L showed no rules.
Thankfully I still had the default hosted-engine rules in
/etc/sysconfig/iptables
iptables-restore < /etc/sysconfig/iptables
Then
service iptables save
restored the default hosted-engine rules including my rule for 5666.

Rebooting the hosted-engine VM and my rule 5666 for NRPE is still there.
Success!!

To answer your other questions

> Did you ask to configure the firewall during engine-setup?
Yes.
Looks like it set up firewalld for me.

> Alternatively, it's recommended to use firewalld.
For the moment I have disabled firewalld and am using iptables. Is there
a reason why firewalld is preferred over iptables?

Kind regards

Andrew

-- Original Message --
From: "Yedidyah Bar David" <d...@redhat.com>
To: "Andrew Dent" <ad...@ctcroydon.com.au>
Cc: "users" <users@ovirt.org>
Sent: 29/05/2017 9:26:23 PM
Subject: Re: [ovirt-users] Ovirt Hosted-Engine VM iptables

> On Mon, May 29, 2017 at 1:14 PM, Andrew Dent <ad...@ctcroydon.com.au> wrote:
>> Hi
>>
>> I would like to add rules into the iptables of the Hosted Engine VM in
>> Ovirt.
>> I am wanting to monitor the Ovirt Engine using Nagios -> NRPE and I would
>> like to open port 5666
>>
>> the version is oVirt Engine Version: 4.1.1.8-1.el7.centos
>> I have tried using the normal process for iptables (iptables-save etc), but
>> it seems that the file
>> /etc/sysconfig/iptables
>> is ignored when the Ovirt Engine VM starts.
>
> What do you mean by "ignored"?
>
> What's the output of 'iptables-save'?
>
> Did you ask to configure the firewall during engine-setup?
>
>> How can I add permanent iptables rules into the Engine VM?
>
> On the engine vm (unlike hosts), the only thing that touches iptables
> is engine-setup. Before doing that it asks you if you want to configure
> the firewall. There aren't currently means to add your custom rules -
> either you manage it all by yourself or you let engine-setup do that.
>
> Alternatively, it's recommended to use firewalld. engine-setup can
> add to firewalld the stuff it wants, and you still can add your own
> stuff.
>
> If I got you wrong and you refer to the hosts (not engine), see also:
>
> https://www.ovirt.org/blog/2016/12/extension-iptables-rules-oVirt-hosts/
>
> Best,
>
>> Kind regards
>>
>> Andrew
>
> --
> Didi
Re: [ovirt-users] Ovirt Hosted-Engine VM iptables
On Mon, May 29, 2017 at 1:14 PM, Andrew Dent wrote:
> Hi
>
> I would like to add rules into the iptables of the Hosted Engine VM in
> Ovirt.
> I am wanting to monitor the Ovirt Engine using Nagios -> NRPE and I would
> like to open port 5666
>
> the version is oVirt Engine Version: 4.1.1.8-1.el7.centos
> I have tried using the normal process for iptables (iptables-save etc), but
> it seems that the file
> /etc/sysconfig/iptables
> is ignored when the Ovirt Engine VM starts.

What do you mean by "ignored"?

What's the output of 'iptables-save'?

Did you ask to configure the firewall during engine-setup?

>
> How can I add permanent iptables rules into the Engine VM?

On the engine vm (unlike hosts), the only thing that touches iptables
is engine-setup. Before doing that it asks you if you want to configure
the firewall. There aren't currently means to add your custom rules -
either you manage it all by yourself or you let engine-setup do that.

Alternatively, it's recommended to use firewalld. engine-setup can
add to firewalld the stuff it wants, and you still can add your own
stuff.

If I got you wrong and you refer to the hosts (not engine), see also:

https://www.ovirt.org/blog/2016/12/extension-iptables-rules-oVirt-hosts/

Best,

>
> Kind regards
>
>
> Andrew

--
Didi