Re: [ovirt-users] Ovirt Hosted-Engine VM iptables

2017-06-01 Thread Yedidyah Bar David
On Tue, May 30, 2017 at 8:56 AM, Andrew Dent <ad...@ctcroydon.com.au> wrote:
> I can add a rule into iptables such as this
> iptables -I INPUT -s 192.168.0.10 -p tcp -m tcp --dport 5666 -j ACCEPT
> I can see the addition has succeeded with this
> iptables-save > /etc/sysconfig/iptables
>
> But a reboot of the Engine VM (not the Host) doesn't keep the new rule, and
> I was expecting that during bootup CentOS would read from
> /etc/sysconfig/iptables.
> Alas it isn't.
>
> Found a solution.
> After reading this
> https://stackoverflow.com/questions/24756240/how-can-i-use-iptables-on-centos-7
> I installed iptables-services
> But once installed I found that iptables -L showed no rules.
> thankfully I still had the default hosted-engine rules in
> /etc/sysconfig/iptables
> iptables-restore < /etc/sysconfig/iptables
> Then.
> service iptables save
> restored the default hosted-engine rules including my rule for 5666.
>
> Rebooting the hosted-engine VM and my rule 5666 for NRPE is still there.
> Success!!

Glad for that. Indeed a change between el6 and el7 is the addition of
the package iptables-services. For quite a long time, we install this
package during engine-setup [1] if available, but only after we ask
about the firewall - so if it's not installed beforehand engine-setup
won't let you choose iptables.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1224799

>
> To answer your other questions
>
>> Did you ask to configure the firewall during engine-setup?
> Yes.
> Looks like it set up firewalld for me.

You can check that in the setup logs.

If firewalld was active (up) when you ran engine-setup, and you replied 'Yes'
to 'Configure firewall?', then it automatically chose firewalld, with the
assumption that if it's up, it's very likely what you want. It also emits
a line about this.

>
>> Alternatively, it's recommended to use firewalld.
> For the moment I have disabled firewalld and am using iptables. Is there
> a reason why firewalld is preferred over iptables?

Main reason from our (as developers) POV is that it's modular - allows
adding/removing services programmatically, without having to parse and
understand /etc/sysconfig/iptables.

Obviously some people also prefer it for other reasons - ease of use,
not having to know all the details for each specific service, etc.

Best,

>
> Kind regards
>
> Andrew
>
> -- Original Message --
> From: "Yedidyah Bar David" <d...@redhat.com>
> To: "Andrew Dent" <ad...@ctcroydon.com.au>
> Cc: "users" <users@ovirt.org>
> Sent: 29/05/2017 9:26:23 PM
> Subject: Re: [ovirt-users] Ovirt Hosted-Engine VM iptables
>
>> On Mon, May 29, 2017 at 1:14 PM, Andrew Dent <ad...@ctcroydon.com.au>
>> wrote:
>>>
>>>  Hi
>>>
>>>  I would like to add rules into the iptables of the Hosted Engine VM in
>>>  Ovirt.
>>>  I am wanting to monitor the Ovirt Engine using Nagios -> NRPE and I
>>> would
>>>  like to open port 5666
>>>
>>>  the version is oVirt Engine Version: 4.1.1.8-1.el7.centos
>>>  I have tried using the normal process for iptables (iptables-save etc),
>>> but
>>>  it seems that the file
>>>  /etc/sysconfig/iptables
>>>  is ignored when the Ovirt Engine VM starts.
>>
>>
>> What do you mean by "ignored"?
>>
>> What's the output of 'iptables-save'?
>>
>> Did you ask to configure the firewall during engine-setup?
>>
>>>
>>>  How can I add permanent iptables rules into the Engine VM?
>>
>>
>> On the engine vm (unlike hosts), the only thing that touches iptables
>> is engine-setup. Before doing that it asks you if you want to configure
>> the firewall. There aren't currently means to add your custom rules -
>> either you manage it all by yourself or you let engine-setup do that.
>>
>> Alternatively, it's recommended to use firewalld. engine-setup can
>> add to firewalld the stuff it wants, and you still can add your own
>> stuff.
>>
>> If I got you wrong and you refer to the hosts (not engine), see also:
>>
>> https://www.ovirt.org/blog/2016/12/extension-iptables-rules-oVirt-hosts/
>>
>> Best,
>>
>>>
>>>  Kind regards
>>>
>>>
>>>  Andrew
>>>
>>>
>>>
>>>  ___
>>>  Users mailing list
>>>  Users@ovirt.org
>>>  http://lists.ovirt.org/mailman/listinfo/users
>>>
>>
>>
>>
>> --
>> Didi
>
>



-- 
Didi
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Ovirt Hosted-Engine VM iptables

2017-05-29 Thread Andrew Dent

I can add a rule into iptables such as this
iptables -I INPUT -s 192.168.0.10 -p tcp -m tcp --dport 5666 -j ACCEPT
I can see the addition has succeeded with this
iptables-save > /etc/sysconfig/iptables

But a reboot of the Engine VM (not the Host) doesn't keep the new rule, 
and I was expecting that during bootup CentOS would read from 
/etc/sysconfig/iptables.

Alas it isn't.

Found a solution.
After reading this
https://stackoverflow.com/questions/24756240/how-can-i-use-iptables-on-centos-7
I installed iptables-services
But once installed I found that iptables -L showed no rules.
thankfully I still had the default hosted-engine rules in 
/etc/sysconfig/iptables

iptables-restore < /etc/sysconfig/iptables
Then.
service iptables save
restored the default hosted-engine rules including my rule for 5666.

Rebooting the hosted-engine VM and my rule 5666 for NRPE is still there.
Success!!

To answer your other questions

> Did you ask to configure the firewall during engine-setup?
Yes.
Looks like it set up firewalld for me.

> Alternatively, it's recommended to use firewalld.
For the moment I have disabled firewalld and am using iptables. Is 
there a reason why firewalld is preferred over iptables?


Kind regards

Andrew

-- Original Message --
From: "Yedidyah Bar David" <d...@redhat.com>
To: "Andrew Dent" <ad...@ctcroydon.com.au>
Cc: "users" <users@ovirt.org>
Sent: 29/05/2017 9:26:23 PM
Subject: Re: [ovirt-users] Ovirt Hosted-Engine VM iptables

> On Mon, May 29, 2017 at 1:14 PM, Andrew Dent <ad...@ctcroydon.com.au>
> wrote:
>>
>> Hi
>>
>> I would like to add rules into the iptables of the Hosted Engine VM in
>> Ovirt.
>> I am wanting to monitor the Ovirt Engine using Nagios -> NRPE and I would
>> like to open port 5666
>>
>> the version is oVirt Engine Version: 4.1.1.8-1.el7.centos
>> I have tried using the normal process for iptables (iptables-save etc), but
>> it seems that the file
>> /etc/sysconfig/iptables
>> is ignored when the Ovirt Engine VM starts.
>
> What do you mean by "ignored"?
>
> What's the output of 'iptables-save'?
>
> Did you ask to configure the firewall during engine-setup?
>
>> How can I add permanent iptables rules into the Engine VM?
>
> On the engine vm (unlike hosts), the only thing that touches iptables
> is engine-setup. Before doing that it asks you if you want to configure
> the firewall. There aren't currently means to add your custom rules -
> either you manage it all by yourself or you let engine-setup do that.
>
> Alternatively, it's recommended to use firewalld. engine-setup can
> add to firewalld the stuff it wants, and you still can add your own
> stuff.
>
> If I got you wrong and you refer to the hosts (not engine), see also:
>
> https://www.ovirt.org/blog/2016/12/extension-iptables-rules-oVirt-hosts/
>
> Best,
>
>> Kind regards
>>
>> Andrew
>
> --
> Didi


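The two approaches the thread discusses, as an added example that is not code from either message or from the oVirt project: a POSIX sh script that persists the NRPE allow rule on an el7 engine VM with iptables-services (the order Andrew's message ends up with), shows the firewalld alternative Didi's reply recommends as a single source-restricted rich rule, and checks, offline, that a saved /etc/sysconfig/iptables really contains the rule and that it sits above the rule set's terminal REJECT, which is why the rule is inserted with -I rather than appended with -A. The source 192.168.0.10 and port 5666 come from the thread; the sample rule set is constructed to resemble what engine-setup writes on el7 and is not copied from a real engine VM; function names are this example's own.

```shell
#!/bin/sh
# Added example for this thread (not code from either message or from oVirt):
# persist an NRPE allow rule on an el7 engine VM, or add it through firewalld,
# and verify a saved rules file offline. Values below come from the thread;
# the sample rule set and function names are this example's own assumptions.

NRPE_SRC="192.168.0.10"               # the Nagios/NRPE poller (from the thread)
NRPE_PORT="5666"                      # NRPE port (from the thread)
SAVED_RULES="/etc/sysconfig/iptables" # file the iptables service loads at boot

# Exact line iptables-save emits for the rule; a host source is written as /32.
nrpe_rule_line() {
    printf '%s' "-A INPUT -s $1/32 -p tcp -m tcp --dport $2 -j ACCEPT"
}

# Is the rule for SRC:PORT present in FILE (iptables-save format)?
saved_rule_present() {
    grep -qF -- "$(nrpe_rule_line "$2" "$3")" "$1"
}

# Is it ordered before the first terminal REJECT/DROP in INPUT? A rule
# appended (-A) after the rule set's final REJECT is never evaluated, which
# is why the thread inserts it at the top with -I.
saved_rule_reachable() {
    accept_line=$(grep -nF -- "$(nrpe_rule_line "$2" "$3")" "$1" | head -n 1 | cut -d: -f1)
    reject_line=$(grep -nE -- '^-A INPUT .*-j (REJECT|DROP)' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$accept_line" ] || return 1
    [ -n "$reject_line" ] || return 0
    [ "$accept_line" -lt "$reject_line" ]
}

# Constructed sample: resembles the default rule set engine-setup writes on
# el7 (not copied from a real engine VM). MODE is "insert" (rule at the top,
# as `iptables -I` leaves it) or "append" (rule after the REJECT).
write_sample_rules() {
    file="$1"; mode="$2"
    rule=$(nrpe_rule_line "$NRPE_SRC" "$NRPE_PORT")
    {
        printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
        if [ "$mode" = insert ]; then printf '%s\n' "$rule"; fi
        printf '%s\n' \
            '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
            '-A INPUT -p icmp -j ACCEPT' \
            '-A INPUT -i lo -j ACCEPT' \
            '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT' \
            '-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT' \
            '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
            '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
        if [ "$mode" = append ]; then printf '%s\n' "$rule"; fi
        printf '%s\n' 'COMMIT'
    } > "$file"
}

# The iptables route the thread ended with, as root on the engine VM: el7 needs
# iptables-services for /etc/sysconfig/iptables to be loaded at boot, and only
# one of firewalld/iptables may manage the tables at a time.
persist_iptables_rules() {
    yum -y install iptables-services
    systemctl stop firewalld; systemctl disable firewalld
    systemctl enable iptables
    iptables-restore < "$SAVED_RULES"   # reload the saved rules if the live table is empty
    iptables -I INPUT -s "$NRPE_SRC" -p tcp -m tcp --dport "$NRPE_PORT" -j ACCEPT
    service iptables save                # rewrites $SAVED_RULES from the live table
    saved_rule_reachable "$SAVED_RULES" "$NRPE_SRC" "$NRPE_PORT"
}

# The firewalld route the reply recommends: the exposure is one permanent rich
# rule added beside engine-setup's own entries, with no rules file to edit.
# Do not run this together with persist_iptables_rules.
open_nrpe_firewalld() {
    rich="rule family=\"ipv4\" source address=\"${NRPE_SRC}\" port port=\"${NRPE_PORT}\" protocol=\"tcp\" accept"
    firewall-cmd --permanent --add-rich-rule="$rich"
    firewall-cmd --reload
    firewall-cmd --query-rich-rule="$rich"   # exits 0 once the rule is live
}

# Stand-alone demo on the constructed file: needs no root, touches no firewall.
tmp=$(mktemp)
write_sample_rules "$tmp" insert
saved_rule_reachable "$tmp" "$NRPE_SRC" "$NRPE_PORT" && echo "inserted rule: reachable"
write_sample_rules "$tmp" append
saved_rule_reachable "$tmp" "$NRPE_SRC" "$NRPE_PORT" || echo "appended rule: shadowed by REJECT"
rm -f "$tmp"
```

The two check functions are the part worth keeping around: after any `service iptables save`, run `saved_rule_reachable /etc/sysconfig/iptables 192.168.0.10 5666` and the exit status tells you whether the rule will both survive a reboot of the engine VM and actually be hit, since a rule that lands below the terminal REJECT is saved but useless. The firewalld variant has no ordering problem to check because firewalld builds the chain itself from its service and rich-rule entries, which is the modularity the reply refers to.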


Re: [ovirt-users] Ovirt Hosted-Engine VM iptables

2017-05-29 Thread Yedidyah Bar David
On Mon, May 29, 2017 at 1:14 PM, Andrew Dent  wrote:
> Hi
>
> I would like to add rules into the iptables of the Hosted Engine VM in
> Ovirt.
> I am wanting to monitor the Ovirt Engine using Nagios -> NRPE and I would
> like to open port 5666
>
> the version is oVirt Engine Version: 4.1.1.8-1.el7.centos
> I have tried using the normal process for iptables (iptables-save etc), but
> it seems that the file
> /etc/sysconfig/iptables
> is ignored when the Ovirt Engine VM starts.

What do you mean by "ignored"?

What's the output of 'iptables-save'?

Did you ask to configure the firewall during engine-setup?

>
> How can I add permanent iptables rules into the Engine VM?

On the engine vm (unlike hosts), the only thing that touches iptables
is engine-setup. Before doing that it asks you if you want to configure
the firewall. There aren't currently means to add your custom rules -
either you manage it all by yourself or you let engine-setup do that.

Alternatively, it's recommended to use firewalld. engine-setup can
add to firewalld the stuff it wants, and you still can add your own
stuff.

If I got you wrong and you refer to the hosts (not engine), see also:

https://www.ovirt.org/blog/2016/12/extension-iptables-rules-oVirt-hosts/

Best,

>
> Kind regards
>
>
> Andrew
>
>
>



-- 
Didi