Hi Joshua,
many thanks for your suggestion which I suppose would work perfectly, but I 
actually want iptables (CentOS 6.5 here, so no firewalld) rules in place all 
the time, but only "MY OWN" iptables rules ;>

Regards,
Giuseppe

Date: Tue, 25 Mar 2014 18:04:04 -0400
Subject: Re: [Users] Otopi pre-seeded answers and firewall settings
From: [email protected]
To: [email protected]

Perhaps you could add the iptables and firewalld packages to yum.conf as 
excludes.  I don't know if this would fail silently, but if so, the engine 
installer would never know.

Thanks,

Joshua


On Tue, Mar 25, 2014 at 5:49 PM, Giuseppe Ragusa <[email protected]> 
wrote:




Hi Didi,
many thanks for your invaluable help!

I'll try your suggestion 
(/etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf) asap and then I will 
report back.

By the way: I have a really custom iptables setup (multiple separated networks 
on hypervisor hosts), so I suppose it's best to hand-tune firewall rules and 
then leave them alone (I pre-configure them, so the setup procedure won't be 
impeded in its communication needs anyway AND I will always guarantee the most 
stringent filtering possible with default deny etc.).


Many thanks again,
Giuseppe

Date: Tue, 25 Mar 2014 04:05:33 -0400
From: [email protected]
To: [email protected]

CC: [email protected]
Subject: Re: [Users] Otopi pre-seeded answers and firewall settings


From: "Giuseppe Ragusa" <[email protected]>

To: "Yedidyah Bar David" <[email protected]>
Cc: "[email protected]" <[email protected]>

Sent: Tuesday, March 25, 2014 1:53:20 AM
Subject: RE: [Users] Otopi pre-seeded answers and firewall settings

Hi Didi,
I found the references to NETWORK/iptablesEnable in my engine logs 
(/var/log/ovirt-engine/host-deploy/ovirt-*.log), but it didn't seem to work 
after all.


Full logs attached.

I resurrected my Engine by rebooting the (still only) host, then restarting 
ovirt-ha-agent (at startup the agent failed while trying to launch vdsm, but I 
found vdsm running and so tried manually...).

OK, so it's host-deploy that's doing that. But it's not host-deploy itself - 
it's the engine that is talking to it, asking it to configure iptables. I don't 
know how to make the agent not do that. I searched the sources a bit (which I 
don't know) and didn't find a simple way.

You can, however, try to override this by:

# mkdir -p /etc/ovirt-host-deploy.conf.d
# echo '[environment:enforce]' > /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf
# echo 'NETWORK/iptablesEnable=bool:False' >> /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf

Never tried that, and not sure it's recommended - if it does work, it means 
that host-deploy will not update iptables, but the engine will think it did. 
So it's better to find a way to make the engine not do that. Or, better yet, 
that you'll explain why you need this and somehow make the engine do what you 
want...

-- Didi
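
Since the override above is described as untried, one way to confirm that a host deploy left a hand-tuned rule set alone is to compare `iptables-save` output taken before and after it. This is an added example, not code from the thread or from oVirt; the function names and the sample rule sets are constructed, and in real use the two arguments would be saved `iptables-save` captures.

```shell
#!/bin/sh
# Added example, not from the thread; the rule sets below are constructed.

# Drop comment/timestamp lines and zero the [packets:bytes] counters so
# only real rule or policy changes survive the comparison.
normalize_rules() {
    sed -e '/^#/d' -e 's/\[[0-9][0-9]*:[0-9][0-9]*]/[0:0]/'
}

# drift_report BASELINE CURRENT (both iptables-save text). Prints changed
# lines ("<" baseline only, ">" current only); returns 0 if equal, 1 if not.
drift_report() {
    base_f=$(mktemp) && cur_f=$(mktemp) || return 2
    printf '%s\n' "$1" | normalize_rules > "$base_f"
    printf '%s\n' "$2" | normalize_rules > "$cur_f"
    if changes=$(diff "$base_f" "$cur_f"); then rc=0; else rc=1; fi
    rm -f "$base_f" "$cur_f"
    printf '%s\n' "$changes" | grep '^[<>]' || true
    return "$rc"
}

BASELINE='# Generated by iptables-save v1.4.7 on Tue Mar 25 17:00:00 2014
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Same rules later: only the timestamp and counters moved.
AFTER_UNCHANGED='# Generated by iptables-save v1.4.7 on Tue Mar 25 19:30:00 2014
*filter
:INPUT DROP [41:2788]
:OUTPUT ACCEPT [310:45120]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Rule set rewritten by another tool: default deny and source filter are gone.
AFTER_REWRITTEN='# Generated by iptables-save v1.4.7 on Tue Mar 25 19:30:00 2014
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

drift_report "$BASELINE" "$AFTER_UNCHANGED" && echo "unchanged: OK"
drift_report "$BASELINE" "$AFTER_REWRITTEN" || echo "DRIFT: rules differ from baseline"
```

Because the comparison uses `diff` on the normalized text, a reordering of otherwise identical rules is also reported, which matters since iptables evaluates rules in order.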
                                          

_______________________________________________

Users mailing list

[email protected]

http://lists.ovirt.org/mailman/listinfo/users



                                          