On 25/03/2014 23:09, Giuseppe Ragusa wrote:
> Hi Didi,
> I can confirm that using both an ovhe-answers.conf directive:
> OVEHOSTED_NETWORK/firewallManager=str:nonexistent
>
> and an /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf with:
> [environment:enforce]
> NETWORK/iptablesEnable=bool:False
>
> results in "ovirt-hosted-engine-setup --config-append=ovhe-answers.conf"
> leaving iptables rules untouched while adding the second hypervisor host to
> an already deployed self-hosted-engine with one physical host.
I think this should be solved differently.
When hosted-engine --deploy detects firewall managers and asks:

  iptables was detected on your computer, do you wish setup to configure it? (Yes, No)[Yes]:

if you answer "no" it should ask:

  do you want to prevent automatic configuration on this host? (Yes, No)[Yes]:

and if you answer yes it should take care of creating /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf and avoid adding the host requesting iptables configuration.
What do you think?

>
> Many thanks again,
> Giuseppe
>
> PS: is there any difference in using "ovirt-hosted-engine-setup" vs.
> "hosted-engine --deploy" ?

No, hosted-engine --deploy just calls ovirt-hosted-engine-setup passing the remaining arguments.

>
> ------------------------------------------------------------------------------------------------------------------------------------------------------
> From: [email protected]
> To: [email protected]
> Date: Tue, 25 Mar 2014 22:49:36 +0100
> CC: [email protected]
> Subject: Re: [Users] Otopi pre-seeded answers and firewall settings
>
> Hi Didi,
> many thanks for your invaluable help!
>
> I'll try your suggestion
> (/etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf) asap and then I will
> report back.
>
> By the way: I have a really custom iptables setup (multiple separated
> networks on hypervisor hosts), so I suppose it's best to hand tune firewall
> rules and then leave them alone (I pre-configure them, so the setup procedure
> won't be impeded in its communication needs anyway AND I will always
> guarantee the most stringent filtering possible with default deny etc.).
>
> Many thanks again,
> Giuseppe
>
> ------------------------------------------------------------------------------------------------------------------------------------------------------
> Date: Tue, 25 Mar 2014 04:05:33 -0400
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: [Users] Otopi pre-seeded answers and firewall settings
>
> *From: *"Giuseppe Ragusa" <[email protected]>
> *To: *"Yedidyah Bar David" <[email protected]>
> *Cc: *"[email protected]" <[email protected]>
> *Sent: *Tuesday, March 25, 2014 1:53:20 AM
> *Subject: *RE: [Users] Otopi pre-seeded answers and firewall settings
>
> Hi Didi,
> I found the references to NETWORK/iptablesEnable in my engine logs
> (/var/log/ovirt-engine/host-deploy/ovirt-*.log), but it didn't seem to work
> after all.
>
> Full logs attached.
>
> I resurrected my Engine by rebooting the (still only) host, then
> restarting ovirt-ha-agent (at startup the agent failed while trying to launch
> vdsm, but I found vdsm running and so tried manually...).
>
>
> OK, so it's host-deploy that's doing that.
> But it's not host-deploy itself - it's the engine that is talking to it,
> asking it to configure iptables.
> I don't know how to make the agent not do that. I searched a bit the
> sources (which I don't know)
> and didn't find a simple way.
>
> You can, however, try to override this by:
> # mkdir -p /etc/ovirt-host-deploy.conf.d
> # echo '[environment:enforce]' > /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf
> # echo 'NETWORK/iptablesEnable=bool:False' >> /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf
>
> Never tried that, and not sure it's recommended - if it does work, it means
> that host-deploy will not
> update iptables, but the engine will think it did. So it's better to find a
> way to make the engine not do
> that. Or, better yet, that you'll explain why you need this and somehow make
> the engine do what you want...
> --
> Didi
>
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.ovirt.org/mailman/listinfo/users

-- 
Sandro Bonazzola
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com
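A small parser for the typed `key=type:value` syntax used in the answer and override files quoted in this thread, with a check that tells an enforced `NETWORK/iptablesEnable=bool:False` apart from a merely defaulted one (the case where host-deploy skips iptables while the engine believes it configured it). This is an added example, not otopi's or oVirt's own code; the `str:` and `bool:` types come from the files above, while the `int:`/`none:` handling and the `environment:default` section name for an answers file are assumptions about otopi's environment syntax.

```python
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_typed_value(raw):
    """Decode one otopi typed value 'type:value'. 'str' and 'bool' appear in
    the thread; 'int' and 'none' are assumed from otopi's environment syntax."""
    vtype, sep, value = raw.partition(":")
    if not sep:
        raise ValueError("missing type prefix in %r" % raw)
    if vtype == "str":
        return value
    if vtype == "bool":
        return value.strip().lower() in ("true", "t", "yes", "y", "1")
    if vtype == "int":
        return int(value)
    if vtype == "none":
        return None
    raise ValueError("unsupported otopi type %r" % vtype)


def parse_env_file(text):
    """Parse an INI-style otopi answer/override file into
    {section: {key: typed_value}}, skipping blank lines and '#' comments."""
    sections, current = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group("name"), {})
            continue
        if current is None or "=" not in line:
            raise ValueError("line %d: outside a section or not key=value" % lineno)
        key, _, raw = line.partition("=")
        current[key.strip()] = parse_typed_value(raw.strip())
    return sections


def iptables_enforced_off(text):
    """True only when the file *enforces* NETWORK/iptablesEnable=False; a value
    in a non-enforcing section can still be overridden by the engine."""
    enforce = parse_env_file(text).get("environment:enforce", {})
    return enforce.get("NETWORK/iptablesEnable") is False


# Constructed samples mirroring the two files discussed in the thread.
PREVENT_IPTABLES_CONF = "[environment:enforce]\nNETWORK/iptablesEnable=bool:False\n"
ANSWERS_CONF = "[environment:default]\nOVEHOSTED_NETWORK/firewallManager=str:nonexistent\n"
```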

