Thank you Didi. The proposed method works. I described my experience here: https://blog.it-kb.ru/2016/11/24/extension-of-iptables-add-custom-rules-on-the-ovirt-4-0-hosts/
23.11.2016, 16:12, "Yedidyah Bar David" <d...@redhat.com>:
> On Wed, Nov 23, 2016 at 1:54 PM, <aleksey.maksi...@it-kb.ru> wrote:
>> "As I wrote there, you can also do this manually"
>>
>> How?
>
> I am not sure I understand the question.
>
> The same way you configure iptables on non-oVirt-hosts machines.
>
> If you mean "How to imitate the way the engine does this during
> host deploy", then I don't know - you can check engine sources
> for that. I am guessing that you can get the values of IPTablesConfig
> and IPTablesConfigSiteCustom with engine-config, replace inside the
> latter "@CUSTOM_RULES@" with the contents of the former, then copy
> the result to the host and load it with iptables-restore (and/or
> copy to /etc/sysconfig/iptables and restart iptables service).
>
>> 23.11.2016, 14:23, "Yedidyah Bar David" <d...@redhat.com>:
>>> On Wed, Nov 23, 2016 at 12:51 PM, <aleksey.maksi...@it-kb.ru> wrote:
>>>> Hi Didi!
>>>>
>>>> https://www.mail-archive.com/users@ovirt.org/msg37193.html
>>>>
>>>> "Move to maintenance and reinstall" to add the iptables rules ?
>>>>
>>>> Are you serious?
>>>>
>>>> There is no other way (without reinstalling the hosts) ?
>>>
>>> AFAIK, using ovirt-host-deploy, no.
>>>
>>> I am not aware of an engine API or vdsm verb to do this, but these are
>>> not my main area of expertise.
>>>
>>> As I wrote there, you can also do this manually.
>>>
>>> The oVirt engine is not a replacement for configuration management
>>> systems. If you have complex needs, might as well uncheck this
>>> checkbox and use other means.
>>>
>>> Best,
>>>
>>>> 23.11.2016, 13:07, "Yedidyah Bar David" <d...@redhat.com>:
>>>>> On Wed, Nov 23, 2016 at 12:02 PM, <aleksey.maksi...@it-kb.ru> wrote:
>>>>>> Hmm.
>>>>>> I just rebooted the host, but the iptables rules have not been
>>>>>> updated :(
>>>>>>
>>>>>> On Engine server my custom iptables rules are visible:
>>>>>>
>>>>>> # engine-config --get IPTablesConfigSiteCustom
>>>>>>
>>>>>> IPTablesConfigSiteCustom:
>>>>>> -A INPUT -p tcp --dport 2301 -j ACCEPT -m comment --comment 'HPE
>>>>>> System Management Homepage'
>>>>>> -A INPUT -p tcp --dport 2381 -j ACCEPT -m comment --comment 'HPE
>>>>>> System Management Homepage (Secure port)'
>>>>>> version: general
>>>>>>
>>>>>> How to update the configuration on the hosts ?
>>>>>>
>>>>>> 23.11.2016, 11:30, "aleksey.maksi...@it-kb.ru"
>>>>>> <aleksey.maksi...@it-kb.ru>:
>>>>>>> Hello oVirt guru`s !
>>>>>>>
>>>>>>> oVirt Engine Version: 4.0.5.5-1.el7.centos
>>>>>>>
>>>>>>> I updated the configuration of the firewall on the Engine server
>>>>>>> with "engine-config --set IPTablesConfigSiteCustom...".
>>>>>>> How to notify cluster nodes (all virtualization hosts) about the
>>>>>>> changes without reboot?
>>>>>
>>>>> Please check the other thread here "[ovirt-users] Hook to add firewall
>>>>> rules". Thanks.
>>>>>
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> Users@ovirt.org
>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>
>>>>> --
>>>>> Didi
>>>
>>> --
>>> Didi
>
> --
> Didi
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
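
The manual procedure discussed in the thread, sketched as an added example (not code from the thread or from oVirt). It assumes the value that carries `@CUSTOM_RULES@` is the template and the other value holds the rules, as the `IPTablesConfigSiteCustom` output quoted above suggests; the function names, the INPUT-only check and the sample template are this example's own.

```shell
#!/bin/sh
# Added example: merge custom rules into a template and validate the
# result before loading it on a host.
PLACEHOLDER='@CUSTOM_RULES@'

# engine-config --get prints "Key:" before the value and "version: ..." after
# it (see the output quoted in the thread); strip both. Usage:
#   engine-config --get IPTablesConfig | strip_engine_config IPTablesConfig
strip_engine_config() {
  sed -e "s/^$1:[[:space:]]*//" -e 's/[[:space:]]*version: [^[:space:]]*$//' | sed '/^$/d'
}

# render_rules TEMPLATE CUSTOM -> merged ruleset on stdout, non-zero on refusal.
render_rules() {
  # Assumption: the placeholder sits on a line of its own, exactly once.
  # Refusing otherwise avoids loading a ruleset that silently lacks the rules.
  if [ "$(printf '%s\n' "$1" | grep -cx "$PLACEHOLDER")" -ne 1 ]; then
    echo "template must contain $PLACEHOLDER exactly once" >&2; return 1
  fi
  # Policy of this example: custom rules may only append to INPUT, so a pasted
  # flush, policy change or table header cannot ride along.
  if printf '%s\n' "$2" | grep -v '^$' | grep -qv '^-A INPUT '; then
    echo "custom rules must all start with '-A INPUT '" >&2; return 1
  fi
  printf '%s\n' "$1" | while IFS= read -r line; do
    if [ "$line" = "$PLACEHOLDER" ]; then printf '%s\n' "$2"; else printf '%s\n' "$line"; fi
  done
}

# Run as root on the host: parse-only check first, load only if it passes.
apply_rules() {
  iptables-restore --test < "$1" && iptables-restore < "$1"
}

# Constructed sample input (not the real IPTablesConfig value).
SAMPLE_TEMPLATE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
@CUSTOM_RULES@
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
SAMPLE_CUSTOM="-A INPUT -p tcp --dport 2301 -j ACCEPT -m comment --comment 'HPE System Management Homepage'
-A INPUT -p tcp --dport 2381 -j ACCEPT -m comment --comment 'HPE System Management Homepage (Secure port)'"
```

Write the output of `render_rules` to a file, copy it to the host and pass that file to `apply_rules`; position matters, because the custom ACCEPT rules only take effect if they land ahead of the template's final REJECT.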