Bug 1111513

Summary: [RFE][host-deploy] custom iptables rules
Product: [Retired] oVirt
Reporter: Jiří Sléžka <jiri.slezka>
Component: ovirt-engine-core
Assignee: Alon Bar-Lev <alonbl>
Status: CLOSED CURRENTRELEASE
QA Contact: Meni Yakove <myakove>
Severity: medium
Priority: unspecified
Version: unspecified
CC: alonbl, gklein, iheim, mpavlik, obasan, rbalakri, s.kieske, yeylon
Keywords: Improvement, Triaged
Target Release: 3.5.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: network
Fixed In Version: ovirt-engine-3.5.0_beta
Doc Type: Enhancement
Last Closed: 2014-10-17 12:39:45 UTC
Type: Bug
oVirt Team: Network

Description Jiří Sléžka 2014-06-20 08:33:06 UTC
Description of problem:

It would be nice to have the possibility to specify custom iptables rules which persist across host reinstall/upgrade.

For example, I have zabbix agents installed on all hosts and thus an iptables rule allowing connections from our zabbix server. Sadly, I have to manually restore an iptables backup after a host upgrade (initiated from the oVirt manager).


Version-Release number of selected component (if applicable):


How reproducible:
Steps to Reproduce:

1. manually modify /etc/sysconfig/iptables on the hosts
2. switch this host to maintenance in the oVirt manager
3. upgrade/reinstall

Actual results:

after the upgrade, the custom iptables rules are gone


Expected results:

custom iptables rules persist


Additional info:

We discussed this on the ovirt-users list (adding another vdc config option for user-defined rules):

http://lists.ovirt.org/pipermail/users/2014-June/025265.html

Comment 1 Sven Kieske 2014-06-20 09:00:10 UTC
Workaround: during engine-setup answer to the question: should iptables/firewalld
get configured by ovirt? no

Comment 2 Jiří Sléžka 2014-06-20 09:24:07 UTC
(In reply to Sven Kieske from comment #1)
> Workaround: during engine-setup answer to the question: should
> iptables/firewalld
> get configured by ovirt? no

But this option relates only to iptables on the oVirt manager node, is that right? I would like to persist custom iptables rules across host upgrades.

Comment 3 Alon Bar-Lev 2014-06-20 10:36:43 UTC
add IPTablesConfigForVirt like for custom.

Comment 4 Martin Pavlik 2014-09-03 15:07:16 UTC
@Alon

could you please provide doc text and steps how to use IPTablesConfigSiteCustom

help text 
IPTablesConfigSiteCustom: "iptables site custom configuration, appended to IPTablesConfig" (Value Type: String)

does not really do it; it does not even mention how to delimit the rules

I've tried 
engine-config --set IPTablesConfigSiteCustom="-A INPUT -p tcp --dport 55555 -j ACCEPT"

service ovirt-engine restart

and that works

but I don't know how to add two or more rules

Comment 5 Alon Bar-Lev 2014-09-03 15:14:28 UTC
(In reply to Martin Pavlik from comment #4)
> @Alon
> 
> could you please provide doc text and steps how to use
> IPTablesConfigSiteCustom
> 
> help text 
> IPTablesConfigSiteCustom: "iptables site custom configuration, appended to
> IPTablesConfig" (Value Type: String)
> 
> does not really do it, it does not even mention how to delimit the rules

you can see example for built-in rules IPTablesConfig, IPTablesConfigForGluster, IPTablesConfigSiteCustom.

> I've tried 
> engine-config --set IPTablesConfigSiteCustom="-A INPUT -p tcp --dport 55555
> -j ACCEPT"
> 
> service ovirt-engine restart
> 
> and that works
> 
> but I don't know how to add two or more rules

try:

engine-config --set IPTablesConfigSiteCustom="-A INPUT -p tcp --dport 55555 -j ACCEPT
-A INPUT -p tcp --dport 55556 -j ACCEPT
"

Comment 6 Martin Pavlik 2014-09-04 09:09:23 UTC
where do I find IPTablesConfig, IPTablesConfigForGluster, IPTablesConfigSiteCustom ?

1)
tried 
engine-config --set IPTablesConfigSiteCustom="-A INPUT -p tcp --dport 55555 -j ACCEPT -A INPUT -p tcp --dport 55556 -j ACCEPT"

produces single line in iptables
-A INPUT -p tcp --dport 55555 -j ACCEPT -A INPUT -p tcp --dport 55556 -j ACCEPT
which does not work

2)
tried
engine-config --set IPTablesConfigSiteCustom="###my custom rules, -A INPUT -p tcp --dport 55555 -j ACCEPT, -A INPUT -p tcp --dport 55556 -j ACCEPT"

produces single line in iptables
/etc/sysconfig/iptables.20140904105907:###my custom rules, -A INPUT -p tcp --dport 55555 -j ACCEPT, -A INPUT -p tcp --dport 55556 -j ACCEPT
which does not work

3)
tried
engine-config --set IPTablesConfigSiteCustom="###my custom rules\n -A INPUT -p tcp --dport 55555 -j ACCEPT\n -A INPUT -p tcp --dport 55556 -j ACCEPT"

produces single line in iptables
/etc/sysconfig/iptables:###my custom rules\n -A INPUT -p tcp --dport 55555 -j ACCEPT\n -A INPUT -p tcp --dport 55556 -j ACCEPT
does not work


how to do the delimiting?

Comment 7 Alon Bar-Lev 2014-09-04 09:58:00 UTC
it should work using:

xxxxx="line1
line2
line3
"

Comment 8 Martin Pavlik 2014-09-04 10:16:20 UTC
I wonder how the customer is supposed to figure out how to use the command

@Alon is it possible to place some example or hint somewhere?

what works is

1) engine-config --set IPTablesConfigSiteCustom=" (now press enter)
2) (input line 1) -A INPUT -p tcp --dport 55555 -j ACCEPT (press enter)
3) (input line 2) -A INPUT -p tcp --dport 55556 -j ACCEPT" (press enter; note the double quotes at the end)
4) service ovirt-engine restart

or 

write the text in gedit including formatting and copy paste it between the quotes in the command

Comment 9 Alon Bar-Lev 2014-09-04 10:19:52 UTC
the following should input two lines; please write it as-is within the cli:

# engine-config --set IPTablesConfigSiteCustom="-A INPUT -p tcp --dport 55555 -j ACCEPT
-A INPUT -p tcp --dport 55556 -j ACCEPT
"

then:

# engine-config --get IPTablesConfigSiteCustom
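
Putting comments 6 to 9 together as an added example (my code, not oVirt's own, and not part of the bug report): a small POSIX-sh helper that builds a newline-delimited IPTablesConfigSiteCustom value, rejects the three shapes that failed in comment 6 (rules glued on one line, rules behind a leading `#`, a literal `\n`), and renders where the rules end up in a host ruleset. The template is a constructed stand-in; the assumption that the engine inserts the value at a `@CUSTOM_RULES@` placeholder ahead of the final REJECT rule is mine, as are the Zabbix agent port and server address in the usage comment, and the helper names `build_site_custom`, `check_site_custom` and `render_iptables`.

```shell
#!/bin/sh
# Added example (not oVirt's code): prepare and sanity-check a multi-line
# IPTablesConfigSiteCustom value before passing it to engine-config.
# Assumptions: one iptables rule per line (iptables-restore parses the
# generated file line by line), and the engine substitutes the value for a
# @CUSTOM_RULES@ placeholder placed before the catch-all REJECT rule.

# Join the given rules into a newline-delimited value, one rule per line.
# This is the delimiting that comment 6 tried to guess: real newlines, not
# spaces, commas or a literal backslash-n.
build_site_custom() {
    printf '%s\n' "$@"
}

# Validate a candidate value. Every non-blank line must be either a comment
# or a single '-A <chain> ...' / '-I <chain> ...' rule. Returns 1 (with a
# reason on stderr) for the malformed shapes from comment 6, or if no rule
# survives the check at all.
check_site_custom() {
    _value=$1
    _rules=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in
            '') ;;
            *'\n'*)
                echo "literal \\n instead of a real newline: $_line" >&2; return 1 ;;
            '#'*)
                # A '#' line is a comment; a rule written after it is ignored.
                case "$_line" in
                    *' -A '*|*' -I '*)
                        echo "rule hidden in a comment line: $_line" >&2; return 1 ;;
                esac ;;
            '-A '*|'-I '*)
                # Two rules on one line make one unparsable rule.
                case "$_line" in
                    *' -A '*|*' -I '*)
                        echo "two rules on one line: $_line" >&2; return 1 ;;
                esac
                _rules=$((_rules + 1)) ;;
            *)
                echo "not an iptables rule: $_line" >&2; return 1 ;;
        esac
    done <<EOF
$_value
EOF
    [ "$_rules" -gt 0 ]
}

# Constructed stand-in for the engine's IPTablesConfig template (the real one
# is longer). The site rules go in at the placeholder, so they are evaluated
# before the final REJECT drops everything else.
BASE_TEMPLATE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 54321 -j ACCEPT
@CUSTOM_RULES@
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print the host ruleset with the site rules substituted at the placeholder.
render_iptables() {
    printf '%s\n' "$BASE_TEMPLATE" | while IFS= read -r _line; do
        if [ "$_line" = '@CUSTOM_RULES@' ]; then
            printf '%s\n' "$1"
        else
            printf '%s\n' "$_line"
        fi
    done
}

# Typical use on the engine host (engine-config is the real oVirt CLI; the
# Zabbix agent port and server address below are placeholders):
#   rules=$(build_site_custom \
#       '# site rules: Zabbix agent' \
#       '-A INPUT -s 192.0.2.10 -p tcp --dport 10050 -j ACCEPT')
#   check_site_custom "$rules" && engine-config --set IPTablesConfigSiteCustom="$rules"
#   service ovirt-engine restart
```

Because `$(build_site_custom ...)` yields a value with embedded newlines, the `engine-config --set` call receives exactly the two-line form shown in comment 9 without having to press enter inside the quotes. After the next host reinstall, `iptables-restore --test < /etc/sysconfig/iptables` on the host is the definitive parse check; the `check_site_custom` function above only catches the formatting mistakes seen in this report.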

Comment 10 Martin Pavlik 2014-09-04 11:19:34 UTC
verified
oVirt Engine Version: 3.5.0-0.0.master.20140821064931.gitb794d66.el6

Comment 11 Sandro Bonazzola 2014-10-17 12:39:45 UTC
oVirt 3.5 has been released and should include the fix for this issue.