Bug 1191074

Summary: [RFE][HC] make override of iptables configurable when using hosted-engine
Product: Red Hat Enterprise Virtualization Manager
Reporter: Sandro Bonazzola <sbonazzo>
Component: ovirt-hosted-engine-setup
Assignee: Sandro Bonazzola <sbonazzo>
Status: CLOSED ERRATA
QA Contact: Nikolai Sednev <nsednev>
Severity: high
Priority: high
Version: 3.4.0
CC: andrew, bugs, dfediuck, didi, giuseppe.ragusa, gklein, herrold, iheim, istein, lsurette, lveyde, mavital, melewis, rbalakri, sbonazzo, sherold, s.kieske, stirabos, yeylon, ykaul
Target Milestone: ovirt-3.6.0-rc
Keywords: FutureFeature, Triaged, ZStream
Target Release: 3.6.0
Flags: sherold: Triaged+
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Doc Text:
Previously, user-defined iptables rules were overwritten when the host was added to the Manager and the automatic configuration of the firewall was turned off. Now, when the automatic configuration of the firewall is turned off, the iptables rules will not be rewritten.
Clone Of: 1080823
: 1192462
Last Closed: 2016-03-09 19:07:55 UTC
Type: Bug
oVirt Team: Integration
Bug Depends On: 1080823
Bug Blocks: 1175354

Description Sandro Bonazzola 2015-02-10 12:46:11 UTC
+++ This bug was initially created as a clone of Bug #1080823 +++

Description of problem:

current behaviour is to always rewrite iptables, which may break
existing rules
Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
it's always set - ' override_iptables=True '
http://gerrit.ovirt.org/gitweb?p=ovirt-hosted-engine-setup.git;a=blob;f=src/plugins/ovirt-hosted-engine-setup/engine/add_host.py

Expected results:
make it work :)

Additional info:
See this ML - Thread:
http://lists.ovirt.org/pipermail/users/2014-March/022674.html

--- Additional comment from Giuseppe Ragusa on 2014-03-26 15:23:07 EDT ---

(In reply to Sven Kieske from comment #0)
> Description of problem:
> 
> current behaviour is to always rewrite iptables, which may break
> existing rules
> Version-Release number of selected component (if applicable):
> 
> 
> How reproducible:
> always
> 
> Steps to Reproduce:
> 1.
> 2.
> 3.
> 
> Actual results:
> it's always set - ' override_iptables=True '
> http://gerrit.ovirt.org/gitweb?p=ovirt-hosted-engine-setup.git;a=blob;f=src/
> plugins/ovirt-hosted-engine-setup/engine/add_host.py
> 
> Expected results:
> make it work :)
> 
> Additional info:
> See this ML - Thread:
> http://lists.ovirt.org/pipermail/users/2014-March/022674.html

Please note that the ML mentioned workaround of using the checkbox from web interface while adding a new node is not applicable to automatic first-node enrollment during self-hosted-engine setup.

--- Additional comment from Sandro Bonazzola on 2014-04-16 09:18:13 EDT ---

Proposal:

When hosted-engine --deploy detects firewall managers and asks

iptables was detected on your computer, do you wish setup to configure it? (Yes, No)[Yes]:

if you answer "no" it should ask:

do you want to prevent automatic configuration on this host? (Yes, No)[Yes]:

and if you answer yes it should take care of creating /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf and avoid adding the host requesting iptables configuration.

--- Additional comment from Yedidyah Bar David on 2014-04-22 03:20:31 EDT ---

(In reply to Sandro Bonazzola from comment #2)
> Proposal:
> 
> When hosted-engine --deploy detects firewall managers and asks
> 
> iptables was detected on your computer, do you wish setup to configure it?
> (Yes, No)[Yes]:
> 
> if you answer "no" it should ask:
> 
> do you want to prevent automatic configuration on this host? (Yes, No)[Yes]:

Well, I am not really certain we need another question for this.

Can you think of a scenario where a user will provide different answers to them?

> 
> and if you answer yes it should take care of creating
> /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf and avoid adding the
> host requesting
> iptables configuration.

I think that if the answer is yes it should call engine_api.hosts.add with 'override_iptables=False'. Adding the file was suggested just as a workaround.

--- Additional comment from Sandro Bonazzola on 2014-08-13 04:20:12 EDT ---

Comment 2 Sandro Bonazzola 2015-02-20 11:07:59 UTC
Automated message: can you please update doctext or set it as not required?

Comment 3 Simone Tiraboschi 2015-03-26 15:17:16 UTC
OVEHOSTED_NETWORK/firewallManager=bool:False should be enough to disable firewall configuration from an answerfile

Comment 4 Ilanit Stein 2015-05-10 07:52:40 UTC
For RFE verification:
It can be tested on 3.6.0-1 or on 3.6.0 alpha (3.6.0-2).
Simple HE deploy, no HC required, also single host is enough.
Upstream (Ovirt) engine and RHEL7.1/7.0 host is OK.

Comment 5 Nikolai Sednev 2015-05-11 08:22:06 UTC
Works for me on these components:
Engine:
ovirt-engine-dwh-setup-3.6.0-0.0.master.20150409095321.20150409094743.git74a02ca.el6.noarch
ovirt-engine-userportal-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-dbscripts-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-reports-3.6.0-0.0.master.20150412080916.20150412080223.git6ea1358.el6.noarch
ovirt-engine-cli-3.6.0.0-0.2.20150225.gitff5c4e8.el6.noarch
ovirt-engine-extensions-api-impl-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-dwh-3.6.0-0.0.master.20150409095321.20150409094743.git74a02ca.el6.noarch
ovirt-engine-setup-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-webadmin-portal-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-backend-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-restapi-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-reports-setup-3.6.0-0.0.master.20150412080916.20150412080223.git6ea1358.el6.noarch
ovirt-engine-sdk-python-3.6.0.0-0.11.20150406.gitd4f1dd0.el6.noarch
ovirt-engine-lib-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-setup-base-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-setup-plugin-ovirt-engine-common-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-websocket-proxy-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-setup-plugin-ovirt-engine-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-tools-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-jboss-as-7.1.1-1.el6.x86_64
ovirt-engine-setup-plugin-websocket-proxy-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
Red Hat Enterprise Linux Server release 6.6 (Santiago)

Host:
ovirt-release-master-001-0.7.master.noarch
ovirt-host-deploy-1.4.0-0.0.master.20150505205623.giteabc23b.el7.noarch
vdsm-4.17.0-743.gite5856da.el7.x86_64
ovirt-hosted-engine-setup-1.3.0-0.0.master.20150505102602.gitb2151c7.el7.noarch
sanlock-3.2.2-2.el7.x86_64
qemu-kvm-rhev-2.1.2-23.el7_1.2.x86_64
mom-0.4.3-1.el7.noarch
ovirt-hosted-engine-ha-1.3.0-0.0.master.20150424113553.20150424113551.git7c14f4c.el7.noarch
ovirt-engine-sdk-python-3.6.0.0-0.12.20150506.git1066fb3.el7.centos.noarch
libvirt-client-1.2.8-16.el7_1.2.x86_64
Red Hat Enterprise Linux Server release 7.1 (Maipo)
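
One way to confirm on a test host that user-defined rules survive deployment, as an added example that is not part of the bug report or of oVirt's code: it compares two `iptables-save` dumps, taken before and after `hosted-engine --deploy`, and reports rules that disappeared and chain policies that changed. The dumps, addresses and ports are constructed samples, and the names `parse_save` and `firewall_drift` are hypothetical.

```python
# Added example: compare iptables-save dumps taken before and after deployment.
# Both dumps are constructed sample data (plain iptables-save, without -c counters).
BEFORE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [12:840]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
COMMIT
"""
AFTER = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [40:3100]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_save(text):
    """Return (rules, policies): rules is a set of (table, rule) pairs,
    policies maps (table, chain) to the chain's default policy."""
    rules, policies, table = set(), {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. *filter
            table = line[1:]
        elif line.startswith(":"):        # chain declaration with policy
            chain, policy = line[1:].split()[:2]   # ignore [pkts:bytes]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):      # appended rule
            rules.add((table, line))
    return rules, policies

def firewall_drift(before, after):
    """Report rules present before but missing after, and policy changes."""
    rules_b, pol_b = parse_save(before)
    rules_a, pol_a = parse_save(after)
    lost = sorted(rules_b - rules_a)
    changed = {k: (v, pol_a.get(k)) for k, v in pol_b.items() if pol_a.get(k) != v}
    return lost, changed

if __name__ == "__main__":
    lost, changed = firewall_drift(BEFORE, AFTER)
    for table, rule in lost:
        print(f"lost   [{table}] {rule}")
    for (table, chain), (old, new) in sorted(changed.items()):
        print(f"policy [{table}] {chain}: {old} -> {new}")
```

An empty result from `firewall_drift` means the deployment left the existing ruleset untouched; a source-restricted rule replaced by an unrestricted one shows up as a lost rule.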

Comment 9 errata-xmlrpc 2016-03-09 19:07:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0375.html