Description of problem:
It would be nice to have the possibility to specify custom iptables rules which persist during host reinstall/upgrade. For example, I have zabbix agents installed on all hosts and thus an iptables rule allowing connections from our zabbix server. Sadly I have to manually restore the iptables backup after a host upgrade (initiated from the oVirt manager).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. manually modify /etc/sysconfig/iptables on hosts
2. switch this host to maintenance in the oVirt manager
3. upgrade/reinstall

Actual results:
after upgrade, custom iptables rules are gone

Expected results:
custom iptables rules persist

Additional info:
We discuss this on the ovirt-users list (adding another vdc config for user defined rules)
http://lists.ovirt.org/pipermail/users/2014-June/025265.html
Workaround: during engine-setup, answer "no" to the question: should iptables/firewalld get configured by ovirt?
(In reply to Sven Kieske from comment #1)
> Workaround: during engine-setup answer to the question: should
> iptables/firewalld
> get configured by ovirt? no

But this option relates only to iptables on the oVirt manager node, is that right? I would like to persist custom iptables rules during host upgrade.
add IPTablesConfigForVirt like for custom.
@Alon

could you please provide doc text and steps how to use IPTablesConfigSiteCustom

help text
IPTablesConfigSiteCustom: "iptables site custom configuration, appended to IPTablesConfig" (Value Type: String)

does not really do it, it does not even mention how to delimit the rules

I've tried
engine-config --set IPTablesConfigSiteCustom="-A INPUT -p tcp --dport 55555 -j ACCEPT"

service ovirt-engine restart

and that works

but I don't know how to add two or more rules
(In reply to Martin Pavlik from comment #4)
> @Alon
>
> could you please provide doc text and steps how to use
> IPTablesConfigSiteCustom
>
> help text
> IPTablesConfigSiteCustom: "iptables site custom configuration, appended to
> IPTablesConfig" (Value Type: String)
>
> does not really do it, it does not even mention how to delimit the rules

you can see examples for the built-in rules: IPTablesConfig, IPTablesConfigForGluster, IPTablesConfigSiteCustom.

> I've tried
> engine-config --set IPTablesConfigSiteCustom="-A INPUT -p tcp --dport 55555
> -j ACCEPT"
>
> service ovirt-engine restart
>
> and that works
>
> but I don't know how to add two or more rules

try:
engine-config --set IPTablesConfigSiteCustom="-A INPUT -p tcp --dport 55555 -j ACCEPT
-A INPUT -p tcp --dport 55556 -j ACCEPT
"
where do I find IPTablesConfig, IPTablesConfigForGluster, IPTablesConfigSiteCustom ?

1) tried
engine-config --set IPTablesConfigSiteCustom="-A INPUT -p tcp --dport 55555 -j ACCEPT -A INPUT -p tcp --dport 55556 -j ACCEPT"

produces a single line in iptables
-A INPUT -p tcp --dport 55555 -j ACCEPT -A INPUT -p tcp --dport 55556 -j ACCEPT
which does not work

2) tried
engine-config --set IPTablesConfigSiteCustom="###my custom rules, -A INPUT -p tcp --dport 55555 -j ACCEPT, -A INPUT -p tcp --dport 55556 -j ACCEPT"

produces a single line in iptables
/etc/sysconfig/iptables.20140904105907:###my custom rules, -A INPUT -p tcp --dport 55555 -j ACCEPT, -A INPUT -p tcp --dport 55556 -j ACCEPT
which does not work

3) tried
engine-config --set IPTablesConfigSiteCustom="###my custom rules\n -A INPUT -p tcp --dport 55555 -j ACCEPT\n -A INPUT -p tcp --dport 55556 -j ACCEPT"

produces a single line in iptables
/etc/sysconfig/iptables:###my custom rules\n -A INPUT -p tcp --dport 55555 -j ACCEPT\n -A INPUT -p tcp --dport 55556 -j ACCEPT
does not work

how to do the delimiting?
it should work using:
xxxxx="line1
line2
line3
"
I wonder how the customer is supposed to figure out how to use the command. @Alon, is it possible to place some example or hint somewhere?

what works is
1) engine-config --set IPTablesConfigSiteCustom=" (now press enter)
2) (input line 1) -A INPUT -p tcp --dport 55555 -j ACCEPT (press enter)
3) (input line 2) -A INPUT -p tcp --dport 55556 -j ACCEPT" (press enter; note the double quotes at the end)
4) service ovirt-engine restart

or write the text in gedit including formatting and copy-paste it between the quotes in the command
the following should input two lines, please write as-is within the cli:

# engine-config --set IPTablesConfigSiteCustom="-A INPUT -p tcp --dport 55555 -j ACCEPT
-A INPUT -p tcp --dport 55556 -j ACCEPT
"

then:

# engine-config --get IPTablesConfigSiteCustom
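As an added example (not from this bug report or from oVirt itself), a small POSIX shell helper that builds the newline-delimited value the comments above arrive at and refuses the three flattened forms that were tried (literal "\n", commas, everything on one line) before handing the value to engine-config. The helper names are assumptions; the engine-config key, the sample rules and the ports are the ones quoted above.

```shell
#!/bin/sh
# Added example, not oVirt code: helper names are assumed; the key name,
# rules and ports come from the bug comments.

nl="$(printf '\nx')"; nl="${nl%x}"   # one literal newline character

# Join each rule argument with a real newline; that is what engine-config
# stores and what becomes separate lines in /etc/sysconfig/iptables on hosts.
build_site_custom() {
    out=""
    for rule in "$@"; do
        out="${out}${rule}${nl}"
    done
    printf '%s' "$out"
}

# Number of lines iptables-restore would treat as rules (-A / -I).
count_rules() {
    printf '%s\n' "$1" | grep -c '^-[AI] ' || true
}

# Reject values that were flattened: a literal two-character "\n", a rule
# line that carries a second "-A"/"-I" (everything on one line), or a value
# with no rule lines at all (comma-joined text parsed as one comment).
validate_site_custom() {
    case "$1" in *'\n'*) return 1 ;; esac
    while IFS= read -r line; do
        case "$line" in
            '' | '#'*) ;;
            '-A '* | '-I '*)
                case "$line" in *' -A '* | *' -I '*) return 1 ;; esac ;;
            *) return 1 ;;
        esac
    done <<EOF
$1
EOF
    [ "$(count_rules "$1")" -ge 1 ]
}

# On the Engine host only: set the value, read it back, restart the engine.
apply_site_custom() {
    validate_site_custom "$1" || { echo "refusing: rules are not newline-delimited" >&2; return 1; }
    engine-config --set IPTablesConfigSiteCustom="$1" &&
    engine-config --get IPTablesConfigSiteCustom &&
    service ovirt-engine restart
}
```

Run `apply_site_custom "$(build_site_custom '###my custom rules' '-A INPUT -p tcp --dport 55555 -j ACCEPT' '-A INPUT -p tcp --dport 55556 -j ACCEPT')"` on the Engine host; the value is only sent when it passes the checks.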
Verified on oVirt Engine Version: 3.5.0-0.0.master.20140821064931.gitb794d66.el6
oVirt 3.5 has been released and should include the fix for this issue.