Bug 1111513 - [RFE][host-deploy] custom iptables rules
Summary: [RFE][host-deploy] custom iptables rules
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-core
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 3.5.0
Assignee: Alon Bar-Lev
QA Contact: Meni Yakove
URL:
Whiteboard: network
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-06-20 08:33 UTC by Jiří Sléžka
Modified: 2016-02-10 19:38 UTC (History)
8 users (show)

Fixed In Version: ovirt-engine-3.5.0_beta
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-17 12:39:45 UTC
oVirt Team: Network


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
oVirt gerrit 29368 master MERGED host-deploy: add IPTablesConfigSiteCustom vdc_option Never

Description Jiří Sléžka 2014-06-20 08:33:06 UTC
Description of problem:

It would be nice to have possibility to specify custom iptables rules which persist during host reinstall/upgrade.

For example I have zabbix agents installed on all hosts and thus iptables rule allowing connections from our zabbix server. Sadly I have to manually restore iptables backup after host upgrade (initiated from oVirt manager).


Version-Release number of selected component (if applicable):


How reproducible:
Steps to Reproduce:

1. manually modify /etc/sysconfig/iptables on hosts
2. switch this host to maintanace in oVirt manager
3. upgrdae/reinstall 

Actual results:

after upgrade, custom iptables are gone


Expected results:

custom iptables rules persist


Additional info:

We discuss this on ovirt-users list (adding another vdc config for user defined rules)

http://lists.ovirt.org/pipermail/users/2014-June/025265.html

Comment 1 Sven Kieske 2014-06-20 09:00:10 UTC
Workaround: during engine-setup answer to the question: should iptables/firewalld
get configured by ovirt? no

Comment 2 Jiří Sléžka 2014-06-20 09:24:07 UTC
(In reply to Sven Kieske from comment #1)
> Workaround: during engine-setup answer to the question: should
> iptables/firewalld
> get configured by ovirt? no

But this option relates only iptables on oVirt manager node, is that right? I would like to persist custom iptables rules during host upgrade.

Comment 3 Alon Bar-Lev 2014-06-20 10:36:43 UTC
add IPTablesConfigForVirt like for custom.

Comment 4 Martin Pavlik 2014-09-03 15:07:16 UTC
@Alon

could you please provide doc text and steps how to use IPTablesConfigSiteCustom

help text 
IPTablesConfigSiteCustom: "iptables site custom configuration, appended to IPTablesConfig" (Value Type: String)

does not really do it, it does not even mention how to delimit the rules

I've tried 
engine-config --set IPTablesConfigSiteCustom="-A INPUT -p tcp --dport 55555 -j ACCEPT"

service ovirt-engine restart

and that works

but I don't know how to add two or more rules

Comment 5 Alon Bar-Lev 2014-09-03 15:14:28 UTC
(In reply to Martin Pavlik from comment #4)
> @Alon
> 
> could you please provide doc text and steps how to use
> IPTablesConfigSiteCustom
> 
> help text 
> IPTablesConfigSiteCustom: "iptables site custom configuration, appended to
> IPTablesConfig" (Value Type: String)
> 
> does not really do it, it does not even mention how to delimit the rules

you can see example for built-in rules IPTablesConfig, IPTablesConfigForGluster, IPTablesConfigSiteCustom.

> I've tried 
> engine-config --set IPTablesConfigSiteCustom="-A INPUT -p tcp --dport 55555
> -j ACCEPT"
> 
> service ovirt-engine restart
> 
> and that works
> 
> but I don't know how to add two or more rules

try:

engine-config --set IPTablesConfigSiteCustom="-A INPUT -p tcp --dport 55555 -j ACCEPT
-A INPUT -p tcp --dport 55556 -j ACCEPT
"

Comment 6 Martin Pavlik 2014-09-04 09:09:23 UTC
where do I find IPTablesConfig, IPTablesConfigForGluster, IPTablesConfigSiteCustom ?

1)
tried 
engine-config --set IPTablesConfigSiteCustom="-A INPUT -p tcp --dport 55555 -j ACCEPT -A INPUT -p tcp --dport 55556 -j ACCEPT"

produces single line in iptables
-A INPUT -p tcp --dport 55555 -j ACCEPT -A INPUT -p tcp --dport 55556 -j ACCEPT
which does not work

2)
tried
engine-config --set IPTablesConfigSiteCustom="###my custom rules, -A INPUT -p tcp --dport 55555 -j ACCEPT, -A INPUT -p tcp --dport 55556 -j ACCEPT"

produces single line in iptables
/etc/sysconfig/iptables.20140904105907:###my custom rules, -A INPUT -p tcp --dport 55555 -j ACCEPT, -A INPUT -p tcp --dport 55556 -j ACCEPT
which does not work

3)
tried
engine-config --set IPTablesConfigSiteCustom="###my custom rules\n -A INPUT -p tcp --dport 55555 -j ACCEPT\n -A INPUT -p tcp --dport 55556 -j ACCEPT"

produces single line in iptables
/etc/sysconfig/iptables:###my custom rules\n -A INPUT -p tcp --dport 55555 -j ACCEPT\n -A INPUT -p tcp --dport 55556 -j ACCEPT
does not work


how to do the delimiting?

Comment 7 Alon Bar-Lev 2014-09-04 09:58:00 UTC
it should work using:

xxxxx="line1
line2
line3
"

Comment 8 Martin Pavlik 2014-09-04 10:16:20 UTC
I wonder how is the customer supposed to figure out how to use the command

@Alon is it possible to place some example or hint somewhere?

what works is

1) engine-config --set IPTablesConfigSiteCustom=" (now press enter)
2) (input line 1) -A INPUT -p tcp --dport 55555 -j ACCEPT (press enter)
3) (input line 2) -A INPUT -p tcp --dport 55556 -j ACCEPT" (press enter not the double quotes at the end)
4) service ovirt-engine restart

or 

write the text in gedit including formatting and copy paste it between the quotes in the command

Comment 9 Alon Bar-Lev 2014-09-04 10:19:52 UTC
the following should input two lines, please write as-is within cli:

# engine-config --set IPTablesConfigSiteCustom="-A INPUT -p tcp --dport 55555 -j ACCEPT
-A INPUT -p tcp --dport 55556 -j ACCEPT
"

then:

# engine-config --get IPTablesConfigSiteCustom

Comment 10 Martin Pavlik 2014-09-04 11:19:34 UTC
verified
oVirt Engine Version: 3.5.0-0.0.master.20140821064931.gitb794d66.el6

Comment 11 Sandro Bonazzola 2014-10-17 12:39:45 UTC
oVirt 3.5 has been released and should include the fix for this issue.


Note You need to log in before you can comment on or make changes to this bug.