Description of problem:
With the new patch http://gerrit.ovirt.org/#/c/33085/4 the user can review the iptables rules that will be changed, but there's no way to just show them without requiring interaction from the user. It can be helpful if there was a way to just show the diff without needing interaction, mostly for automated tests and automated setup processes.

Version-Release number of selected component (if applicable):
3.6.0

How reproducible:
Run engine setup with the OVESETUP_CONFIG/skipFirewallReview option set to bool:True

Steps to Reproduce:
1. Run engine setup with the OVESETUP_CONFIG/skipFirewallReview option set to bool:True
2.
3.

Actual results:
You are shown the iptables diff and asked to accept

Expected results:
You should be able to specify an option to just show the diff without requiring feedback.

Additional info:
Oops, the option Run engine setup with the OVESETUP_CONFIG/skipFirewallReview has to be set to bool:False or not set at all for it to show the diff and ask for ack.
IMO, if it's just to give info to the user, better just write in closeup: "iptables configuration was changed. more details in the log" (or, backup file is here, etc). If it's for automated testing, then I object. Automated testing should not rely on a product saying "I changed this to that", it should check if indeed it did that...
The idea is not to have it on specific automated tests that check any firewall rules, but to have it enabled on all of them to have some extra information by default in the usual log in case it fails. It also might help on manual installations for integration test environments, where you are not specifically checking the firewall rules, but having it print some information about it might alert the person running the setup that something is odd.
Please provide verification steps.
(In reply to David Necpal from comment #10)
> Please provide verification steps.

Basic flow
==========

1. Install and activate iptables-services
2. Install engine
3. Run engine-setup
4. Accept to configure the firewall
5. If prompted, choose iptables
6. You should be prompted:

Generated iptables rules are different from current ones.
Do you want to review them? (Yes, No) [No]:

Reply Yes.

7. It should output:

Please review the changes:
{diff}
Do you want to proceed with firewall configuration? (Yes, No) [Yes]:

Where {diff} is the difference between your current iptables rules and the new ones.

Now kill engine-setup with ^C. It should exit, and (also) tell you:

Generating answer file {ans}

8. run

engine-setup --config-append={ans}

where {ans} is the answer file generated at (7.)

9. Without this bug (e.g. in 4.1), engine-setup will not show you the difference. With current 4.2, it should output:

These are the changes that will be applied to iptables configuration:
{diff}

Alternate flow 1
================

Replace step 3 with:

engine-setup --otopi-environment=OVESETUP_CONFIG/firewallChangesReview=bool:True

and continue until step 7. You should see the behavior of step 9.

Alternate flow 2
================

1. Install and activate firewalld, install and setup engine with firewalld.
2. Install and activate iptables-services.
3. Run:

engine-setup --offline --otopi-environment=OVESETUP_CONFIG/firewallChangesReview=bool:True

You should see the behavior of step 9.
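The {diff} in the steps above is a comparison of the current iptables rules with the generated ones. As an added example (not oVirt code and not part of the bug report), here is one way an automated check could compute such a diff on its own from two rule dumps in iptables-save format; the sample rule sets and the function names are constructed for illustration.

```python
import difflib
import re

# Constructed sample rule sets in iptables-save format (not from the bug report).
CURRENT = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [120:9000]
:OUTPUT ACCEPT [80:7000]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
GENERATED = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Counters sit at the start of a rule (iptables-save -c) or after a chain policy.
_COUNTERS = re.compile(r"^\[\d+:\d+\]\s*|\s*\[\d+:\d+\]$")


def normalize(text):
    """Drop comments, blank lines and packet/byte counters so only policy remains."""
    lines = (ln.strip() for ln in text.splitlines())
    return [_COUNTERS.sub("", ln) for ln in lines if ln and not ln.startswith("#")]


def rules_diff(current, generated):
    """Unified diff of the normalized rule sets; an empty list means no change."""
    return list(difflib.unified_diff(normalize(current), normalize(generated),
                                     fromfile="current", tofile="generated", lineterm=""))


def added_rules(diff_lines):
    """Rules present only in the generated set (skips the '+++' file header)."""
    return [ln[1:] for ln in diff_lines if ln.startswith("+") and not ln.startswith("+++")]


if __name__ == "__main__":
    print("\n".join(rules_diff(CURRENT, GENERATED)))
```

Normalizing first keeps timestamps and packet counters from showing up as changes, so a non-empty diff always means the rule set itself differs.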
After retest verified on version:
ovirt-engine-4.2.0-0.0.master.20170907100709.git14accac.el7.centos.noarch

Verified based on suggested steps from comment #11
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017. Since the problem described in this bug report should be resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.