Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1146558

Summary: [RFE] Add the possibility to show iptables diff without interaction
Product: [oVirt] ovirt-engine Reporter: David Caro <dcaroest>
Component: RFEsAssignee: Yedidyah Bar David <didi>
Status: CLOSED CURRENTRELEASE QA Contact: David Necpal <dnecpal>
Severity: low Docs Contact:
Priority: low    
Version: ---CC: bugs, didi, eedri, lsurette, lsvaty, rbalakri, sbonazzo, srevivo, ykaul, ylavi
Target Milestone: ovirt-4.2.0Keywords: EasyFix, FutureFeature, Improvement
Target Release: 4.2.0Flags: sbonazzo: ovirt-4.2?
dnecpal: testing_plan_complete-
ylavi: planning_ack?
sbonazzo: devel_ack+
lsvaty: testing_ack+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-20 11:19:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Integration RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Caro 2014-09-25 13:57:37 UTC 
Description of problem:
With the new patch http://gerrit.ovirt.org/#/c/33085/4 the user can review the iptables rules that will be changed, but there's no way to just show them without requiring interaction from the user.
It can be helpful if there was a way to just show the diff without needing interaction, mostly for automated tests and automated setup processes.


Version-Release number of selected component (if applicable):
3.6.0

How reproducible:
Run engine setup with the OVESETUP_CONFIG/skipFirewallReview option set to bool:True

Steps to Reproduce:
1.Run engine setup with the OVESETUP_CONFIG/skipFirewallReview option set to bool:True
2.
3.

Actual results:
You are shown the iptables diff and asked to accept

Expected results:
You should be able to specify an option to just show the diff without requiring feedback.

Additional info:
Comment 1 David Caro 2014-09-25 13:58:46 UTC 
Oops, the option

Run engine setup with the OVESETUP_CONFIG/skipFirewallReview has to be set to bool:False or not set at all for it to show the diff and ask for ack.
Comment 2 Yedidyah Bar David 2014-09-30 07:51:12 UTC 
IMO, if it's just to give info to the user, better just write in closeup:

"iptables configuration was changed. more details in the log" (or, backup file is here, etc).

If it's for automated testing, then I object. Automated testing should not rely on a product saying "I changed this to that", it should check if indeed it did that...
Comment 3 David Caro 2014-10-01 10:41:26 UTC 
The idea is not to have it on specific automated tests that check any firewall rules, but to have it enabled on all of them to have some extra information by default in the usual log in case it fails.

It also might help on manual installations for integration test environments, where you are not specifically checking the firewall rules, but having it print some information about it might alert the person running the setup that something is odd.
Comment 10 David Necpal 2017-09-07 15:23:32 UTC 
Please verification steps.
Comment 11 Yedidyah Bar David 2017-09-10 06:37:09 UTC 
(In reply to David Necpal from comment #10)
> Please verification steps.

Basic flow
==========

1. Install and activate iptables-services

2. Install engine

3. Run engine-setup

4. Accept to configure the firewall

5. If prompted, choose iptables

6. You should be prompted:

    Generated iptables rules are different from current ones.
    Do you want to review them? (Yes, No) [No]:

Reply Yes.

7. It should output:

    Please review the changes:
    {diff}
    Do you want to proceed with firewall configuration? (Yes, No) [Yes]:

Where {diff} is the difference between your current iptables rules and the new ones.

Now kill engine-setup with ^C. It should exit, and (also) tell you:

    Generating answer file {ans}

8. run engine-setup --config-append={ans}

where {ans} is the answer file generated at (7.)

9. Without this bug (e.g. in 4.1), engine-setup will not show you the difference. With current 4.2, it should output:

    These are the changes that will be applied to iptables configuration:
    {diff}

Alternate flow 1
================

Replace step 3 with:

engine-setup --otopi-environment=OVESETUP_CONFIG/firewallChangesReview=bool:True

and continue until step 7. You should see the behavior of step 9.

Alternate flow 2
================

1. Install and activate firewalld, install and setup engine with firewalld.

2. Install and activate iptables-services.

3. Run:

engine-setup --offline --otopi-environment=OVESETUP_CONFIG/firewallChangesReview=bool:True

You should see the behavior of step 9.
Comment 12 David Necpal 2017-09-11 13:24:53 UTC 
After retest verified on version:
ovirt-engine-4.2.0-0.0.master.20170907100709.git14accac.el7.centos.noarch

Verified based on suggested steps from comment #11
Comment 13 Sandro Bonazzola 2017-12-20 11:19:02 UTC 
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be
resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.