Bug 1191074 - [RFE][HC] make override of iptables configurable when using hosted-engine
Summary: [RFE][HC] make override of iptables configurable when using hosted-engine
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-hosted-engine-setup
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ovirt-3.6.0-rc
: 3.6.0
Assignee: Sandro Bonazzola
QA Contact: Nikolai Sednev
URL:
Whiteboard:
Depends On: 1080823
Blocks: Hosted_Engine_HC
TreeView+ depends on / blocked
 
Reported: 2015-02-10 12:46 UTC by Sandro Bonazzola
Modified: 2016-03-09 19:07 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Previously, user defined iptables rules were overwritten when the host was added to the Manager and the automatic configuration of the firewall was turned off. Now, when the automatic configuration of the firewall is turned off the iptables rules will not be rewritten.
Clone Of: 1080823
: 1192462 (view as bug list)
Environment:
Last Closed: 2016-03-09 19:07:55 UTC
oVirt Team: Integration
Target Upstream Version:
sherold: Triaged+


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1192462 high CLOSED [RFE][HC] make override of iptables configurable when using hosted-engine 2020-10-14 00:28:05 UTC
Red Hat Product Errata RHEA-2016:0375 normal SHIPPED_LIVE ovirt-hosted-engine-setup bug fix and enhancement update 2016-03-09 23:48:34 UTC
oVirt gerrit 37535 None None None Never
oVirt gerrit 37660 ovirt-hosted-engine-setup-1.2 MERGED packaging: setup: allow to disable iptables overriding Never

Internal Links: 1192462

Description Sandro Bonazzola 2015-02-10 12:46:11 UTC
+++ This bug was initially created as a clone of Bug #1080823 +++

Description of problem:

current behaviour is to always rewrite iptables, which may brake
existing rules
Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
it's always set - ' override_iptables=True '
http://gerrit.ovirt.org/gitweb?p=ovirt-hosted-engine-setup.git;a=blob;f=src/plugins/ovirt-hosted-engine-setup/engine/add_host.py

Expected results:
make it work :)

Additional info:
See this ML - Thread:
http://lists.ovirt.org/pipermail/users/2014-March/022674.html

--- Additional comment from Giuseppe Ragusa on 2014-03-26 15:23:07 EDT ---

(In reply to Sven Kieske from comment #0)
> Description of problem:
> 
> current behaviour is to always rewrite iptables, which may brake
> existing rules
> Version-Release number of selected component (if applicable):
> 
> 
> How reproducible:
> always
> 
> Steps to Reproduce:
> 1.
> 2.
> 3.
> 
> Actual results:
> it's always set - ' override_iptables=True '
> http://gerrit.ovirt.org/gitweb?p=ovirt-hosted-engine-setup.git;a=blob;f=src/
> plugins/ovirt-hosted-engine-setup/engine/add_host.py
> 
> Expected results:
> make it work :)
> 
> Additional info:
> See this ML - Thread:
> http://lists.ovirt.org/pipermail/users/2014-March/022674.html

Please note that the ML mentioned workaround of using the checkbox from web interface while adding a new node is not applicable to automatic first-node enrollment during self-hosted-engine setup.

--- Additional comment from Sandro Bonazzola on 2014-04-16 09:18:13 EDT ---

Proposal:

When hosted-engine --deploy detect firewall managers and ask

iptables was detected on your computer, do you wish setup to configure it? (Yes, No)[Yes]:

if you answer "no" it should ask:

do you want to prevent automatic configuration on this host? (Yes, No)[Yes]:

and if you answer yes it should take care of creating /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf and avoid to add the host requesting
iptables configuration.

--- Additional comment from Yedidyah Bar David on 2014-04-22 03:20:31 EDT ---

(In reply to Sandro Bonazzola from comment #2)
> Proposal:
> 
> When hosted-engine --deploy detect firewall managers and ask
> 
> iptables was detected on your computer, do you wish setup to configure it?
> (Yes, No)[Yes]:
> 
> if you answer "no" it should ask:
> 
> do you want to prevent automatic configuration on this host? (Yes, No)[Yes]:

Well, I am not really certain we need another question for this.

Can you think of a scenario where a user will provide different answers to them?

> 
> and if you answer yes it should take care of creating
> /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf and avoid to add the
> host requesting
> iptables configuration.

I think that if the answer is yes it should call engine_api.hosts.add with 'override_iptables=False'. Adding the file was suggested just as a workaround.

--- Additional comment from Sandro Bonazzola on 2014-08-13 04:20:12 EDT ---

Comment 2 Sandro Bonazzola 2015-02-20 11:07:59 UTC
Automated message: can you please update doctext or set it as not required?

Comment 3 Simone Tiraboschi 2015-03-26 15:17:16 UTC
OVEHOSTED_NETWORK/firewallManager=bool:False should be enough to disable firewall configuration from an answerfile

Comment 4 Ilanit Stein 2015-05-10 07:52:40 UTC
For RFE verification:
It can be tested on 3.6.0-1 or on 3.6.0 alpha (3.6.0-2).
Simple HE deploy, no HC required, also single host is enough.
Upstream (Ovirt) engine and RHEL7.1/7.0 host is OK.

Comment 5 Nikolai Sednev 2015-05-11 08:22:06 UTC
Works for me on these components:
Engine:
ovirt-engine-dwh-setup-3.6.0-0.0.master.20150409095321.20150409094743.git74a02ca.el6.noarch
ovirt-engine-userportal-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-dbscripts-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-reports-3.6.0-0.0.master.20150412080916.20150412080223.git6ea1358.el6.noarch
ovirt-engine-cli-3.6.0.0-0.2.20150225.gitff5c4e8.el6.noarch
ovirt-engine-extensions-api-impl-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-dwh-3.6.0-0.0.master.20150409095321.20150409094743.git74a02ca.el6.noarch
ovirt-engine-setup-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-webadmin-portal-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-backend-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-restapi-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-reports-setup-3.6.0-0.0.master.20150412080916.20150412080223.git6ea1358.el6.noarch
ovirt-engine-sdk-python-3.6.0.0-0.11.20150406.gitd4f1dd0.el6.noarch
ovirt-engine-lib-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-setup-base-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-setup-plugin-ovirt-engine-common-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-websocket-proxy-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-setup-plugin-ovirt-engine-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-tools-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
ovirt-engine-jboss-as-7.1.1-1.el6.x86_64
ovirt-engine-setup-plugin-websocket-proxy-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch
Red Hat Enterprise Linux Server release 6.6 (Santiago)

Host:
ovirt-release-master-001-0.7.master.noarch
ovirt-host-deploy-1.4.0-0.0.master.20150505205623.giteabc23b.el7.noarch
vdsm-4.17.0-743.gite5856da.el7.x86_64
ovirt-hosted-engine-setup-1.3.0-0.0.master.20150505102602.gitb2151c7.el7.noarch
sanlock-3.2.2-2.el7.x86_64
qemu-kvm-rhev-2.1.2-23.el7_1.2.x86_64
mom-0.4.3-1.el7.noarch
ovirt-hosted-engine-ha-1.3.0-0.0.master.20150424113553.20150424113551.git7c14f4c.el7.noarch
ovirt-engine-sdk-python-3.6.0.0-0.12.20150506.git1066fb3.el7.centos.noarch
libvirt-client-1.2.8-16.el7_1.2.x86_64
Red Hat Enterprise Linux Server release 7.1 (Maipo)

Comment 9 errata-xmlrpc 2016-03-09 19:07:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0375.html


Note You need to log in before you can comment on or make changes to this bug.