+++ This bug was initially created as a clone of Bug #1080823 +++ Description of problem: current behaviour is to always rewrite iptables, which may brake existing rules Version-Release number of selected component (if applicable): How reproducible: always Steps to Reproduce: 1. 2. 3. Actual results: it's always set - ' override_iptables=True ' http://gerrit.ovirt.org/gitweb?p=ovirt-hosted-engine-setup.git;a=blob;f=src/plugins/ovirt-hosted-engine-setup/engine/add_host.py Expected results: make it work :) Additional info: See this ML - Thread: http://lists.ovirt.org/pipermail/users/2014-March/022674.html --- Additional comment from Giuseppe Ragusa on 2014-03-26 15:23:07 EDT --- (In reply to Sven Kieske from comment #0) > Description of problem: > > current behaviour is to always rewrite iptables, which may brake > existing rules > Version-Release number of selected component (if applicable): > > > How reproducible: > always > > Steps to Reproduce: > 1. > 2. > 3. > > Actual results: > it's always set - ' override_iptables=True ' > http://gerrit.ovirt.org/gitweb?p=ovirt-hosted-engine-setup.git;a=blob;f=src/ > plugins/ovirt-hosted-engine-setup/engine/add_host.py > > Expected results: > make it work :) > > Additional info: > See this ML - Thread: > http://lists.ovirt.org/pipermail/users/2014-March/022674.html Please note that the ML mentioned workaround of using the checkbox from web interface while adding a new node is not applicable to automatic first-node enrollment during self-hosted-engine setup. --- Additional comment from Sandro Bonazzola on 2014-04-16 09:18:13 EDT --- Proposal: When hosted-engine --deploy detect firewall managers and ask iptables was detected on your computer, do you wish setup to configure it? (Yes, No)[Yes]: if you answer "no" it should ask: do you want to prevent automatic configuration on this host? (Yes, No)[Yes]: and if you answer yes it should take care of creating /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf and avoid to add the host requesting iptables configuration. --- Additional comment from Yedidyah Bar David on 2014-04-22 03:20:31 EDT --- (In reply to Sandro Bonazzola from comment #2) > Proposal: > > When hosted-engine --deploy detect firewall managers and ask > > iptables was detected on your computer, do you wish setup to configure it? > (Yes, No)[Yes]: > > if you answer "no" it should ask: > > do you want to prevent automatic configuration on this host? (Yes, No)[Yes]: Well, I am not really certain we need another question for this. Can you think of a scenario where a user will provide different answers to them? > > and if you answer yes it should take care of creating > /etc/ovirt-host-deploy.conf.d/99-prevent-iptables.conf and avoid to add the > host requesting > iptables configuration. I think that if the answer is yes it should call engine_api.hosts.add with 'override_iptables=False'. Adding the file was suggested just as a workaround. --- Additional comment from Sandro Bonazzola on 2014-08-13 04:20:12 EDT ---
Automated message: can you please update doctext or set it as not required?
OVEHOSTED_NETWORK/firewallManager=bool:False should be enough to disable firewall configuration from an answerfile
For RFE verification: It can be tested on 3.6.0-1 or on 3.6.0 alpha (3.6.0-2). Simple HE deploy, no HC required, also single host is enough. Upstream (Ovirt) engine and RHEL7.1/7.0 host is OK.
Works for me on these components: Engine: ovirt-engine-dwh-setup-3.6.0-0.0.master.20150409095321.20150409094743.git74a02ca.el6.noarch ovirt-engine-userportal-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch ovirt-engine-dbscripts-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch ovirt-engine-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch ovirt-engine-reports-3.6.0-0.0.master.20150412080916.20150412080223.git6ea1358.el6.noarch ovirt-engine-cli-3.6.0.0-0.2.20150225.gitff5c4e8.el6.noarch ovirt-engine-extensions-api-impl-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch ovirt-engine-dwh-3.6.0-0.0.master.20150409095321.20150409094743.git74a02ca.el6.noarch ovirt-engine-setup-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch ovirt-engine-webadmin-portal-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch ovirt-engine-backend-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch ovirt-engine-restapi-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch ovirt-engine-reports-setup-3.6.0-0.0.master.20150412080916.20150412080223.git6ea1358.el6.noarch ovirt-engine-sdk-python-3.6.0.0-0.11.20150406.gitd4f1dd0.el6.noarch ovirt-engine-lib-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch ovirt-engine-setup-base-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch ovirt-engine-setup-plugin-ovirt-engine-common-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch ovirt-engine-websocket-proxy-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch ovirt-engine-setup-plugin-ovirt-engine-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch ovirt-engine-tools-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch ovirt-engine-jboss-as-7.1.1-1.el6.x86_64 ovirt-engine-setup-plugin-websocket-proxy-3.6.0-0.0.master.20150412172306.git55ba764.el6.noarch Red Hat Enterprise Linux Server release 6.6 (Santiago) Host: ovirt-release-master-001-0.7.master.noarch ovirt-host-deploy-1.4.0-0.0.master.20150505205623.giteabc23b.el7.noarch vdsm-4.17.0-743.gite5856da.el7.x86_64 ovirt-hosted-engine-setup-1.3.0-0.0.master.20150505102602.gitb2151c7.el7.noarch sanlock-3.2.2-2.el7.x86_64 qemu-kvm-rhev-2.1.2-23.el7_1.2.x86_64 mom-0.4.3-1.el7.noarch ovirt-hosted-engine-ha-1.3.0-0.0.master.20150424113553.20150424113551.git7c14f4c.el7.noarch ovirt-engine-sdk-python-3.6.0.0-0.12.20150506.git1066fb3.el7.centos.noarch libvirt-client-1.2.8-16.el7_1.2.x86_64 Red Hat Enterprise Linux Server release 7.1 (Maipo)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-0375.html