[ovirt-users] Re: iptables with 4.3+?

2019-07-15 Thread Yedidyah Bar David
On Thu, Jul 4, 2019 at 10:20 PM Darrell Budic wrote:
>
> I’m in the same boat, puppet managing iptables rules, and was able to 
> continue forcing it on my 4.3.x ovirt systems. Engine-setup complains all the 
> time, but so far it hasn’t broken anything.

By "complains all the time", do you mean that it asks "Do you want Setup
to configure the firewall?"?

If you reply 'No', it shouldn't do anything at all to the firewall.

If you reply 'Yes' and it breaks stuff, please report a bug. Thanks.

If you want to get rid of this question, you can add to your
answerfile (or your own custom .conf file in
/etc/ovirt-engine-setup.conf.d/ ):

OVESETUP_CONFIG/updateFirewall=bool:False

See also:

https://www.ovirt.org/develop/developer-guide/engine/engine-setup.html

>   -Darrell
>
>
> > On Jul 4, 2019, at 9:38 AM, Jordan Conway wrote:
> >
> > Hello,
> > I'm working on migrating an existing ovirt setup to a new hosted-engine 
> > setup and I've been seeing messages about iptables support being deprecated 
> > and slated to be removed.
> > Can I continue using iptables to manage the firewalls on my ovirt hosts if 
> > I don't care about allowing ovirt to configure the firewalls?

I think you can.

> > We manage all of our machines with puppet and iptables is deeply integrated 
> > into this. It would be non-trivial to migrate to firewalld support.
> > As it stands I already manage the firewall rules for our ovirt hosts with 
> > puppet and iptables and have always ignored the "Automatically Configure 
> > Firewall" option when adding new hosts. Will this continue to work?
> >
> > Also with hosted engine, I had to cowboy enable firewalld to get the engine 
> > installed, but now that I've got a cluster up and running with hosted 
> > engine enabled on several hosts, can I just switch back from firewalld to 
> > iptables assuming I've got all the correct ports open?

I think it's only enforced during initial setup, as you saw yourself - see also:

https://bugzilla.redhat.com/show_bug.cgi?id=1608467

Best regards,
-- 
Didi
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/UCOVTFWJUR74PU3GEH6WUGVXYQAZGZWN/
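
An added example, not part of the original message or of oVirt's own code: a small audit for the drop-in approach described in the reply above, reporting which `OVESETUP_CONFIG/updateFirewall` value a directory of `.conf` files would yield. It assumes drop-ins are read in lexical order with the last assignment winning and that settings sit under an `[environment:default]` section; the file names are hypothetical.

```shell
#!/bin/sh
# Added example: report the OVESETUP_CONFIG/updateFirewall value that a
# directory of engine-setup drop-ins would yield.
# Assumption: *.conf files are read in lexical order, last assignment wins.

KEY='OVESETUP_CONFIG/updateFirewall'

# Print the last value assigned to KEY across DIR/*.conf, or "unset".
effective_update_firewall() {
    dir=$1
    value=unset
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Commented-out lines do not match the anchored pattern.
        v=$(sed -n "s|^[[:space:]]*$KEY[[:space:]]*=[[:space:]]*||p" "$f" | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s\n' "$value"
}

# Write a drop-in that answers the firewall question with "No".
write_no_firewall_dropin() {
    dir=$1
    name=${2:-99-keep-iptables.conf}   # hypothetical file name
    cat > "$dir/$name" <<EOF
[environment:default]
$KEY=bool:False
EOF
}

# Constructed demo in a scratch directory (not /etc/ovirt-engine-setup.conf.d).
demo() {
    tmp=$(mktemp -d)
    # Constructed earlier drop-in that would let Setup touch the firewall.
    printf '[environment:default]\n%s=bool:True\n' "$KEY" > "$tmp/10-site.conf"
    before=$(effective_update_firewall "$tmp")
    write_no_firewall_dropin "$tmp"
    after=$(effective_update_firewall "$tmp")
    rm -rf "$tmp"
    printf '%s %s\n' "$before" "$after"
}

demo
```

Pointing `effective_update_firewall` at `/etc/ovirt-engine-setup.conf.d` from a configuration-management check flags the case where a later drop-in re-enables firewall changes.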


[ovirt-users] Re: iptables with 4.3+?

2019-07-10 Thread Strahil
Firewalld was deployed in EL7 because they've got plans of getting rid of
iptables.
With EL8, we got only emulation of iptables for backward compatibility.

Also, the integration between NetworkManager.service and firewalld is quite
good, which is another reason behind that.

Last but not least, in the enterprise almost all systems are with firewalld
down and behind hardware-based appliances, keeping the complex filtering
away from the systems.
Thus firewalld is nice for simple tasks, while complex tasks require nftables
...

It makes sense and we have to deal with the changes or get extended support for
as long as possible :)


Best Regards,
Strahil Nikolov

On Jul 10, 2019 18:13, Michael Watters wrote:
>
> Same here.  Our engine is configured to use iptables and works fine.  I 
> really wish RedHat would stop trying to force firewalld on everything.  
> It isn't needed and causes issues with environments using the 
> puppetlabs-firewall module. 
>
> On 7/4/19 3:17 PM, Darrell Budic wrote: 
> > I’m in the same boat, puppet managing iptables rules, and was able to 
> > continue forcing it on my 4.3.x ovirt systems. Engine-setup complains all 
> > the time, but so far it hasn’t broken anything. 
> > 
> >   -Darrell 
> > 
> > 
> >> On Jul 4, 2019, at 9:38 AM, Jordan Conway wrote:
> >> 
> >> Hello, 
> >> I'm working on migrating an existing ovirt setup to a new hosted-engine 
> >> setup and I've been seeing messages about iptables support being 
> >> deprecated and slated to be removed. 
> >> Can I continue using iptables to manage the firewalls on my ovirt hosts if 
> >> I don't care about allowing ovirt to configure the firewalls? 
> >> We manage all of our machines with puppet and iptables is deeply 
> >> integrated into this. It would be non-trivial to migrate to firewalld 
> >> support. 
> >> As it stands I already manage the firewall rules for our ovirt hosts with 
> >> puppet and iptables and have always ignored the "Automatically Configure 
> >> Firewall" option when adding new hosts. Will this continue to work? 
> >> 
> >> Also with hosted engine, I had to cowboy enable firewalld to get the 
> >> engine installed, but now that I've got a cluster up and running with 
> >> hosted engine enabled on several hosts, can I just switch back from 
> >> firewalld to iptables assuming I've got all the correct ports open? 
> >> 
> >> Thank you, 
> >> Jordan Conway 


[ovirt-users] Re: iptables with 4.3+?

2019-07-10 Thread Michael Watters
Same here.  Our engine is configured to use iptables and works fine.  I
really wish RedHat would stop trying to force firewalld on everything. 
It isn't needed and causes issues with environments using the
puppetlabs-firewall module.

On 7/4/19 3:17 PM, Darrell Budic wrote:
> I’m in the same boat, puppet managing iptables rules, and was able to 
> continue forcing it on my 4.3.x ovirt systems. Engine-setup complains all the 
> time, but so far it hasn’t broken anything.
>
>   -Darrell
>
>
>> On Jul 4, 2019, at 9:38 AM, Jordan Conway wrote:
>>
>> Hello,
>> I'm working on migrating an existing ovirt setup to a new hosted-engine 
>> setup and I've been seeing messages about iptables support being deprecated 
>> and slated to be removed.
>> Can I continue using iptables to manage the firewalls on my ovirt hosts if I 
>> don't care about allowing ovirt to configure the firewalls?
>> We manage all of our machines with puppet and iptables is deeply integrated 
>> into this. It would be non-trivial to migrate to firewalld support.
>> As it stands I already manage the firewall rules for our ovirt hosts with 
>> puppet and iptables and have always ignored the "Automatically Configure 
>> Firewall" option when adding new hosts. Will this continue to work?
>>
>> Also with hosted engine, I had to cowboy enable firewalld to get the engine 
>> installed, but now that I've got a cluster up and running with hosted engine 
>> enabled on several hosts, can I just switch back from firewalld to iptables 
>> assuming I've got all the correct ports open?
>>
>> Thank you,
>> Jordan Conway


[ovirt-users] Re: iptables with 4.3+?

2019-07-04 Thread Darrell Budic
I’m in the same boat, puppet managing iptables rules, and was able to continue 
forcing it on my 4.3.x ovirt systems. Engine-setup complains all the time, but 
so far it hasn’t broken anything.

  -Darrell


> On Jul 4, 2019, at 9:38 AM, Jordan Conway wrote:
> 
> Hello,
> I'm working on migrating an existing ovirt setup to a new hosted-engine setup 
> and I've been seeing messages about iptables support being deprecated and 
> slated to be removed.
> Can I continue using iptables to manage the firewalls on my ovirt hosts if I 
> don't care about allowing ovirt to configure the firewalls?
> We manage all of our machines with puppet and iptables is deeply integrated 
> into this. It would be non-trivial to migrate to firewalld support.
> As it stands I already manage the firewall rules for our ovirt hosts with 
> puppet and iptables and have always ignored the "Automatically Configure 
> Firewall" option when adding new hosts. Will this continue to work?
> 
> Also with hosted engine, I had to cowboy enable firewalld to get the engine 
> installed, but now that I've got a cluster up and running with hosted engine 
> enabled on several hosts, can I just switch back from firewalld to iptables 
> assuming I've got all the correct ports open?
> 
> Thank you,
> Jordan Conway