On Thu, Nov 24, 2016 at 1:10 PM, <aleksey.maksi...@it-kb.ru> wrote:
> Thank you Didi.
>
> The proposed method works.
> I described my experience here:
> https://blog.it-kb.ru/2016/11/24/extension-of-iptables-add-custom-rules-on-the-ovirt-4-0-hosts/

Thanks for this post, and the report! (although I can't read Russian).

Best,

>
> 23.11.2016, 16:12, "Yedidyah Bar David" <d...@redhat.com>:
>> On Wed, Nov 23, 2016 at 1:54 PM, <aleksey.maksi...@it-kb.ru> wrote:
>>> "As I wrote there, you can also do this manually"
>>>
>>> How?
>>
>> I am not sure I understand the question.
>>
>> The same way you configure iptables on non-oVirt-hosts machines.
>>
>> If you mean "How to imitate the way the engine does this during
>> host deploy", then I don't know - you can check engine sources
>> for that. I am guessing that you can get the values of IPTablesConfig
>> and IPTablesConfigSiteCustom with engine-config, replace inside the
>> latter "@CUSTOM_RULES@" with the contents of the former, then copy
>> the result to the host and load it with iptables-restore (and/or
>> copy to /etc/sysconfig/iptables and restart iptables service).
>>
>>> 23.11.2016, 14:23, "Yedidyah Bar David" <d...@redhat.com>:
>>>> On Wed, Nov 23, 2016 at 12:51 PM, <aleksey.maksi...@it-kb.ru> wrote:
>>>>> Hi Didi!
>>>>>
>>>>> https://www.mail-archive.com/users@ovirt.org/msg37193.html
>>>>>
>>>>> "Move to maintenance and reinstall" to add the iptables rules ?
>>>>>
>>>>> Are you serious?
>>>>>
>>>>> There is no other way (without reinstalling the hosts) ?
>>>>
>>>> AFAIK, using ovirt-host-deploy, no.
>>>>
>>>> I am not aware of an engine API or vdsm verb to do this, but these are
>>>> not my main area of expertise.
>>>>
>>>> As I wrote there, you can also do this manually.
>>>>
>>>> The oVirt engine is not a replacement for configuration management
>>>> systems. If you have complex needs, might as well uncheck this
>>>> checkbox and use other means.
>>>>
>>>> Best,
>>>>
>>>>> 23.11.2016, 13:07, "Yedidyah Bar David" <d...@redhat.com>:
>>>>>> On Wed, Nov 23, 2016 at 12:02 PM, <aleksey.maksi...@it-kb.ru> wrote:
>>>>>>> Hmm. I just rebooted the host, but the iptables rules have not been
>>>>>>> updated :(
>>>>>>>
>>>>>>> On Engine server my custom iptables rules are visible:
>>>>>>>
>>>>>>> # engine-config --get IPTablesConfigSiteCustom
>>>>>>>
>>>>>>> IPTablesConfigSiteCustom:
>>>>>>> -A INPUT -p tcp --dport 2301 -j ACCEPT -m comment --comment 'HPE
>>>>>>> System Management Homepage'
>>>>>>> -A INPUT -p tcp --dport 2381 -j ACCEPT -m comment --comment 'HPE
>>>>>>> System Management Homepage (Secure port)'
>>>>>>> version: general
>>>>>>>
>>>>>>> How to update the configuration on the hosts ?
>>>>>>>
>>>>>>> 23.11.2016, 11:30, "aleksey.maksi...@it-kb.ru"
>>>>>>> <aleksey.maksi...@it-kb.ru>:
>>>>>>>> Hello oVirt guru`s !
>>>>>>>>
>>>>>>>> oVirt Engine Version: 4.0.5.5-1.el7.centos
>>>>>>>>
>>>>>>>> I updated the configuration of the firewall on the Engine server
>>>>>>>> with "engine-config --set IPTablesConfigSiteCustom...".
>>>>>>>> How to notify cluster nodes (all virtualization hosts) about the
>>>>>>>> changes without reboot?
>>>>>>
>>>>>> Please check the other thread here "[ovirt-users] Hook to add firewall
>>>>>> rules". Thanks.
>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Users mailing list
>>>>>>> Users@ovirt.org
>>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>
>>>>>> --
>>>>>> Didi
>>>>
>>>> --
>>>> Didi
>>
>> --
>> Didi

--
Didi
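
The manual merge guessed at in the quoted 16:12 reply, as an added example that is not part of the thread and not oVirt code. The function names and sample values are hypothetical. It assumes `engine-config --get` prints the "KEY: ... version: general" layout pasted in the thread, and it does not assume which of the two values carries `@CUSTOM_RULES@`: whichever one does is used as the template.

```sh
# Added example (not oVirt code): build an iptables-restore file from the two
# engine-config values named in the thread. Sample data below is constructed.
PLACEHOLDER='@CUSTOM_RULES@'

# extract_value KEY: read `engine-config --get KEY` output on stdin and print
# only the value. Assumes the "KEY: ... version: general" layout from the thread.
extract_value() {
    awk -v key="$1" '
        { buf = buf (NR > 1 ? "\n" : "") $0 }
        END {
            sub("^[ \n]*" key ":[ \n]*", "", buf)
            sub("[ \n]*version: [^\n]*[ \n]*$", "", buf)
            print buf
        }'
}

# render TEMPLATE CUSTOM: print TEMPLATE with the placeholder replaced literally
# by CUSTOM (index/substr, no regex, so "&" and "\" in rule comments survive).
render() {
    printf '%s\n' "$1" | CUSTOM_RULES="$2" awk -v ph="$PLACEHOLDER" '
        { i = index($0, ph)
          if (i) $0 = substr($0, 1, i - 1) ENVIRON["CUSTOM_RULES"] substr($0, i + length(ph))
          print }'
}

# merge_values A B: use whichever value contains the placeholder as the
# template; refuse to emit a ruleset if neither or both contain it.
merge_values() {
    case $1 in *"$PLACEHOLDER"*) a=1 ;; *) a=0 ;; esac
    case $2 in *"$PLACEHOLDER"*) b=1 ;; *) b=0 ;; esac
    if [ "$a$b" = 10 ]; then render "$1" "$2"
    elif [ "$a$b" = 01 ]; then render "$2" "$1"
    else echo "expected $PLACEHOLDER in exactly one value" >&2; return 1
    fi
}

# Constructed sample values; real ones come from engine-config on the engine.
SAMPLE_CONFIG='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
@CUSTOM_RULES@
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'
SAMPLE_CUSTOM_OUTPUT="IPTablesConfigSiteCustom:
-A INPUT -p tcp --dport 2301 -j ACCEPT -m comment --comment 'HPE System Management Homepage'
version: general"

custom=$(printf '%s\n' "$SAMPLE_CUSTOM_OUTPUT" | extract_value IPTablesConfigSiteCustom)
merge_values "$SAMPLE_CONFIG" "$custom"
```

On the host, running the merged file through `iptables-restore --test` before loading it catches a malformed ruleset without touching the live rules.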