In one of my previous articles I described installing HP System Management Tools on a physical HP ProLiant DL360 G5 server running CentOS Linux 7.2. After a while, the very same server was used as a virtualization host and the oVirt Hosted Engine components were deployed on it. The host was recently put into maintenance mode and all packages were upgraded from the online repository, including the HP tool pack installed on it.
After the installation I decided to check that the upgraded tools worked. I also tried to open the HP System Management Homepage web page, but didn't succeed, because the host was simply blocking TCP port 2381.
The firewalld service was stopped on the host and iptables was loaded with a set of rules typical for oVirt. Moreover, the rules were the same on all oVirt hosts I had deployed with the oVirt Engine web console.
In order to edit the rules that are distributed centrally to all hosts from the oVirt Engine, we need to use the engine-config tool on the Engine server.
The engine-config tool has a large set of keys that control the oVirt infrastructure configuration. Let's look at the configuration keys associated with the iptables setting:
# engine-config --list | grep -i iptables
IPTablesConfig: "iptables configuration" (Value Type: String)
IPTablesConfigSiteCustom: "iptables site custom configuration, appended to IPTablesConfig" (Value Type: String)
As we can see, there are two keys. The IPTablesConfig key holds all the rules that the Engine server distributes centrally to the hosts, and the IPTablesConfigSiteCustom key can contain additional, site-specific rules that differ from one infrastructure to another.
Let's take a look at the current host configuration in IPTablesConfig:
# engine-config --get IPTablesConfig
IPTablesConfig:
# oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# vdsm
-A INPUT -p tcp --dport @VDSM_PORT@ -j ACCEPT
# ovirt-imageio-daemon
-A INPUT -p tcp --dport 54322 -j ACCEPT
# rpc.statd
-A INPUT -p tcp --dport 111 -j ACCEPT
-A INPUT -p udp --dport 111 -j ACCEPT
# SSH
-A INPUT -p tcp --dport @SSH_PORT@ -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
# Cockpit
-A INPUT -p tcp --dport 9090 -j ACCEPT
@CUSTOM_RULES@
# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
version: general
There is a placeholder @CUSTOM_RULES@ in the rules. When the rules are generated on the destination host, the content of the IPTablesConfigSiteCustom key replaces @CUSTOM_RULES@.
Thus, in order to add your own custom rules to the general iptables configuration, use engine-config as follows:
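To make the substitution step concrete, here is an added Python example (my own, not oVirt's or VDSM's code) that renders the IPTablesConfig template with the three placeholders replaced and then walks the INPUT chain in order to report whether a new inbound connection to a given port would be accepted or would hit the final REJECT rule. The template is an abbreviated copy of the one shown above, the vdsm port 54321 and SSH port 22 are assumed values, and the first-match walk is a simplified model of iptables traversal for new connections only.

```python
import re

# Abbreviated copy of the IPTablesConfig template shown above (constructed
# for this example: same placeholders, fewer rules).
TEMPLATE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# vdsm
-A INPUT -p tcp --dport @VDSM_PORT@ -j ACCEPT
# SSH
-A INPUT -p tcp --dport @SSH_PORT@ -j ACCEPT
@CUSTOM_RULES@
# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Value of IPTablesConfigSiteCustom as set in the article.
SITE_CUSTOM = """
-A INPUT -p tcp --dport 2301 -m comment --comment "HPE System Management Homepage" -j ACCEPT
-A INPUT -p tcp --dport 2381 -m comment --comment "HPE System Management Homepage (Secure port)" -j ACCEPT
"""

PLACEHOLDER = re.compile(r"@[A-Z_]+@")
PORT_RULE = re.compile(r"-p (\w+) --dport (\d+)")


def render(template, custom_rules, vdsm_port=54321, ssh_port=22):
    """Replace the placeholders; the two port numbers are assumed defaults."""
    return (template
            .replace("@VDSM_PORT@", str(vdsm_port))
            .replace("@SSH_PORT@", str(ssh_port))
            .replace("@CUSTOM_RULES@", custom_rules.strip()))


def unresolved_placeholders(rendered):
    """Any @NAME@ left over would make iptables-restore fail on the host."""
    return PLACEHOLDER.findall(rendered)


def input_verdict(rendered, proto, port):
    """First-match walk of the INPUT chain for a NEW inbound connection.

    Rules without --dport (state, icmp, lo) are skipped because they do not
    apply to a new remote connection on a port; this is a simplified model.
    """
    for raw in rendered.splitlines():
        line = raw.strip()
        if not line.startswith("-A INPUT"):
            continue
        m = PORT_RULE.search(line)
        if m:
            if m.group(1) == proto and int(m.group(2)) == port and "-j ACCEPT" in line:
                return "ACCEPT"
            continue
        if "-j REJECT" in line:
            return "REJECT"
    return "ACCEPT"  # fell through to the chain policy (:INPUT ACCEPT)


def custom_rules_precede_reject(rendered):
    """The placeholder sits above the REJECT rule, so the site rules must too."""
    lines = [l.strip() for l in rendered.splitlines()]
    reject = next(i for i, l in enumerate(lines) if l.startswith("-A INPUT -j REJECT"))
    hpe = [i for i, l in enumerate(lines) if "HPE System Management" in l]
    return bool(hpe) and max(hpe) < reject


if __name__ == "__main__":
    out = render(TEMPLATE, SITE_CUSTOM)
    print(out)
    print("unresolved placeholders:", unresolved_placeholders(out))
    for port in (22, 2301, 2381, 443):
        print(port, input_verdict(out, "tcp", port))
```

The ordering check is the point of the exercise: a rule appended after the REJECT line is never reached, which is exactly why the placeholder, and the manual edit later in the article, sit above it.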
# engine-config --set IPTablesConfigSiteCustom='
-A INPUT -p tcp --dport 2301 -m comment --comment "HPE System Management Homepage" -j ACCEPT
-A INPUT -p tcp --dport 2381 -m comment --comment "HPE System Management Homepage (Secure port)" -j ACCEPT
'
In this command it is important to keep the same order of lines and the same line breaks as shown in the example.
Let's check the result and see what happened to IPTablesConfigSiteCustom:
# engine-config --get IPTablesConfigSiteCustom
IPTablesConfigSiteCustom:
-A INPUT -p tcp --dport 2301 -m comment --comment "HPE System Management Homepage" -j ACCEPT
-A INPUT -p tcp --dport 2381 -m comment --comment "HPE System Management Homepage (Secure port)" -j ACCEPT
version: general
As we can see, every rule is on its own line and nothing else is mixed into the value. After editing the configuration, restart the ovirt-engine service and make sure that no errors occur while it starts:
# service ovirt-engine restart
The oVirt Engine configuration is now up to date and our custom iptables rules will be added to new hosts. But what about hosts that are already deployed and running?
As far as I understood, the main suggested method of updating the configuration of existing hosts is to Reinstall them from the oVirt Engine web console. To do this, put the chosen host into Maintenance mode from the shortcut menu on the toolbar:
When the host is in Maintenance mode, you can Reinstall it:
Meanwhile, in the reinstallation parameters dialog, turn on the Automatically configure host firewall option, which lets our custom iptables rules reach the host, and don't forget to turn on the DEPLOY option on the Hosted Engine tab if needed:
As practice shows, this reinstallation is fast enough; after a few minutes the host is back in service, now with our new custom iptables rules.
However, if for some reason you don't have the opportunity or the desire to reinstall the oVirt hosts but still want to add your rules, you can do it manually on each host by adding them to the file /etc/sysconfig/iptables
before the line with the rule that rejects all other incoming connections (-A INPUT -j REJECT …):
# Allow HPE System Management Homepage
-A INPUT -p tcp --dport 2301 -m comment --comment "HPE System Management Homepage" -j ACCEPT
-A INPUT -p tcp --dport 2381 -m comment --comment "HPE System Management Homepage (Secure port)" -j ACCEPT
# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
...
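For the manual route, here is an added Python example (my own, not part of the article or of oVirt) that inserts the HPE rules into the text of /etc/sysconfig/iptables immediately before the first -A INPUT -j REJECT line, skips any rule that is already present so it can be rerun safely, and refuses to touch a file that has no REJECT line rather than appending rules where they would never be reached. The sample file content is constructed from the article's rules, and patch_file writes a .bak copy before changing anything.

```python
import shutil

REJECT_PREFIX = "-A INPUT -j REJECT"

# Constructed sample of a host's /etc/sysconfig/iptables as generated by
# oVirt (shortened from the article's IPTablesConfig); not taken from a real host.
SAMPLE_HOST_FILE = """# oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The rules from the article, comment line included.
HPE_RULES = [
    "# Allow HPE System Management Homepage",
    '-A INPUT -p tcp --dport 2301 -m comment --comment "HPE System Management Homepage" -j ACCEPT',
    '-A INPUT -p tcp --dport 2381 -m comment --comment "HPE System Management Homepage (Secure port)" -j ACCEPT',
]


def insert_before_reject(text, rules):
    """Return the file text with the missing rules placed just above the INPUT REJECT rule."""
    lines = text.splitlines()
    reject_idx = next((i for i, line in enumerate(lines)
                       if line.strip().startswith(REJECT_PREFIX)), None)
    if reject_idx is None:
        # Appending after COMMIT or at the end would be silently ignored or
        # never reached, so fail loudly instead of guessing.
        raise ValueError("no '-A INPUT -j REJECT' line found; refusing to guess where rules go")
    present = {line.strip() for line in lines}
    missing = [rule for rule in rules if rule.strip() not in present]
    lines[reject_idx:reject_idx] = missing
    return "\n".join(lines) + "\n"


def patch_file(path, rules=HPE_RULES):
    """Patch the file in place after taking a .bak copy; True if it changed."""
    shutil.copy2(path, path + ".bak")
    with open(path) as fh:
        original = fh.read()
    updated = insert_before_reject(original, rules)
    if updated != original:
        with open(path, "w") as fh:
            fh.write(updated)
    return updated != original


if __name__ == "__main__":
    print(insert_before_reject(SAMPLE_HOST_FILE, HPE_RULES))
```

After running patch_file("/etc/sysconfig/iptables") on a host, load the result with the iptables service as usual; checking the file first with iptables-restore in test mode (the --test option) catches a syntax slip before it replaces the live ruleset.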
This edit keeps your own rules across host reboots, but they will revert to the previous configuration after another Upgrade or Reinstall of the host from the oVirt Engine web console, so editing the centralized configuration with the engine-config tool is necessary anyway.