In one of my previous articles I described installing HP System Management Tools on a physical HP ProLiant DL360 G5 server running CentOS Linux 7.2. Later, the very same server was used as a virtualization host and the oVirt Hosted Engine components were deployed on it. Recently the host was put into maintenance mode and all packages were upgraded from the online repository, including the HP tool pack installed on it.

After the installation, I decided to check that the upgraded tools still worked. I also tried to open the HP System Management Homepage web page, but failed, because the host was simply blocking TCP port 2381.

The firewalld service was stopped on the host and iptables was loaded with the set of rules typical for oVirt. Moreover, the rules on all oVirt hosts that I had deployed from the oVirt Engine web console were identical.

To edit the rules, which are shared centrally and pushed to all hosts from the oVirt Engine, we need to use the engine-config tool on the Engine server.

The engine-config tool has a large set of keys that define the oVirt infrastructure configuration. Let's look at the configuration keys associated with the iptables settings:

# engine-config --list | grep -i iptables

IPTablesConfig: "iptables configuration" (Value Type: String)
IPTablesConfigSiteCustom: "iptables site custom configuration, appended to IPTablesConfig" (Value Type: String)

As we can see, there are two keys. The IPTablesConfig key holds all the rules that the Engine server distributes centrally to the hosts, and the IPTablesConfigSiteCustom key can contain additional rules specific to a particular infrastructure.

Let’s take a look at the current host configuration in IPTablesConfig:

# engine-config --get IPTablesConfig

IPTablesConfig:
# oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# vdsm
-A INPUT -p tcp --dport @VDSM_PORT@ -j ACCEPT
# ovirt-imageio-daemon
-A INPUT -p tcp --dport 54322 -j ACCEPT
# rpc.statd
-A INPUT -p tcp --dport 111 -j ACCEPT
-A INPUT -p udp --dport 111 -j ACCEPT
# SSH
-A INPUT -p tcp --dport @SSH_PORT@ -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT
# Cockpit
-A INPUT -p tcp --dport 9090 -j ACCEPT

@CUSTOM_RULES@

# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
version: general

There is a @CUSTOM_RULES@ placeholder in the rules. When the rules are generated on the target host, the content of the IPTablesConfigSiteCustom key replaces @CUSTOM_RULES@.

Thus, to add your own custom rules to the general iptables configuration, use engine-config as follows:

# engine-config --set IPTablesConfigSiteCustom='
-A INPUT -p tcp --dport 2301 -m comment --comment "HPE System Management Homepage" -j ACCEPT
-A INPUT -p tcp --dport 2381 -m comment --comment "HPE System Management Homepage (Secure port)" -j ACCEPT
'

In this command it is important to keep the same order of lines and line breaks as shown in the example.

Let’s check the result to see what happened to IPTablesConfigSiteCustom:

# engine-config --get IPTablesConfigSiteCustom

IPTablesConfigSiteCustom:
-A INPUT -p tcp --dport 2301 -m comment --comment "HPE System Management Homepage" -j ACCEPT
-A INPUT -p tcp --dport 2381 -m comment --comment "HPE System Management Homepage (Secure port)" -j ACCEPT
 version: general

As we can see, each rule is on its own line and is not run together with the service metadata. After editing the configuration, restart the ovirt-engine service and make sure that it starts without errors:

# service ovirt-engine restart

The oVirt Engine configuration is now up to date and our custom iptables rules will be applied to newly added hosts. But what about hosts that are already deployed and running?

As far as I understand, the main recommended way to update the configuration of existing hosts is to perform a Reinstall from the oVirt Engine web console. To do this, put the chosen host into Maintenance mode using the shortcut menu on the toolbar:

Shortcut menu

Once the host is in Maintenance mode, you can Reinstall it:

Reinstall command

In the reinstallation parameters dialog, enable the Automatically configure host firewall option, which lets our custom iptables rules reach the host, and do not forget to select the DEPLOY option on the Hosted Engine tab if needed:

Install Host dialog

In practice the reinstallation is fairly quick, so after a few minutes the host is back in service, now with our new custom iptables rules.

However, if for some reason you cannot or do not want to reinstall the oVirt hosts but still want to add your rules, you can do it manually on each host by adding them to the end of the file /etc/sysconfig/iptables, before the rule that rejects all remaining incoming traffic (-A INPUT -j REJECT…):

# Allow HPE System Management Homepage
-A INPUT -p tcp --dport 2301 -m comment --comment "HPE System Management Homepage" -j ACCEPT
-A INPUT -p tcp --dport 2381 -m comment --comment "HPE System Management Homepage (Secure port)" -j ACCEPT

# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
...

This edit preserves your own rules across host reboots, but it will be reverted by the next Upgrade or Reinstall of the host from the oVirt Engine web console, so editing the centralized configuration with the engine-config tool is necessary in any case.
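As an added example (not part of this article or of oVirt itself), the following Python script mimics the @CUSTOM_RULES@ substitution described above and checks that the custom ACCEPT rules end up ahead of the catch-all REJECT, which is the same ordering the manual edit of /etc/sysconfig/iptables must respect. The template is a shortened copy of the IPTablesConfig shown earlier, and the vdsm (54321) and SSH (22) port values are assumed defaults, not taken from the article.

```python
import re

# Shortened copy of the IPTablesConfig template shown in the article
# (constructed for this example; the real template has more service rules).
TEMPLATE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport @VDSM_PORT@ -j ACCEPT
-A INPUT -p tcp --dport @SSH_PORT@ -j ACCEPT
@CUSTOM_RULES@
# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The IPTablesConfigSiteCustom value set on the Engine in the article.
SITE_CUSTOM = """\
-A INPUT -p tcp --dport 2301 -m comment --comment "HPE System Management Homepage" -j ACCEPT
-A INPUT -p tcp --dport 2381 -m comment --comment "HPE System Management Homepage (Secure port)" -j ACCEPT
"""

def render(template, custom_rules, vdsm_port=54321, ssh_port=22):
    """Fill the placeholders the way the host bootstrap does.
    The vdsm and SSH port values are assumed defaults."""
    return (template.replace("@VDSM_PORT@", str(vdsm_port))
                    .replace("@SSH_PORT@", str(ssh_port))
                    .replace("@CUSTOM_RULES@", custom_rules.rstrip("\n")))

ACCEPT_RULE = re.compile(r"-A INPUT .*-p (tcp|udp) .*--dport (\d+) .*-j ACCEPT$")

def accepted_ports(rules):
    """Split (proto, port) ACCEPT rules in INPUT into those placed before the
    catch-all REJECT (effective) and those after it (dead, e.g. a manual edit
    pasted below the REJECT line, which iptables never reaches)."""
    effective, dead, rejected = set(), set(), False
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-A INPUT -j REJECT"):
            rejected = True
            continue
        m = ACCEPT_RULE.match(line)
        if m:
            (dead if rejected else effective).add((m.group(1), int(m.group(2))))
    return effective, dead
```

Running `accepted_ports(render(TEMPLATE, SITE_CUSTOM))` reports both HPE SMH ports as effective; feeding it the content of a host's /etc/sysconfig/iptables instead shows whether a manual edit landed on the correct side of the REJECT rule.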