In 4.2 release we have introduced a possibility to customize the host-deploy process by running the Ansible post-tasks after the host-deploy process successfully finishes.

The reason

Prior to oVirt 4.2 release administrators could customize host’s firewall rules using engine-config option IPTablesConfigSiteCustom.
Unfortunately writing custom iptables rules into string value to be used in engine-config was very user unfriendly and using engine-config to provide custom
firewalld rules would be even much worse. Because of above we have introduced Ansible integration as a part of host deploy flow, which allows administrators to
add any custom actions executed on the host during host deploy flow.

Special tasks file

As part of this role we also include additional tasks, which could be written by the user, to modify the host-deploy
process for example to open some more FirewallD ports.

Those additional tasks can be added to following file:


This post-task file is executed as part of host-deploy process just before setup network invocation.


An example post-tasks file is provided by ovirt-engine installation, at following location:


This is just an example file, to add some task into host deploy flow, you need to create below mentioned file and add some proper Ansible custom tasks:

$ touch /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml

Now let’s add some tasks which should be executed on the host.
Note that you can call any Ansible task, not only firewalld task.

$ cat << EOF >> /etc/ovirt-engine/ansible/ovirt-host-deploy-post-tasks.yml
> ---
> - name: Enable custom firewall port
>   firewalld:
>     port: "12345/tcp"
>     permanent: yes
>     immediate: yes
>     state: enabled
> - name: Print debug information
>   debug:
>     msg: "My custom tasks was successfully executed!"

When you add new host or reinstall an existing host, you may see the installation logs in /var/log/ovirt-engine/host-deploy/ directory.
Ansible specific log files has -ansible suffix. In events view you can see relevant log file path for the specific host installation or

Note that host’s firewall type iptables is deprecated in version 4.2 and will be removed in version 4.3