Re: firewall rules on builders (iptables, firewalld, libvirt...)

On 28 October 2014 08:04, Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> wrote:
It's my understanding (Dennis please correct if I'm wrong) that the
problem with cloud image creation was due to libvirt iptables rules
being lost when iptables was restarted. This is a fundamental known
issue (see last paragraph of <http://libvirt.org/firewall.html>), and
one of the things firewalld was meant to solve.

Dennis says that there are lot of complicated rules on the builders
making switching to firewalld difficult. One possibility might be to
move those complicated rules from the builders to a network firewall,
and keep the host rules simple and functional. But that's probably a
big undertaking.


It would be... It would be creating a new network for these boxes, putting the hardware behind such a firewall, setting up routing for such devices, etc. etc. [Plus a budget needed for that hardware.]
 
In the meantime, any time iptables is restarted or reloaded, libvirt
needs a SIGHUP. (I suppose this means: ansible playbooks and also added
to any manual procedures.)

That actually would be 'easier' to set up, even if it is a cron job which checks to see if a marker is in iptables and, if not, sends a SIGHUP to libvirt.

 
[cc rel-eng, reply-to infrastructure]
--
Matthew Miller
<mattdm@xxxxxxxxxxxxxxxxx>
Fedora Project Leader
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure



--
Stephen J Smoogen.
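The cron-job idea from the reply above (look for a libvirt marker in the live ruleset, SIGHUP libvirtd when it is gone), written out as an added example. This is not code from the thread or from Fedora infrastructure's playbooks. It assumes the host runs libvirt's default NAT network on virbr0, so a rule containing "-o virbr0" is a usable marker; that libvirtd re-adds its network rules on SIGHUP; and that the script runs as root from cron. The marker string, the LIBVIRT_FW_RUN gate and the sample rulesets are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread or Fedora infra's playbooks): a cron-driven
# watchdog that looks for a libvirt-owned rule in the live iptables ruleset and
# sends libvirtd a SIGHUP when the marker is gone, i.e. after an iptables restart
# has wiped the rules libvirt inserted.
#
# Assumptions (not stated in the thread): libvirt's default NAT network lives on
# virbr0, so a rule mentioning "-o virbr0" is the marker; libvirtd re-installs
# its rules on SIGHUP; the script runs as root, e.g. from /etc/cron.d:
#   */5 * * * * root LIBVIRT_FW_RUN=1 /usr/local/sbin/libvirt-fw-check
# The LIBVIRT_FW_RUN gate keeps the functions loadable for offline testing
# without touching the live ruleset or signalling anything.

MARKER="${LIBVIRT_FW_MARKER:--o virbr0}"
LOGTAG="libvirt-fw-check"

# Constructed sample rulesets (not captured from a real builder), in
# iptables-save format. The first has the FORWARD rules libvirt adds for its
# default network; the second is the same host after "service iptables restart",
# where only the hand-written rule survives.
SAMPLE_WITH_LIBVIRT='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'
SAMPLE_AFTER_RESTART='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# decide_action RULESET: print "ok" when a marker rule is present, "reload"
# when it is missing. A pure function over text so it can be exercised on a
# saved ruleset; it always exits 0 and the word on stdout is the result.
decide_action() {
    if printf '%s\n' "$1" | grep -qF -- "$MARKER"; then
        echo ok
    else
        echo reload
    fi
}

# count_marker RULESET: number of rules carrying the marker, for logging.
count_marker() {
    printf '%s\n' "$1" | grep -cF -- "$MARKER" || true
}

# signal_libvirtd: SIGHUP every libvirtd process; returns 1 if none is running.
signal_libvirtd() {
    pids=$(pidof libvirtd 2>/dev/null) || return 1
    [ -n "$pids" ] || return 1
    # shellcheck disable=SC2086
    kill -HUP $pids
}

main() {
    rules=$(iptables-save 2>/dev/null) || {
        logger -t "$LOGTAG" "iptables-save failed (not root, or iptables missing?)"
        exit 2
    }
    case $(decide_action "$rules") in
        ok) exit 0 ;;
        reload)
            logger -t "$LOGTAG" "marker '$MARKER' missing from ruleset; sending SIGHUP to libvirtd"
            if signal_libvirtd; then
                sleep 2   # give libvirtd a moment to re-add its rules before re-checking
                after=$(iptables-save 2>/dev/null)
                logger -t "$LOGTAG" "after reload: $(count_marker "$after") marker rule(s) present"
            else
                logger -t "$LOGTAG" "libvirtd not running; nothing to signal"
                exit 3
            fi ;;
    esac
}

if [ "${LIBVIRT_FW_RUN:-0}" = 1 ]; then
    main
fi
```

Two things worth keeping in mind with this approach: it is a poll, so between an iptables restart and the next cron tick guests on virbr0 have no forwarding or NAT rules, which is the same window the marker check is meant to shrink, not close; and the marker should be a rule only libvirt writes, otherwise a hand-written rule that happens to match will hide a wiped ruleset.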
