On Tue, Oct 28, 2014 at 08:50:29AM -0600, Stephen John Smoogen wrote:
> On 28 October 2014 08:04, Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> wrote:
>
> > It's my understanding (Dennis please correct if I'm wrong) that the
> > problem with cloud image creation was due to libvirt iptables rules
> > being lost when iptables was restarted. This is a fundamental known
> > issue (see last paragraph of <http://libvirt.org/firewall.html>), and
> > one of the things firewalld was meant to solve.
> >
> > Dennis says that there are a lot of complicated rules on the builders
> > making switching to firewalld difficult. One possibility might be to
> > move those complicated rules from the builders to a network firewall,
> > and keep the host rules simple and functional. But that's probably a
> > big undertaking.
> >
>
> It would be.. It would be creating a new network for these boxes, putting
> the hardware behind such a firewall, setting up routing for such devices
> etc etc. [Plus a budget needed for that hardware.]
>
> > In the meantime, any time iptables is restarted or reloaded, libvirt
> > needs a SIGHUP. (I suppose this means: ansible playbooks and also added
> > to any manual procedures.)
> >
>
> That actually would be 'easier' to set up even if it is a cron job which
> checks to see if a marker is in iptables and if not sends a sighup to
> libvirt

The firewalld rich language is probably also worth looking into -- if for
no other reason than to determine whether it is capable of handling these
use cases. If not, we should file RFEs upstream because I'm betting we're
not *that* special. :-)

-- 
Paul W. Frields                                http://paul.frields.org/
  gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717
http://redhat.com/   -  -  -  -   http://pfrields.fedorapeople.org/
    The open source story continues to grow: http://opensource.com
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
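The cron-job workaround Stephen sketches above (look for a libvirt marker in the running iptables ruleset, send libvirtd a SIGHUP only when it is gone) as an added example; this is not code from the thread or from Fedora Infrastructure. It assumes the libvirt default NAT network on bridge `virbr0`, that libvirt's `-A FORWARD ... -i virbr0` rule in `iptables-save` output is a good enough marker, and a libvirtd pid file at `/run/libvirtd.pid`; the `LIBVIRT_FW_CHECK_LIVE` guard and both sample rulesets are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): verify that libvirt's NAT-network
# forwarding rules survived the last iptables restart/reload; if they did
# not, SIGHUP libvirtd so it re-creates them.
#
# Assumptions (not stated in the thread): default libvirt bridge is virbr0,
# libvirtd's pid file is /run/libvirtd.pid, and a "-A FORWARD ... -i virbr0"
# line in `iptables-save` output is the marker we look for.

BRIDGE="${BRIDGE:-virbr0}"
PIDFILE="${PIDFILE:-/run/libvirtd.pid}"

# libvirt_rules_present RULESET_TEXT
# Exit 0 when a FORWARD rule for the bridge is present, 1 otherwise.
# Anchored on "-i <bridge>" followed by a space or end of line so that
# virbr0 does not also match virbr01.
libvirt_rules_present() {
    printf '%s\n' "$1" | grep -qE "^-A FORWARD .*-i ${BRIDGE}( |$)"
}

# Constructed sample rulesets (not captured from the builders): what
# iptables-save shows while libvirt's rules are intact, and after a plain
# "iptables restart" has flushed them.
RULESET_OK='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

RULESET_FLUSHED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# check_and_reload: read the live ruleset and SIGHUP libvirtd only when the
# marker is missing. Prints "ok" or "reloaded" so the cron mail/log records
# what happened; returns 2 if iptables-save itself fails.
check_and_reload() {
    ruleset=$(iptables-save 2>/dev/null) || {
        echo "iptables-save failed" >&2
        return 2
    }
    if libvirt_rules_present "$ruleset"; then
        echo ok
    else
        kill -HUP "$(cat "$PIDFILE")" && echo reloaded
    fi
}

# Touch the live system only when explicitly asked, e.g. from a cron entry:
#   */5 * * * * LIBVIRT_FW_CHECK_LIVE=1 /usr/local/sbin/libvirt-fw-check.sh
if [ "${LIBVIRT_FW_CHECK_LIVE:-0}" = 1 ]; then
    check_and_reload
fi
```

Run as root with `LIBVIRT_FW_CHECK_LIVE=1`; without it the script only defines the functions, so it can be sourced and exercised against the constructed rulesets. The same check belongs as a handler in the Ansible playbooks that restart iptables, so the cron job is a backstop rather than the primary mechanism.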