Re: firewall rules on builders (iptables, firewalld, libvirt...)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Oct 28, 2014 at 08:50:29AM -0600, Stephen John Smoogen wrote:
> On 28 October 2014 08:04, Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> wrote:
> 
> > It's my understanding (Dennis please correct if I'm wrong) that the
> > problem with cloud image creation was due to libvirt iptables rules
> > being lost when iptables was restarted. This is a fundamental known
> > issue (see last paragraph of <http://libvirt.org/firewall.html>), and
> > one of the things firewalld was meant to solve.
> >
> > Dennis says that there are lot of complicated rules on the builders
> > making switching to firewalld difficult. One possibility might be to
> > move those complicated rules from the builders to a network firewall,
> > and keep the host rules simple and functional. But that's probably a
> > big undertaking.
> >
> >
> It would be.. It would be creating a new network for these boxes, putting
> the hardware behind such a firewall, setting up routing for such devices
> etc etc. [Plus a budget needed for that hardware.]
> 
> 
> > In the meantime, any time iptables is restarted or reloaded, libvirt
> > needs a SIGHUP. (I suppose this means: ansible playbooks and also added
> > to any manual procedures.)
> >
> > That actually would be 'easier' to set up even if it is a cron job which
> checks to see if a marker is in iptables and if not sends a sighup to
> libvirt

The firewalld rich language is probably also worth looking into -- if
for no other reason than to determine whether it is capable of
handling these use cases.  If not, we should file RFEs upstream
because we I'm betting we're not *that* special. :-)

-- 
Paul W. Frields                                http://paul.frields.org/
  gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717
  http://redhat.com/   -  -  -  -   http://pfrields.fedorapeople.org/
    The open source story continues to grow: http://opensource.com
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure





[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux