<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 28 October 2014 08:04, Matthew Miller <span dir="ltr"><<a href="mailto:mattdm@fedoraproject.org" target="_blank">mattdm@fedoraproject.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">It's my understanding (Dennis please correct if I'm wrong) that the<br>
problem with cloud image creation was due to libvirt iptables rules<br>
being lost when iptables was restarted. This is a fundamental known<br>
issue (see last paragraph of <<a href="http://libvirt.org/firewall.html" target="_blank">http://libvirt.org/firewall.html</a>>), and<br>
one of the things firewalld was meant to solve.<br>
<br>
Dennis says that there are lot of complicated rules on the builders<br>
making switching to firewalld difficult. One possibility might be to<br>
move those complicated rules from the builders to a network firewall,<br>
and keep the host rules simple and functional. But that's probably a<br>
big undertaking.<br>
<br></blockquote><div><br></div><div>It would be.. It would be creating a new network for these boxes, putting the hardware behind such a firewall, setting up routing for such devices etc etc. [Plus a budget needed for that hardware.]</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
In the meantime, any time iptables is restarted or reloaded, libvirt<br>
needs a SIGHUP. (I suppose this means: ansible playbooks and also added<br>
to any manual procedures.)<br>
<br></blockquote><div>That actually would be 'easier' to set up even if it is a cron job which checks to see if a marker is in iptables and if not sends a sighup to libvirt</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
[cc rel-eng, reply-to infrastructure]<br>
<span class="HOEnZb"><font color="#888888">--<br>
Matthew Miller<br>
<<a href="mailto:mattdm@fedoraproject.org">mattdm@fedoraproject.org</a>><br>
Fedora Project Leader<br>
_______________________________________________<br>
infrastructure mailing list<br>
<a href="mailto:infrastructure@lists.fedoraproject.org">infrastructure@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/infrastructure" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/infrastructure</a></font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Stephen J Smoogen.<br><br></div>
</div></div>