cloud and firewalld

Garrett Holmstrom gholms at fedoraproject.org
Thu Dec 13 05:58:04 UTC 2012


On 2012-12-12 7:27, Matthew Miller wrote:
> This may be of interest to people using Fedora as a cloud solution, for
> several reasons.
>
> First, on _host_ systems providing virtualization services, the firewall
> daemon provides an interface for tracking dynamic rules. (Libvirt already
> has code to use it, for example.)
>
> On cloud _guest_ systems, it's probably less desirable: the firewall is
> unlikely to have dynamic changes, and resources will be more constrained.
> Having an extra python-based daemon running all the time with literally
> nothing to do probably isn't what we're looking for, and it also happens
> that the code pulls in a large list of dependencies.

How much memory does firewalld actually use on F18 when it has nothing 
to do?  At what point should we become concerned about how much memory a 
process is using?

> The FirewallD feature page proposes that both options should be available
> for at least the next few Fedora releases (just as we have the legacy
> network scripts). But right now, the appliance building tools and anaconda
> both rely on the new firewalld commands. I suggested putting that back to
> the old way for now, but that's going to take some work and testing.

Does the "no firewall" case still work, at least?  EC2 recommends images 
with *no* default firewall since they use security groups to control 
traffic, and adding a second, guest-level firewall tends to confuse people.

Should the F18 release image explicitly target clouds other than EC2? 
*Can* it?

--
Garrett Holmstrom
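The memory question above ("how much does an idle firewalld use, and when should we care?") is easy to answer on a running F18 guest by reading VmRSS from /proc. The following is an added shell example, not code from the thread or from the firewalld project; it assumes a Linux /proc filesystem and pgrep, and the status text it includes is constructed for offline use so the parsing can be checked without firewalld installed.

```shell
# Added example (not part of the thread): measure the resident memory a
# daemon such as firewalld is holding, via /proc/<pid>/status, and compare
# it with a budget. Assumes Linux /proc and pgrep.

# Print the VmRSS value (kB) from /proc/<pid>/status text read on stdin.
rss_kb_from_status() {
    awk '/^VmRSS:/ { print $2; exit }'
}

# Sum the resident memory (kB) of every process whose name is exactly $1.
# Prints the total; returns 1 when no such process is running.
daemon_rss_kb() {
    name=$1
    total=0
    found=0
    pids=$(pgrep -x "$name" 2>/dev/null) || pids=""
    for pid in $pids; do
        kb=$(rss_kb_from_status < "/proc/$pid/status" 2>/dev/null) || kb=0
        total=$((total + ${kb:-0}))
        found=1
    done
    [ "$found" -eq 1 ] || return 1
    echo "$total"
}

# Succeed (exit 0) when the measured RSS ($1, kB) exceeds the budget ($2, kB).
rss_over_budget() {
    [ "$1" -gt "$2" ]
}

# Constructed sample of /proc/<pid>/status for a firewalld-like process,
# used to exercise the parser when firewalld is not installed.
SAMPLE_STATUS='Name:     firewalld
VmPeak:   400000 kB
VmSize:   380000 kB
VmRSS:     24000 kB
Threads:  2'

# Usage on a live system: report firewalld's RSS against a 32 MB budget
# (the budget is an arbitrary figure for the example, not a recommendation).
if rss=$(daemon_rss_kb firewalld); then
    if rss_over_budget "$rss" 32768; then
        echo "firewalld RSS ${rss} kB exceeds budget"
    else
        echo "firewalld RSS ${rss} kB within budget"
    fi
else
    echo "firewalld is not running"
fi
```

VmRSS counts only pages currently resident, so it is the number to watch on a memory-constrained guest; VmSize includes mapped-but-untouched pages and overstates the real cost of an idle daemon. On an EC2 image built without a guest firewall the script simply reports that firewalld is not running, which doubles as a quick check of the "no firewall" case.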

