firewall rules on builders (iptables, firewalld, libvirt...)

Stephen John Smoogen smooge at gmail.com
Tue Oct 28 14:50:29 UTC 2014


On 28 October 2014 08:04, Matthew Miller <mattdm at fedoraproject.org> wrote:

> It's my understanding (Dennis please correct if I'm wrong) that the
> problem with cloud image creation was due to libvirt iptables rules
> being lost when iptables was restarted. This is a fundamental known
> issue (see last paragraph of <http://libvirt.org/firewall.html>), and
> one of the things firewalld was meant to solve.
>
> Dennis says that there are lot of complicated rules on the builders
> making switching to firewalld difficult. One possibility might be to
> move those complicated rules from the builders to a network firewall,
> and keep the host rules simple and functional. But that's probably a
> big undertaking.
>
>
It would be. It would be creating a new network for these boxes, putting
the hardware behind such a firewall, setting up routing for such devices,
etc. etc. [Plus a budget needed for that hardware.]


> In the meantime, any time iptables is restarted or reloaded, libvirt
> needs a SIGHUP. (I suppose this means: ansible playbooks and also added
> to any manual procedures.)
>
That actually would be 'easier' to set up even if it is a cron job which
checks to see if a marker is in iptables and if not sends a SIGHUP to
libvirt.



> [cc rel-eng, reply-to infrastructure]
> --
> Matthew Miller
> <mattdm at fedoraproject.org>
> Fedora Project Leader
> _______________________________________________
> infrastructure mailing list
> infrastructure at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/infrastructure




-- 
Stephen J Smoogen.
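A concrete form of the cron check sketched above, added here as an example and not taken from the thread or from Fedora's infrastructure playbooks. It assumes the marker is the bridge name "virbr0" that libvirt's default NAT network puts into every rule it adds (override LIBVIRT_MARKER otherwise), and that pidof, iptables-save and logger are available on the builder.

```shell
#!/bin/sh
# Added example: cron-able check that looks for libvirt's rules in the live
# iptables ruleset and, if they vanished (e.g. after an iptables restart),
# sends libvirtd a SIGHUP so it re-inserts them. Marker name is an assumption.
set -u

# Assumption: libvirt's default network bridge "virbr0" appears in each rule
# libvirt adds; set LIBVIRT_MARKER if the builders use a different network.
LIBVIRT_MARKER="${LIBVIRT_MARKER:-virbr0}"

# libvirt_rules_present FILE: 0 if a rule mentioning the marker is in the dump
libvirt_rules_present() {
    grep -q -- "$LIBVIRT_MARKER" "$1"
}

# choose_action FILE: prints "ok" if the rules survived, "sighup" otherwise
choose_action() {
    if libvirt_rules_present "$1"; then echo ok; else echo sighup; fi
}

# send_hup: signal every running libvirtd; returns 1 if none is running
send_hup() {
    pids=$(pidof libvirtd) || return 1
    kill -HUP $pids
}

# check_live: the cron entry point; needs root for iptables-save
check_live() {
    tmp=$(mktemp) || return 1
    iptables-save > "$tmp" || { rm -f "$tmp"; return 1; }
    action=$(choose_action "$tmp")
    rm -f "$tmp"
    if [ "$action" = sighup ]; then
        logger -t libvirt-fw-check "libvirt rules missing, sending SIGHUP to libvirtd"
        send_hup
    fi
}

# dry_run: constructed sample rulesets, so the logic can be exercised without root
dry_run() {
    f=$(mktemp) || return 1
    printf '%s\n' '*filter' \
        '-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        'COMMIT' > "$f"
    echo "with libvirt rules: $(choose_action "$f")"
    printf '%s\n' '*filter' '-A INPUT -p tcp --dport 22 -j ACCEPT' 'COMMIT' > "$f"
    echo "after iptables restart: $(choose_action "$f")"
    rm -f "$f"
}

if [ "${1:-}" = "--check" ]; then check_live; else dry_run; fi
```

Run it with --check from cron (as root) to act on the live ruleset; without arguments it only prints the two dry-run verdicts.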