firewall rules on builders (iptables, firewalld, libvirt...)

Paul W. Frields stickster at gmail.com
Tue Oct 28 15:07:31 UTC 2014


On Tue, Oct 28, 2014 at 08:50:29AM -0600, Stephen John Smoogen wrote:
> On 28 October 2014 08:04, Matthew Miller <mattdm at fedoraproject.org> wrote:
> 
> > It's my understanding (Dennis please correct if I'm wrong) that the
> > problem with cloud image creation was due to libvirt iptables rules
> > being lost when iptables was restarted. This is a fundamental known
> > issue (see last paragraph of <http://libvirt.org/firewall.html>), and
> > one of the things firewalld was meant to solve.
> >
> > Dennis says that there are lot of complicated rules on the builders
> > making switching to firewalld difficult. One possibility might be to
> > move those complicated rules from the builders to a network firewall,
> > and keep the host rules simple and functional. But that's probably a
> > big undertaking.
> >
> >
> It would be.. It would be creating a new network for these boxes, putting
> the hardware behind such a firewall, setting up routing for such devices
> etc etc. [Plus a budget needed for that hardware.]
> 
> 
> > In the meantime, any time iptables is restarted or reloaded, libvirt
> > needs a SIGHUP. (I suppose this means: ansible playbooks and also added
> > to any manual procedures.)
> >
> That actually would be 'easier' to set up even if it is a cron job which
> checks to see if a marker is in iptables and if not sends a sighup to
> libvirt

The firewalld rich language is probably also worth looking into -- if
for no other reason than to determine whether it is capable of
handling these use cases.  If not, we should file RFEs upstream
because I'm betting we're not *that* special. :-)

-- 
Paul W. Frields                                http://paul.frields.org/
  gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717
  http://redhat.com/   -  -  -  -   http://pfrields.fedorapeople.org/
    The open source story continues to grow: http://opensource.com
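
The cron-job idea Stephen sketches above (look for a libvirt marker in the
live ruleset, SIGHUP libvirtd if it is gone), written out as a script. This
is an added example for this archive page, not code from the thread or from
the Fedora rel-eng playbooks. It assumes the libvirt NAT bridge is virbr0
(override with BRIDGE=...), that libvirtd re-creates its rules on SIGHUP as
the libvirt firewall page says, and that a FORWARD rule whose outgoing
interface is that bridge is a good enough "marker"; the two iptables-save
dumps inside it are constructed for the example, not captured from a builder.

```shell
#!/bin/sh
# libvirt-fw-check: re-add libvirt's iptables rules after an iptables restart.
#
# Added example, not from the rel-eng thread or Fedora's playbooks.
# Assumptions: the libvirt NAT bridge is virbr0 (override with BRIDGE=...),
# libvirtd re-creates its rules on SIGHUP (per libvirt.org/firewall.html),
# and any FORWARD rule with "-o <bridge>" is the marker that they are loaded.
# Intended to run from cron, e.g.:
#   */5 * * * * root /usr/local/sbin/libvirt-fw-check --run
set -u

BRIDGE="${BRIDGE:-virbr0}"

# libvirt_rules_present RULES BRIDGE
# RULES is iptables-save output as a string.  Returns 0 when a FORWARD rule
# sending traffic out of BRIDGE is present, 1 otherwise.
libvirt_rules_present() {
    printf '%s\n' "$1" | grep -E -q -e "^-A FORWARD .*-o $2( |$)"
}

# needed_action RULES BRIDGE
# Prints "ok" when the marker is present and "sighup" when it is gone.
needed_action() {
    if libvirt_rules_present "$1" "$2"; then
        echo ok
    else
        echo sighup
    fi
}

# Constructed sample: iptables-save output on a NAT host with libvirt's
# rules for virbr0 loaded (made up for this example).
SAMPLE_WITH_LIBVIRT='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Constructed sample: the same host after "service iptables restart" reloaded
# only /etc/sysconfig/iptables, dropping everything libvirt had inserted.
SAMPLE_AFTER_RESTART='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Live mode: inspect the running ruleset and SIGHUP libvirtd if needed.
# Only runs when invoked with --run, so the functions can be exercised
# on the samples above without touching the host.
if [ "${1:-}" = "--run" ]; then
    live="$(iptables-save)" || exit 1
    case "$(needed_action "$live" "$BRIDGE")" in
        ok)     echo "libvirt rules for $BRIDGE present" ;;
        sighup) echo "libvirt rules for $BRIDGE missing; sending SIGHUP to libvirtd"
                # systemd hosts; on sysvinit use: kill -HUP "$(cat /var/run/libvirtd.pid)"
                systemctl kill -s HUP libvirtd.service ;;
    esac
fi
```

Note that the marker only tells you libvirt's rules were flushed, not that
whatever else was in the chain is correct, so the script should run in
addition to, not instead of, adding the SIGHUP to the playbooks and manual
procedures that restart iptables. Hosts moved to firewalld would not need it,
since libvirt registers its rules with firewalld directly.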
