On Tue, Oct 28, 2014 at 08:50:29AM -0600, Stephen John Smoogen wrote:
On 28 October 2014 08:04, Matthew Miller
<mattdm(a)fedoraproject.org> wrote:
> It's my understanding (Dennis please correct if I'm wrong) that the
> problem with cloud image creation was due to libvirt iptables rules
> being lost when iptables was restarted. This is a fundamental known
> issue (see last paragraph of <http://libvirt.org/firewall.html>), and
> one of the things firewalld was meant to solve.
>
> Dennis says that there are lot of complicated rules on the builders
> making switching to firewalld difficult. One possibility might be to
> move those complicated rules from the builders to a network firewall,
> and keep the host rules simple and functional. But that's probably a
> big undertaking.
>
>
It would be.. It would be creating a new network for these boxes, putting
the hardware behind such a firewall, setting up routing for such devices
etc etc. [Plus a budget needed for that hardware.]
> In the meantime, any time iptables is restarted or reloaded, libvirt
> needs a SIGHUP. (I suppose this means: ansible playbooks and also added
> to any manual procedures.)
>
That actually would be 'easier' to set up even if it is a cron job which
checks to see if a marker is in iptables and if not sends a sighup to
libvirt
The firewalld rich language is probably also worth looking into -- if
for no other reason than to determine whether it is capable of
handling these use cases. If not, we should file RFEs upstream
because I'm betting we're not *that* special. :-)
--
Paul W. Frields
http://paul.frields.org/
gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717
http://redhat.com/ - - - -
http://pfrields.fedorapeople.org/
The open source story continues to grow:
http://opensource.com
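The cron-job idea in the thread (look for a marker showing libvirt's rules are loaded, SIGHUP libvirtd if it is gone), written out as an added example. This is not a script from the thread or from Fedora infrastructure; it assumes that the marker is any FORWARD rule naming libvirt's default bridge (virbr0) and that libvirtd's PID file is /var/run/libvirtd.pid, both of which are my assumptions, and the two iptables rulesets below are constructed samples, not captured from a builder.

```shell
#!/bin/sh
# Added example for this thread, not Fedora infrastructure code.
# Checks for a marker that libvirt's network rules are loaded and, when the
# marker is missing (e.g. right after an iptables restart), sends SIGHUP to
# libvirtd so it re-creates them.
# Assumptions (mine, not the thread's): the marker is a FORWARD rule that
# names libvirt's default bridge; bridge name and PID file path are guesses.

LIBVIRT_BRIDGE="${LIBVIRT_BRIDGE:-virbr0}"
LIBVIRTD_PIDFILE="${LIBVIRTD_PIDFILE:-/var/run/libvirtd.pid}"

# Constructed sample of `iptables -S FORWARD` output with libvirt's rules for
# its default NAT network present.
SAMPLE_WITH_LIBVIRT='-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample after an iptables restart: only the static rules from
# the saved ruleset survive and libvirt's rules are gone.
SAMPLE_AFTER_RESTART='-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# libvirt_rules_present RULESET
# Exit 0 when RULESET (text of `iptables -S FORWARD`) contains at least one
# rule whose -i or -o interface is the libvirt bridge, exit 1 otherwise.
libvirt_rules_present() {
    printf '%s\n' "$1" | grep -q -E -e "-(i|o) $LIBVIRT_BRIDGE( |$)"
}

# libvirt_rule_count RULESET
# Prints how many rules in RULESET refer to the libvirt bridge (0 if none).
libvirt_rule_count() {
    printf '%s\n' "$1" | grep -c -E -e "-(i|o) $LIBVIRT_BRIDGE( |$)" || true
}

# reload_libvirt_rules
# The action the thread describes: SIGHUP libvirtd so it reinstalls its rules.
reload_libvirt_rules() {
    if [ ! -r "$LIBVIRTD_PIDFILE" ]; then
        echo "libvirtd pid file $LIBVIRTD_PIDFILE not readable" >&2
        return 1
    fi
    kill -HUP "$(cat "$LIBVIRTD_PIDFILE")"
}

# check_and_reload
# Cron glue: read the live FORWARD chain, and only signal libvirtd when the
# marker is missing, so a healthy host is never touched.
check_and_reload() {
    ruleset=$(iptables -S FORWARD) || return 1
    if libvirt_rules_present "$ruleset"; then
        return 0
    fi
    logger -t libvirt-fw-check \
        "no FORWARD rule for $LIBVIRT_BRIDGE; sending SIGHUP to libvirtd"
    reload_libvirt_rules
}

# The live check runs only when invoked with --run (as a cron entry would);
# running or sourcing the file bare just defines the functions and samples.
if [ "${1:-}" = "--run" ]; then
    check_and_reload
fi
```

Between cron runs the host forwards nothing for the guests, so this narrows the window the thread describes rather than closing it; adding the same check to the playbook step that restarts iptables (as Matthew suggests) is what removes it.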