<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 6, 2017 at 4:03 PM, Leon Goldberg <span dir="ltr"><<a href="mailto:lgoldber@redhat.com" target="_blank">lgoldber@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>p.s., we've begun implementing option #2 using the following design and approach:<br></div></div></blockquote><div><br></div><div>I'm missing the design @ <a href="https://github.com/oVirt/ovirt-site/pulls">https://github.com/oVirt/ovirt-site/pulls</a> ...</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div>Beginning with a configurable threshold for cluster compatibility levels (defaulted to 4.2), instead of using/deploying iptables' deploy unit, we set a firewalld boolean in vdsm.conf's deploy unit (similarly to iptables; only in case firewall override is set).<br></div></div></blockquote><div><br></div><div>This is exactly what I preferred we want to - continue to extend VDSM to perform deployment, service management and configuration...</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div>Using a new dedicated vdsm configurator for firewalld, the required services are added to the active zone(s) (currently being just the public one) and become operational. This only takes place if firewalld's boolean is set to true in vdsm.conf. We determine what non-baseline services should be added based on what is installed on the host (e.g. gluster packages).<br><br></div><div>This approach guarantees that neither upgrading
Engine or a host separately will cause unwarranted firewall
related modifications (more specifically, custom
rules/iptables' service remain intact). Explicitly
installing/re-installing hosts in compatible clusters via an upgraded
Engine is the only way to override custom rules/enabling firewalld's
service over iptables' service (barring manual alterations to
vdsm.conf...). We're also going to warn users during engine-setup and add alerts during host (re)installations.<br></div></div></blockquote><div><br></div><div>I would not pursue this direction until we are convinced using Ansible is not a better, easier, more user-friendly approach.</div><div>Ansible can do all the checks and understand if need to keep iptables or switch to firewalld.</div><div>Y.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div></div></div><div class="gmail-HOEnZb"><div class="gmail-h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 6, 2017 at 2:56 PM, Leon Goldberg <span dir="ltr"><<a href="mailto:lgoldber@redhat.com" target="_blank">lgoldber@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hey,<br><br>There seems to be a growing consensus towards moving custom rules out of Engine. It is believed that Engine shouldn't have assumed the role of a centralized firewall management system in he first place, and that using a proper 3rd party solution will be both favorable to the users (allowing better functionality and usability) and will allow us to simplify our firewall deployment process.<br><br>Considering we don't have to manage custom rules, a host will be able to derive all the information regarding its firewalld services from its own configuration. Consequently, option #2 becomes a forerunner with Engine's involvement being even further diminished.<br></div><div><div><br><br></div></div></div><div class="gmail-m_8008245906091572924HOEnZb"><div class="gmail-m_8008245906091572924h5"><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Mar 26, 2017 at 1:33 PM, Leon Goldberg <span dir="ltr"><<a href="mailto:lgoldber@redhat.com" target="_blank">lgoldber@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br>Hey,<br><br>We're looking to migrate from iptables to firewalld. We came up with a couple of possible approaches we'd like opinions on. I'll list the options first, and will <br><br>1) Replicate existing flow:<br><br>As of date, iptable rules are inserted in the database via SQL config files. During host deployment, VdsDeployIptablesUnit adds the required rules (based on cluster/firewall configuration) to the deployment configuration, en route to being deployed on the host via otopi and its iptables plugin.<br><br>Pros:<br><br>- Reuse of existing infrastructure.<br><br>Cons:<br><br>- Current infrastructure is overly complex...<br>- Many of the required services are provided by firewalld. Rewriting them is wasteful; specifying them (instead of providing actual service .xml content) will require adaptations on both (engine/host) sides. More on that later.<br><br><br>2) Host side based configuration:<br><br>Essentially, all the required logic (aforementioned cluster/firewall configuration) to determine if/how firewalld should be deployed could be passed on to the host via ohd. Vdsm could take on the responsibility of examining the relevant configuration, and then creating and/or adding the required services (using vdsm.conf and vdsm-tool).<br><br>Pros:<br><br> - Engine side involvement is greatly diminished.<br> - Simple(r).<br><br>Cons:<br><br> - Custom services/rules capabilities will have to be rethought and re-implemented (current infrastructure supports custom iptables rules by being specified in the SQL config file).<br><br><br>3) Some other hybrid approach:<br><br>If we're able to guarantee all the required firewalld services are statically provided one way or the other, the current procedure could be replicated and be made more simpler. Instead of providing xml content in the form of strings, service names could be supplied. The responsibility of actual service deployment becomes easier, and could be left to otopi (with the appropriate modifications) or switched over to vdsm.<br><br>--<br></div><div><br></div><div>Regardless, usage of statically provided vs. dynamically created services remains an open question. I think we'd like to avoid implementing logic that ask whether some service is provided (and then write it if it isn't...), and so choosing between the dynamic and static approaches is also needed. Using the static approach, guaranteeing <i>all</i> services are provided will be required.<br><br></div><div>I do believe guaranteeing the presence of all required services is worth it, however custom services aren't going to be naively compatible, and we'll still have to use similar mechanism as described in #1 (service string -> .xml -> addition of service name to active zone).<br><br></div><div><br></div><div>Your thoughts are welcome.<br><br></div><div>Thanks,<br></div><div>Leon<br><br></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div><br>______________________________<wbr>_________________<br>
Devel mailing list<br>
<a href="mailto:Devel@ovirt.org">Devel@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/devel" rel="noreferrer" target="_blank">http://lists.ovirt.org/<wbr>mailman/listinfo/devel</a><br></blockquote></div><br></div></div>