[Engine-devel] Gluster IPTable configuration

Alon Bar-Lev alonbl at redhat.com
Mon Sep 3 12:52:37 UTC 2012



----- Original Message -----
> From: "Shireesh Anjal" <sanjal at redhat.com>
> To: engine-devel at ovirt.org
> Cc: "Alon Bar-Lev" <alonbl at redhat.com>, "Selvasundaram" <sesubram at redhat.com>
> Sent: Monday, September 3, 2012 3:42:17 PM
> Subject: Re: [Engine-devel] Gluster IPTable configuration
> 
> On Friday 31 August 2012 12:05 AM, Alon Bar-Lev wrote:
> >
> > ----- Original Message -----
> >> From: "Selvasundaram" <sesubram at redhat.com>
> >> To: engine-devel at ovirt.org
> >> Cc: "Shireesh Anjal" <sanjal at redhat.com>
> >> Sent: Thursday, August 30, 2012 4:30:16 PM
> >> Subject: [Engine-devel] Gluster IPTable configuration
> >>
> >>
> >> Hi,
> >>
> >> I want to add gluster specific IPTable configuration in addition
> >> to
> >> the ovirt IPTable configuration (if it is gluster node).
> >>
> >> There are two approaches,
> >> 1. Having one more gluster specific IP table config in db and
> >> merge
> >> with ovirt IPTable config (merging NOT appending)
> >> [I have the patch engine: Gluster specific firewall configurations
> >> #7244]
> >> 2. Having two different IP Table config (ovirt and ovirt+gluster)
> >> and
> >> use either one.
> >>
> >> Please provide your suggestions or improvements on this.
> >>
> > Hello all,
> >
> > The mentioned patch[1], adds hard coded gluster code into the
> > bootstrap code, manipulate the firewall configuration to be
> > gluster specific. It hardcoded search for "reject", insert before
> > some other rules.
> >
> > I believe this hardcode approach is obsolete now that we have
> > proper tools for templates.
> >
> > A more robust solution would be defining generic profiles, each
> > profile as a template, each template can refer to different
> > profiles, and assign profile to a node.
> >
> > This way the implementation is not gluster [or any] specific and
> > can be reused for more setups, code is cleaner.
> >
> > Example:
> >
> > BASIC.PRE
> >      :INPUT ACCEPT [0:0]
> >      :FORWARD ACCEPT [0:0]
> >      :OUTPUT ACCEPT [0:0]
> > BASIC.IN
> >      accept ...
> >      accept ...
> > BASIC.POST
> >      reject ...
> >      reject ...
> >
> > BASIC
> >      ${BASIC.PRE}
> >      ${BASIC.IN}
> >      ${BASIC.POST}
> >
> > GLUSTER
> >      ${BASIC.PRE}
> >      ${BASIC.IN}
> >      accept ...
> >      ${BASIC.POST}
> >      reject ...
> 
> I like the separation of PRE/IN/POST rules here. However I think it
> is
> better to keep the service specific rules in separate configurations.
> Currently, whole iptables rules script is kept in the vdc option
> "IPTablesConfig". How about changing this as follows?
> 
> - Split the current config into three: IPTablesConfig.PRE,
> IPTablesConfig.VIRT and IPTablesConfig.POST
> - Let services like Gluster add their own vdc options e.g.
> IPTablesConfig.GLUSTER
> - When assembling the full script in VdsInstaller,
>    - Take IPTablesConfig.PRE
>    - Append it with IPTablesConfig.<service> for every service to be
> enabled on the host/cluster
>    - Append it with IPTablesConfig.POST
> 
> Thoughts?

This is a simple approach that will work for current implementation and configuration.

However, it will effect all nodes, with or without gluster.

I think that while we at it we should consider how to effect only appropriate subset of nodes.

Alon.



More information about the Devel mailing list