[Engine-devel] Gluster IPTable configuration
Alon Bar-Lev
alonbl at redhat.com
Thu Aug 30 18:35:16 UTC 2012
----- Original Message -----
> From: "Selvasundaram" <sesubram at redhat.com>
> To: engine-devel at ovirt.org
> Cc: "Shireesh Anjal" <sanjal at redhat.com>
> Sent: Thursday, August 30, 2012 4:30:16 PM
> Subject: [Engine-devel] Gluster IPTable configuration
>
>
> Hi,
>
> I want to add gluster specific IPTable configuration in addition to
> the ovirt IPTable configuration (if it is gluster node).
>
> There are two approaches,
> 1. Having one more gluster specific IP table config in db and merge
> with ovirt IPTable config (merging NOT appending)
> [I have the patch engine: Gluster specific firewall configurations
> #7244]
> 2. Having two different IP Table config (ovirt and ovirt+gluster) and
> use either one.
>
> Please provide your suggestions or improvements on this.
>
Hello all,
The mentioned patch[1] adds hard-coded gluster code into the bootstrap code, manipulating the firewall configuration to be gluster specific. It hard-codes a search for "reject", inserting before some other rules.
I believe this hard-coded approach is obsolete now that we have proper tools for templates.
A more robust solution would be defining generic profiles, each profile as a template; each template can refer to different profiles, and a profile is assigned to a node.
This way the implementation is not gluster [or any] specific and can be reused for more setups, and the code is cleaner.
Example:

BASIC.PRE
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]

BASIC.IN
    accept ...
    accept ...

BASIC.POST
    reject ...
    reject ...

BASIC
    ${BASIC.PRE}
    ${BASIC.IN}
    ${BASIC.POST}

GLUSTER
    ${BASIC.PRE}
    ${BASIC.IN}
    accept ...
    ${BASIC.POST}
    reject ...

Regards,
Alon Bar-Lev
[1] http://gerrit.ovirt.org/#/c/7244/
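
The profile scheme proposed in the message above, sketched as an added example (not part of the original message and not oVirt code). The concrete rules, the port number, the APPENDED profile and the function names are assumptions made for illustration. It expands ${PROFILE} references and flags rules that end up after a catch-all reject, which is what appending instead of merging would produce.

```python
import re

# Constructed sample profiles in the BASIC/GLUSTER layout from the message;
# the concrete rules and the port number are illustrative assumptions.
PROFILES = {
    "BASIC.PRE": ":INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]",
    "BASIC.IN": "-A INPUT -p tcp --dport 22 -j ACCEPT",
    "BASIC.POST": "-A INPUT -j REJECT --reject-with icmp-host-prohibited",
    "BASIC": "${BASIC.PRE}\n${BASIC.IN}\n${BASIC.POST}",
    "GLUSTER": "${BASIC.PRE}\n${BASIC.IN}\n"
               "-A INPUT -p tcp --dport 24007 -j ACCEPT\n${BASIC.POST}",
    # Appending instead of merging: the extra rule lands after the REJECT.
    "APPENDED": "${BASIC}\n-A INPUT -p tcp --dport 24007 -j ACCEPT",
}
REF = re.compile(r"^\$\{([A-Za-z0-9_.]+)\}$")


class ProfileError(ValueError):
    pass


def expand(name, profiles=PROFILES, stack=()):
    """Flatten profile `name` into rule lines, resolving ${OTHER} references."""
    if name in stack:
        raise ProfileError("circular reference: " + " -> ".join(stack + (name,)))
    if name not in profiles:
        raise ProfileError("undefined profile: " + name)
    rules = []
    for line in filter(None, map(str.strip, profiles[name].splitlines())):
        ref = REF.match(line)
        if ref:
            rules.extend(expand(ref.group(1), profiles, stack + (name,)))
        elif "${" in line:
            raise ProfileError("reference must be alone on its line: " + line)
        else:
            rules.append(line)
    return rules


def unreachable_rules(rules):
    """Rules that follow an unconditional REJECT/DROP in the same chain."""
    closed, dead = set(), []
    for rule in rules:
        tok = rule.split()
        if len(tok) < 4 or tok[0] != "-A":
            continue  # chain policy lines such as ":INPUT ACCEPT [0:0]"
        if tok[1] in closed:
            dead.append(rule)
        elif tok[2] == "-j" and tok[3] in ("REJECT", "DROP"):
            closed.add(tok[1])
    return dead
```
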