Bug 982478 - [RFE][virt-sandbox-service] Support to setup iptables rules outside of the container
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt-sandbox
Version: unspecified
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ian Main
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-07-09 07:00 UTC by Alex Jia
Modified: 2020-02-21 19:18 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-02-21 19:18:46 UTC
Embargoed:



Description Alex Jia 2013-07-09 07:00:09 UTC
Description of problem:
At present, the users/admin must log into the container and then manually set up iptables rules. This is not convenient for users/admin, especially if they need to operate 1000+ containers. libvirt-sandbox should allow users/admin to create a container with specified iptables rules, or allow users/admin to configure iptables rules in the /etc/libvirt-sandbox/services/$name.sandbox configuration file.

Version-Release number of selected component (if applicable):
# rpm -q libvirt-sandbox libvirt selinux-policy systemd kernel
libvirt-sandbox-0.2.0-1.el7.x86_64
libvirt-1.1.0-1.el7.x86_64
selinux-policy-3.12.1-56.el7.noarch
systemd-204-9.el7.1.x86_64
kernel-3.10.0-0.rc7.64.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Run virt-sandbox-service without any iptables option, or without knowing how to
add iptables rules in /etc/libvirt-sandbox/services/$name.sandbox.


Actual results:


Expected results:
Support to setup iptables rules outside of the container.

Additional info:
For example, libvirt-sandbox may by default allow access to all services or to the relevant port, and then users/admin can modify it according to their requirements.

Comment 2 Daniel Berrangé 2013-08-02 15:10:18 UTC
With the latest virt-sandbox-service creating a persistent libvirt XML, it is now possible to modify it to include network filtering. This is not something we will officially recommend though, since it is not upgrade-safe: e.g. if you re-create the XML later, all custom modifications are lost. A proper solution involves new APIs in libvirt-sandbox.

Comment 3 Ian Main 2013-09-11 20:33:15 UTC
So am I correct to think that this basically involves adding filterref elements to the libvirt network config XML and propagating that through libvirt-sandbox etc?  Do we want additional configuration elements such as IP or CTRL_IP_LEARNING?  In general I'm just looking for some good defaults and parameters we should add.

Comment 4 Ian Main 2013-09-11 20:37:31 UTC
To be more clear, I was thinking this would involve adding e.g. virt-sandbox -N dhcp,source=default,filterref=clean-traffic and then adding the APIs to make it all happen from there. Correct?
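The workaround in Comment 2 (editing the persistent domain XML) and the filterref/parameter question in Comment 3 and Comment 4 amount to the same edit: putting a `<filterref filter='clean-traffic'>` element, optionally with `IP` and `CTRL_IP_LEARNING` parameters, under each `<interface>` of the sandbox's domain XML. The script below is an added example written for this page, not code from the bug, from virt-sandbox-service or from libvirt-sandbox. The domain XML it operates on is a constructed, minimal sample; the interface MAC, the address 192.168.122.10 and the choice of `CTRL_IP_LEARNING=none` are assumptions. It is written so it can be run over the output of `virsh dumpxml $name` and the result fed back with `virsh define`, and it skips interfaces that already carry a filterref so re-running it does not stack references.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real virt-sandbox-service file: a minimal
# persistent LXC domain XML of the shape the tool writes, with one
# interface on the libvirt 'default' network and no filterref yet.
SAMPLE_DOMAIN_XML = """<domain type='lxc'>
  <name>httpd1</name>
  <devices>
    <interface type='network'>
      <source network='default'/>
      <mac address='52:54:00:12:34:56'/>
    </interface>
  </devices>
</domain>"""


def add_filterref(domain_xml, filter_name="clean-traffic", parameters=None):
    """Return (new_xml, count): domain_xml with a <filterref> added to every
    <interface> that does not already have one, and how many were added.

    parameters maps nwfilter variable names (e.g. IP, CTRL_IP_LEARNING) to
    string values; each becomes a <parameter name=... value=.../> child of
    the filterref, which is how libvirt's clean-traffic filter is tuned.
    """
    root = ET.fromstring(domain_xml)
    added = 0
    for iface in root.iter("interface"):
        if iface.find("filterref") is not None:
            continue  # already filtered; leave the admin's existing choice alone
        ref = ET.SubElement(iface, "filterref", {"filter": filter_name})
        for name, value in (parameters or {}).items():
            ET.SubElement(ref, "parameter", {"name": name, "value": value})
        added += 1
    return ET.tostring(root, encoding="unicode"), added


def filterrefs(domain_xml):
    """Per interface, (filter name, {param: value}) or None if unfiltered.
    Used to verify the edit, and handy against 'virsh dumpxml' output."""
    result = []
    for iface in ET.fromstring(domain_xml).iter("interface"):
        ref = iface.find("filterref")
        if ref is None:
            result.append(None)
        else:
            params = {p.get("name"): p.get("value") for p in ref.findall("parameter")}
            result.append((ref.get("filter"), params))
    return result


if __name__ == "__main__":
    # Assumed policy: pin the sandbox to one address and disable IP learning,
    # so the filter does not have to guess the guest's address from traffic.
    new_xml, n = add_filterref(
        SAMPLE_DOMAIN_XML,
        parameters={"IP": "192.168.122.10", "CTRL_IP_LEARNING": "none"},
    )
    print(f"added {n} filterref(s)")
    print(new_xml)
```

The script only touches the XML text; applying it is still the unsupported path Comment 2 describes, so anything it adds disappears the next time virt-sandbox-service re-creates the domain XML and has to be re-applied. When `CTRL_IP_LEARNING` is set to `none`, libvirt expects the `IP` parameter to be supplied explicitly, which is why the example passes both together.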

