Red Hat Bugzilla – Bug 982478
[RFE][virt-sandbox-service] Support to setup iptables rules outside of the container
Last modified: 2014-04-07 06:26:39 EDT
Description of problem:
At present, users/admins must log into the container and then manually set up iptables rules. This is not convenient for users/admins, especially if they need to operate 1000+ containers. libvirt-sandbox should allow users/admins to create a container with specified iptables rules, or allow them to configure iptables rules in the /etc/libvirt-sandbox/services/$name.sandbox configuration file.
Version-Release number of selected component (if applicable):
# rpm -q libvirt-sandbox libvirt selinux-policy systemd kernel
Steps to Reproduce:
1. virt-sandbox-service has no iptables option, and it is unclear how to
add iptables rules in /etc/libvirt-sandbox/services/$name.sandbox.
Support for setting up iptables rules outside of the container.
For example, libvirt-sandbox could by default allow access to all services or the relevant ports, and users/admins could then modify this according to their requirements.
With the latest virt-sandbox-service creating a persistent libvirt XML, it is now possible to modify it to include network filtering. This is not something we will officially recommend though, since it is not upgrade-safe, e.g. if you re-create the XML later all custom modifications are lost. A proper solution involves new APIs in libvirt-sandbox.
So am I correct to think that this basically involves adding filterref elements to the libvirt network config XML and propagating that through libvirt-sandbox, etc.? Do we want additional configuration elements such as IP or CTRL_IP_LEARNING? In general I'm just looking for some good defaults and parameters we should add.
To be more clear, I was thinking this would involve adding e.g. virt-sandbox -N dhcp,source=default,filterref=clean-traffic and then adding the APIs to make it all happen from there. Correct?
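As an added illustration of what the filterref proposal in the last two comments would mean in libvirt terms (this is example code written for this page, not code from the bug, from virt-sandbox or from libvirt): the script below takes an option string in the proposed form, dhcp,source=default,filterref=clean-traffic, and renders the <interface> XML that libvirt-sandbox would have to generate so the container's NIC carries libvirt's clean-traffic nwfilter together with its IP and CTRL_IP_LEARNING parameters. The filterref=, ip= and ctrl_ip_learning= sub-keys are assumed syntax, not existing virt-sandbox options; the MAC address is a constructed sample value.

```python
import xml.etree.ElementTree as ET

# Values libvirt's nwfilter accepts for the CTRL_IP_LEARNING parameter
# of the clean-traffic filter.
CTRL_IP_LEARNING_MODES = {"any", "dhcp", "none"}


def parse_network_option(spec):
    """Split a virt-sandbox-style option string such as
    'dhcp,source=default,filterref=clean-traffic' into (mode, {key: value}).
    The leading bare word is the addressing mode; the rest are key=value pairs.
    """
    mode, *items = spec.split(",")
    params = {}
    for item in items:
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError("expected key=value, got %r" % item)
        params[key] = value
    return mode, params


def build_interface_xml(spec, mac="52:54:00:12:34:56"):
    """Render the <interface> element that would attach an nwfilter to the
    container's NIC. The sub-keys filterref=, ip= and ctrl_ip_learning= are
    hypothetical (proposed here, not present in virt-sandbox); the default
    MAC is a constructed sample.
    """
    mode, params = parse_network_option(spec)
    if mode != "dhcp":
        raise ValueError("only the dhcp mode is modelled in this example")
    iface = ET.Element("interface", type="network")
    ET.SubElement(iface, "source", network=params.get("source", "default"))
    ET.SubElement(iface, "mac", address=mac)
    filter_name = params.get("filterref")
    if filter_name:
        fref = ET.SubElement(iface, "filterref", filter=filter_name)
        learning = params.get("ctrl_ip_learning")
        if learning is not None:
            if learning not in CTRL_IP_LEARNING_MODES:
                raise ValueError("bad ctrl_ip_learning value %r" % learning)
            if learning == "none" and "ip" not in params:
                # clean-traffic's anti-spoofing rules are built on $IP; with
                # address learning disabled the IP must be supplied explicitly.
                raise ValueError("ctrl_ip_learning=none requires ip=")
            ET.SubElement(fref, "parameter", name="CTRL_IP_LEARNING", value=learning)
        if "ip" in params:
            ET.SubElement(fref, "parameter", name="IP", value=params["ip"])
    return ET.tostring(iface, encoding="unicode")


def filterref_summary(xml_text):
    """Return (filter name, {parameter name: value}) from an <interface> XML
    string, or (None, {}) when the interface carries no filterref. Useful for
    auditing a generated or persisted domain XML.
    """
    fref = ET.fromstring(xml_text).find("filterref")
    if fref is None:
        return None, {}
    params = {p.get("name"): p.get("value") for p in fref.findall("parameter")}
    return fref.get("filter"), params


if __name__ == "__main__":
    print(build_interface_xml("dhcp,source=default,filterref=clean-traffic"))
    print(build_interface_xml(
        "dhcp,source=default,filterref=clean-traffic,"
        "ip=192.168.122.10,ctrl_ip_learning=none"))
```

The point of generating the element rather than hand-editing the persistent XML, as the earlier comment notes, is that a filterref emitted from the sandbox configuration survives re-creation of the domain XML. The example also refuses ctrl_ip_learning=none without an ip= value, since clean-traffic's anti-spoofing rules reference $IP and would otherwise be built without an address.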