Bug 982478 – [RFE][virt-sandbox-service] Support to setup iptables rules outside of the container

Bug 982478 - [RFE][virt-sandbox-service] Support to setup iptables rules outside of the container

Summary:	[RFE][virt-sandbox-service] Support to setup iptables rules outside of the co...

Status:	ASSIGNED

Aliases:	None

Product:	Virtualization Tools
Classification:	Community
Component:	libvirt-sandbox (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	x86_64 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Ian Main
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:	FutureFeature

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2013-07-09 03:00 EDT by Alex Jia
Modified:	2014-04-07 06:26 EDT (History)
CC List:	6 users (show)

See Also:
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Alex Jia 2013-07-09 03:00:09 EDT

Description of problem:
At present, the users/admin must log into the container then manually setup iptables rules, it's not convenient for users/admin, especially, if users/admin need to operate 1000+ containers, libvirt-sandbox should allow users/admin to create container with specified iptables rules or allow users/admin to configure iptables rules in the /etc/libvirt-sandbox/services/$name.sandbox configuration file.

Version-Release number of selected component (if applicable):
# rpm -q libvirt-sandbox libvirt selinux-policy systemd kernel
libvirt-sandbox-0.2.0-1.el7.x86_64
libvirt-1.1.0-1.el7.x86_64
selinux-policy-3.12.1-56.el7.noarch
systemd-204-9.el7.1.x86_64
kernel-3.10.0-0.rc7.64.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. virt-sandbox-service without any iptables option or don't know how to
add iptables rules in the /etc/libvirt-sandbox/services/$name.sandbox.


Actual results:


Expected results:
Support to setup iptables rules outside of the container.

Additional info:
For example, libvirt-sandbox may default allowing access for all of service or relevant port, and then users/admin can modify it according to their requirements.

Comment 2 Daniel Berrange 2013-08-02 11:10:18 EDT

With the latest virt-sandbox-service creating a persistent libvirt XML, it is now possible to modify it to include network filtering. This is not something we will officially recommend though, since it is not upgrade safe - eg if you re-create the XML later all custom modifications are lost. A proper solution involves new APIs in libvirt-sandbox.

Comment 3 Ian Main 2013-09-11 16:33:15 EDT

So am I correct to think that this basically involves adding filterref elements to the libvirt network config XML and propagating that through libvirt-sandbox etc?  Do we want additional configuration elements such as IP or CTRL_IP_LEARNING?  In general I'm just looking for some good defaults and parameters we should add.

Comment 4 Ian Main 2013-09-11 16:37:31 EDT

To be more clear I was thinking this would involve adding eg virt-sandbox -N dhcp,source=default,filterref=clean-traffic and then adding the APIs to make it all happen from there.  Correct?

Note You need to log in before you can comment on or make changes to this bug.