On Thu, Jan 16, 2014 at 02:19:45pm +0100, Michele Tartara wrote:
> On Wed, Jan 15, 2014 at 6:15 PM, Vangelis Koukis <[email protected]> wrote:
> > [snip]
> > If Ganeti needs these interfaces, and Ganeti prescribes the policy on
> > them, then it should enforce the policy on its own. This policy includes
> > that guest-to-guest communication is not allowed over these interfaces,
> > and guest-to-host communication is only allowed to Ganeti-specific
> > services, namely the HTTP server used for communication.
> >
> > Thus, Ganeti should take all necessary steps (including iptables rules)
> > to enforce this, just as it's going to do with host-to-VM routing rules.
> >
> > Finally, a more general comment, migrated from the other branch of this
> > discussion:
> >
> > If I understand correctly, offline discussion with Apollon has shaped
> > the design significantly, but the main arguments for not doing any
> > iptables configuration are not currently present in this design doc.
> >
> 
> Hi Vangelis,
>  just to shed a bit of light on this: not wanting to use iptables does
> not come from a single discussion, nor from a single person.
> It's just a general feeling gathered from various discussions. As far
> as we know, Ganeti is being used by many people with many different
> setups, thanks to its flexibility. This means that there are people
> using it together with their already existing set of iptables rules.
> It is quite well known how easy it is to ruin an iptables setup by
> adding just one wrong rule, and this is why we don't want to
> manipulate them in a fixed way from inside Ganeti.
> Therefore, as Jose will make clear in the next iteration of the design
> doc, we will indeed keep Ganeti a turnkey solution by providing ready
> to use hooks with the correct iptables rules for a basic setup. But
> they will be hooks, so that every sysadmin can adapt them to their
> specific case, without Ganeti forcing any particular setup.
> 
> Cheers,
> Michele
> 

Hi Michele, Jose,

Thanks for taking the time to reply.
I appreciate the explanation, as well as the associated changes to the
design doc, with the inclusion of the relevant ifup scripts.

I understand the decision is ultimately yours to make, since you're
going to be the ones implementing and testing the feature.

Thanks for taking our considerations into account.

Keep up the good work,
Vangelis.
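The policy from the quoted section (no guest-to-guest traffic over these interfaces, guest-to-host traffic only to the Ganeti HTTP service), written as the kind of adaptable ifup-style hook Michele describes, with the rules kept in a dedicated chain so an existing iptables setup is not clobbered. This is an added example, not code from the thread or from Ganeti; the interface name, the `tap` interface prefix, the service port and the chain name are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not Ganeti's own hook. The interface name, the prefix
# used to match other guest interfaces, and the service port are
# assumptions passed in as arguments.
set -eu

# build_rules IFACE PREFIX PORT
#   Print, one per line, the iptables commands that confine guest
#   interface IFACE: a per-interface chain accepts TCP to the host
#   service on PORT and drops everything else the host receives on
#   IFACE, and a FORWARD rule blocks traffic to any other PREFIX+
#   interface (guest-to-guest). Idempotent: -C checks before -I.
build_rules() {
    iface=$1; prefix=$2; port=$3
    chain="ganeti-guest-$iface"
    # Own chain: create it, or flush it if the hook runs again.
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$chain" "$chain"
    # Guest-to-host: only the Ganeti HTTP service is reachable.
    printf 'iptables -A %s -p tcp --dport %s -j ACCEPT\n' "$chain" "$port"
    printf 'iptables -A %s -j DROP\n' "$chain"
    # Hook the chain into INPUT for this interface only.
    printf 'iptables -C INPUT -i %s -j %s 2>/dev/null || iptables -I INPUT -i %s -j %s\n' \
        "$iface" "$chain" "$iface" "$chain"
    # Guest-to-guest: nothing forwarded from IFACE to another guest interface.
    printf 'iptables -C FORWARD -i %s -o %s+ -j DROP 2>/dev/null || iptables -I FORWARD -i %s -o %s+ -j DROP\n' \
        "$iface" "$prefix" "$iface" "$prefix"
}

# apply_rules IFACE PREFIX PORT
#   Execute the rules; with DRY_RUN=1 only print them for review.
apply_rules() {
    build_rules "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}
```

Run as `DRY_RUN=1 apply_rules tap0 tap 80` to inspect the rule set a sysadmin would adapt before letting the hook apply it.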
