[pve-devel] firewall : possible bug/race when cluster.fw is replicated and rules are updated ?

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Jan 9 09:49:44 CET 2019


On 1/9/19 9:17 AM, Thomas Lamprecht wrote:
> On 1/9/19 8:36 AM, Alexandre DERUMIER wrote:
>>>> Hmm, but if one wants to restore the defaults by simply deleting the file he'd 
>>>> need to restart the firewall daemon too. Not really sure if this is ideal 
>>>> either... Even if we could do heuristics for if the file was really 
>>>> removed/truncated (double checks) that would be just feel hacky and as said 
>>>> above, such actions can get you in trouble with all processes where there are 
>>>> reader writers, so this should be handled by the one updating the file. 
>>
>> Ok I understand.
>> I'm also thinking of the case where we could have a corosync/network failure, 
>> where /etc/pve couldn't be mounted anymore or isn't readable; 
>> that means that in this case the firewall will be off too.
>> That seems bad for security....
> 
> Yeah, that's a valid concern.

Argh, wrong. If there's no quorum (network failure) you still have the old state
represented in cluster.conf; the filesystem just went into read-only mode,
so modifications aren't possible anyway.

> Maybe we could simply omit changing rules or anything else if we are not quorate?
> Would seem like the right thing to do, because in that case we cannot assume
> anything so it's best to keep the last valid state intact.
> 

So this is already the behaviour there. And pve-firewall depends on pve-cluster,
so it should only start after it mounted. The single issue could be:

Booting node, pve-cluster fails to start/mount. But, in this case you're done
anyway as either you:
* change the "Wants=pve-cluster" to "Requires=pve-cluster", which then results
  in no pve-firewall service running at all
* or keep it as is, which starts the pve-firewall service nonetheless, but with
  default off as the config cannot be read.

The latter may even be slightly better, as as soon as pve-cluster gets repaired
the firewall service starts to work correctly automatically...
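For reference, the first of the two options above expressed as a systemd drop-in. This is an added example, not a file shipped by Proxmox; it assumes the packaged pve-firewall.service carries "Wants=pve-cluster.service" plus "After=pve-cluster.service" as the mail describes, which can be checked with `systemctl show -p Wants,Requires,After pve-firewall.service` before adding anything:

```ini
# /etc/systemd/system/pve-firewall.service.d/require-cluster.conf
# Hypothetical drop-in (not part of pve-firewall's packaging) that turns the
# soft dependency on pve-cluster into a hard one. Activate with
# "systemctl daemon-reload" and verify with
# "systemctl show -p Requires,After pve-firewall.service".
[Unit]
# Requires= on its own does not order the units; After= keeps the existing
# ordering so pve-firewall is not started before /etc/pve is mounted.
Requires=pve-cluster.service
After=pve-cluster.service
```

Two consequences worth keeping in mind: with Requires= and After= set, pve-firewall is not started at boot if pve-cluster fails to activate, which is the "no firewall service at all" outcome described above, and Requires= also propagates explicit stops and restarts, so a `systemctl restart pve-cluster` will restart pve-firewall as well. Neither happens with the Wants= default, which is why the mail argues the soft dependency may be the better trade-off.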