[pve-devel] [PATCH 0/5] Read corosync.conf for firewall rules

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Jul 1 14:04:50 CEST 2019


On Mon, Jul 01, 2019 at 10:49:19AM +0200, Stefan Reiter wrote:
> Related to issue #2245 (pve-firewall poorly detects 'localnet').
> Doesn't actually fix the underlying issue (i.e. localnet is still
> detected poorly), however, with this patchset corosync rules are
> at least unaffected.
> 
> corosync.conf is read directly during firewall rule creation, allowing
> much more fine-grained rules to be created. These are targeted directly
> at ring/link addresses and thus bypass any network detection that could
> go wrong. Supports hostname resolving, corosync style.
> 
> Tested on a 6.0 cluster, no change in behaviour with IPv4, IPv6 and
> hostnames in corosync.conf, multiple links work fine too (tested with
> two links, IPv4 and IPv6 simultaneously). 5.4 works fine too, patches
> applied cleanly to commit dd7d737bcb (bump version to 3.0-21) and
> behaviour of cluster was unaffected (as it should be). The bug mentioned
> in #2245 and on the pve-user list is no longer reproducible (corosync
> works fine, even with IPv6 address in /etc/hosts and firewall enabled).
> 
> Note that joining a new node to a cluster that has its firewall enabled
> might be delayed up to 10 seconds, until the firewall daemon has a chance
> to re-read the updated corosync.conf and adjust its rules.

I wonder whether both the resolver and the iterator sub are not better
placed in PVE/Corosync.pm - they are pretty Corosync specific, and if we
need to change them it's likely because Corosync changed something ;)

if you add the resolver first, you could add the final version of the
iterator right away instead of having an intermediate version.

could we speed up the delay when joining? e.g., trigger a firewall
reload right after writing corosync.conf?

some notes on individual patches as well.

thanks for this well-prepared v1, and the informative commit messages!
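The per-link rule generation the cover letter describes, as an added example in Python that is not part of the patch series (pve-firewall itself is Perl): node blocks are taken from corosync.conf, each ringN_addr is used as a literal IP or resolved like corosync would, and one accept rule per link address is emitted instead of relying on 'localnet' detection. The corosync.conf excerpt and hosts mapping are constructed; the chain name and UDP port range are assumptions about pve-firewall's defaults.

```python
import re
from ipaddress import ip_address

# Constructed corosync.conf excerpt (not taken from any real cluster): two nodes, two links.
COROSYNC_CONF = """\
totem {
  version: 2
  cluster_name: demo
}
nodelist {
  node {
    name: pve1
    nodeid: 1
    ring0_addr: 10.0.0.11
    ring1_addr: pve1-link1
  }
  node {
    name: pve2
    nodeid: 2
    ring0_addr: 10.0.0.12
    ring1_addr: fd00::12
  }
}
"""

# Constructed stand-in for /etc/hosts; a real implementation would use the system resolver.
HOSTS = {"pve1-link1": "fd00::11"}

COROSYNC_PORTS = "5404:5405"   # assumption: UDP range pve-firewall opens for corosync
HOST_CHAIN = "PVEFW-HOST-IN"   # assumption: pve-firewall's inbound host chain


def parse_nodelist(conf):
    """Return one {key: value} dict per 'node { ... }' block (nodelist { is not matched)."""
    nodes = []
    for block in re.findall(r"node\s*\{([^}]*)\}", conf):
        entries = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        nodes.append({k.strip(): v.strip() for k, v in entries})
    return nodes


def link_addresses(nodes, hosts):
    """Yield (link_number, ip) for every ringN_addr; literal IPs as-is, names looked up.
    An unresolvable name raises KeyError so a broken config is not silently skipped."""
    for node in nodes:
        for key, val in node.items():
            m = re.fullmatch(r"ring(\d+)_addr", key)
            if m:
                try:
                    addr = ip_address(val)
                except ValueError:
                    addr = ip_address(hosts[val])
                yield int(m.group(1)), addr


def corosync_rules(conf, hosts):
    """One accept rule per peer link address, IPv4 and IPv6 handled by address family."""
    rules = []
    for link, addr in link_addresses(parse_nodelist(conf), hosts):
        tool = "ip6tables" if addr.version == 6 else "iptables"
        rules.append(f"{tool} -A {HOST_CHAIN} -s {addr} -p udp --dport {COROSYNC_PORTS} "
                     f"-m comment --comment corosync-link{link} -j ACCEPT")
    return rules
```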
