[pve-devel] [PATCH v2 0/4] Read corosync.conf for firewall rules

Stefan Reiter s.reiter at proxmox.com
Mon Jul 1 17:22:13 CEST 2019


Related to issue #2245 (pve-firewall poorly detects 'localnet').
Doesn't actually fix the underlying issue (i.e. localnet is still
detected poorly), however, with this patchset corosync rules are
at least unaffected.

corosync.conf is read directly during firewall rule generation, allowing
much more fine-grained rules to be constructed. These are targeted directly
at ring/link addresses and thus bypass any network detection that could
go wrong. Supports hostname resolving, corosync style.

Tested on a 6.0 cluster, no change in behaviour with IPv4, IPv6 and
hostnames in corosync.conf, multiple links work fine two (tested with
two links, IPv4 and IPv6 simultaniously). 5.4 works fine too, patches
applied cleanly to commit dd7d737bcb (bump version to 3.0-21) and
behaviour of cluster was unaffected (as it should be). The bug mentioned
in #2245 and on the pve-user list is no longer reproducible (corosync
works fine, even with IPv6 address in /etc/hosts and firewall enabled).

Note that joining a new node to a cluster that has its firewall enabled
might be delayed up to 10 seconds, until the firewall daemon has a chance
to re-read the updated corosync.conf and adjust its rules.


v2:
 * Moved iterating and resolving subs to Corosync.pm
 * Unified hostname resolving and iterating commit into one
 * Added multicast-transport condition patch (for corosync 3 only)
 * Fixed code style on several occasions
 * Typos


I will try to look into triggering a firewall update immediately if
corosync.conf has changed, but I think that would be ok to send as a
different patch. The delay is hardly noticeable in my testing.
Maybe an inotify on corosync.conf in the firewall daemon?


pve-cluster:
Stefan Reiter (1):
  Add functions to resolve hostnames and iterate corosync nodes

 data/PVE/Corosync.pm | 89 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)


pve-firewall:
Stefan Reiter (3):
  Create corosync firewall rules independently of localnet
  Update and add tests for corosync firewall changes
  Only include multicast rules if transport is udp

 src/PVE/Firewall.pm            | 83 +++++++++++++++++++++++++++-------
 test/corosync.conf             | 53 ++++++++++++++++++++++
 test/fwtester.pl               | 11 ++++-
 test/test-default-rules1/tests |  4 ++
 4 files changed, 133 insertions(+), 18 deletions(-)
 create mode 100644 test/corosync.conf

-- 
2.20.1





More information about the pve-devel mailing list