Use libvirt's nwfilter to contain instances
In version 0.8.0, libvirt gained a set of firewalling capabilities (nwfilter: per-interface packet-filter rules defined in XML and attached to a domain's network interface, including the stock "clean-traffic" filter against MAC, IP and ARP spoofing). As far as possible, the libvirt driver should leverage these to contain instances, so that an instance cannot spoof addresses or reach traffic it has not been explicitly allowed.
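The two pieces the summary implies are a per-instance nwfilter definition and the interface binding that attaches it to the guest. The following is an added example written for this page; it is not Nova's code and not part of libvirt. It assumes the stock "clean-traffic" filter shipped with libvirt 0.8.0 and later, a hypothetical "nova-instance-" naming prefix, and constructed sample addresses; libvirt's default stateful matching (an "out" accept also admits the replies) is what lets the ruleset stay small.

```python
# Added example (not Nova's or libvirt's own code): build the XML needed to
# contain one instance with libvirt nwfilter. The 'nova-instance-' prefix,
# the bridge name and the addresses below are assumptions for illustration.
import xml.etree.ElementTree as ET

CLEAN_TRAFFIC = "clean-traffic"   # stock filter shipped with libvirt >= 0.8.0


def filter_name(instance_id):
    # Naming convention is an assumption made for this example.
    return "nova-instance-%s" % instance_id


def build_instance_filter(instance_id, tcp_in_ports=(), udp_in_ports=()):
    """Return nwfilter XML that confines one instance.

    Rules are evaluated by priority (lower first; libvirt's default is 500).
    Matching is stateful by default, so an 'out' accept also lets the replies
    back in and an 'in' accept lets the replies back out: only the side that
    may *initiate* a flow needs a rule, and everything else is dropped.
    """
    root = ET.Element("filter", name=filter_name(instance_id), chain="root")
    # Drop spoofed MAC/IP/ARP frames; clean-traffic also permits DHCP.
    ET.SubElement(root, "filterref", filter=CLEAN_TRAFFIC)
    # Traffic the instance may initiate: TCP and UDP anywhere, plus ICMP.
    for proto in ("tcp", "udp", "icmp"):
        rule = ET.SubElement(root, "rule", action="accept",
                             direction="out", priority="200")
        ET.SubElement(rule, proto)
    # Inbound services the operator explicitly exposes.
    for proto, ports in (("tcp", tcp_in_ports), ("udp", udp_in_ports)):
        for port in ports:
            rule = ET.SubElement(root, "rule", action="accept",
                                 direction="in", priority="300")
            ET.SubElement(rule, proto, dstportstart=str(port))
    # Default deny in both directions, evaluated last.
    rule = ET.SubElement(root, "rule", action="drop",
                         direction="inout", priority="1000")
    ET.SubElement(rule, "all")
    return ET.tostring(root, encoding="unicode")


def build_interface_xml(instance_id, bridge, mac, ip):
    """<interface> element for the domain XML that binds the filter to the
    NIC. The IP parameter is what clean-traffic's no-ip-spoofing rule
    enforces, so it must be the address the instance was actually given."""
    iface = ET.Element("interface", type="bridge")
    ET.SubElement(iface, "source", bridge=bridge)
    ET.SubElement(iface, "mac", address=mac)
    ref = ET.SubElement(iface, "filterref", filter=filter_name(instance_id))
    ET.SubElement(ref, "parameter", name="IP", value=ip)
    return ET.tostring(iface, encoding="unicode")


def rules_of(filter_xml):
    """Flatten a filter into (action, direction, priority, protocol, dstport)
    tuples in document order, to check what a generated filter will do."""
    out = []
    for rule in ET.fromstring(filter_xml).findall("rule"):
        proto = list(rule)[0]
        out.append((rule.get("action"), rule.get("direction"),
                    int(rule.get("priority")), proto.tag,
                    proto.get("dstportstart")))
    return out


def referenced_filters(filter_xml):
    return [r.get("filter")
            for r in ET.fromstring(filter_xml).findall("filterref")]


def define_on_host(filter_xml, uri="qemu:///system"):
    """Load the filter into libvirtd (the equivalent of virsh nwfilter-define).
    Needs the libvirt Python bindings and a running libvirtd, so it is kept
    out of the offline path above."""
    import libvirt
    conn = libvirt.open(uri)
    try:
        return conn.nwfilterDefineXML(filter_xml).name()
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample: instance i-00000001 exposing only SSH.
    print(build_instance_filter("i-00000001", tcp_in_ports=(22,)))
    print(build_interface_xml("i-00000001", "br100",
                              "02:16:3e:00:00:01", "10.0.0.2"))
```

Note that the filter and the interface binding are separate objects on the host: the filter must be defined (nwfilter-define) before the domain that references it is created, and libvirt re-evaluates the rules whenever the filter or its parameters change, so updating a security group maps to redefining the filter rather than restarting the instance.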
Blueprint information
- Status: Complete
- Approver: Rick Clark
- Priority: Low
- Drafter: Soren Hansen
- Direction: Approved
- Assignee: Soren Hansen
- Definition: Superseded
- Series goal: Accepted for austin
- Implementation: Beta Available
- Milestone target: None
- Started by: Soren Hansen
- Completed by: Soren Hansen
Whiteboard
Is there equivalent functionality in xenserver? Have you discussed this with Ewan at all? I want to ensure we do not do anything in a way that precludes offering equivalent functionality on other hypervisors. --dendrobates
------
I think I understand your concern. Two facts play into this:
* At the moment this is not something that is done conditionally. As such, there is no external interface for it that can be implemented by other hypervisor drivers.
* The current approach leverages an API that libvirt exposes, so the implementation cannot be used by other hypervisor drivers.
The most reasonable way forward, AFAICS, is to make it more clear what we expect of hypervisor drivers when they start an instance and list the safeguards nwfilter puts in place as a part of these requirements. I don't think it makes sense not to do this directly in the libvirt driver, since this is clearly the most efficient way to handle it for people who use libvirt. It makes even less sense not to do it at all (in an effort to maintain feature parity between libvirt and xenapi). No one gains anything that way.
-- soren, 2010-09-10
We have not seen a way to do this in XenServer and currently do this by modifying the vif script in /etc/xensource/
-- pvo, 2010-09-15
----
Superseded by ec2-security-