Feature/kvm whitelist firewall
Tasks:
- support cluster
- support resilient
- tests
- define whitelist-domains-default
- (lazy/later) setup https://stream.nxdcdn.com/rapidspace-whitelist-domains

Dependencies:
- https://lab.nexedi.com/nexedi/slapos/merge_requests/950
- https://lab.nexedi.com/nexedi/slapos.toolbox/merge_requests/94:
  - merge
  - release
  - pin here
- https://lab.nexedi.com/nexedi/slapos.core/merge_requests/285:
  - merge
  - release
  - pin here

Spec:
- have some hardcoded domains (debian.org, ubuntu.org)
- fetch additional domains from https://stream.nxdcdn.com/rapidspace-whitelist-domains
- accept whitelist-domains parameter from the request
- merge all
- produce list of IPs from the domains by using command provided in https://lab.nexedi.com/nexedi/slapos.toolbox/merge_requests/94
- put the list of produced IPs into .slapos-firewall-whitelist

Then additional slapos manager shall read the list and if present allow only connections to that destinations from the VM.

Requirements:
- async download of the list
- async update of the firewall, maybe used with promise (check that list of wanted IPs matches the list of configured ones, or something else)
- the whitelist-firewall slapos manager (another story)
- test up to .slapos-firewall-whitelist or even more, if some kind of additional communication to reload manager is required
Found issues:
- need to open widely 53/udp for DNS resolution, maybe just query /etc/resolv.conf and allow IPs there? - solved by using local /etc/resolv.conf parsing to find acceptable good DNS server
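The pipeline described in the Spec (hardcoded domains, a fetched list, the `whitelist-domains` request parameter, merge, resolve, write `.slapos-firewall-whitelist`) together with the resolv.conf parsing mentioned under "Found issues", as an added example that is not code from this merge request, from slapos, or from slapos.toolbox. The fetched list, the request parameter, the resolv.conf content and the `fake_resolve` lookup table are constructed stand-ins so it runs offline; `fake_resolve` takes the place of the resolution command from slapos.toolbox MR 94, whose interface is not shown here, and all function names are this example's own:

```python
"""Added example: build the whitelist file content and extract DNS servers.

Not part of the merge request or of slapos; names and layout are assumptions.
"""
import ipaddress

# Hardcoded domains from the Spec.
HARDCODED_DOMAINS = ("debian.org", "ubuntu.org")

# Constructed stand-in for the content of the rapidspace-whitelist-domains URL.
FETCHED_LIST = "# constructed list\nmirror.example.org\n\n Debian.org \n"

# Constructed stand-in for the whitelist-domains request parameter.
REQUEST_PARAM = "repo.example.net debian.org"

# Constructed resolver answers; replaces the toolbox resolution command.
FAKE_DNS = {
    "debian.org": ["203.0.113.10", "2001:db8::10"],
    "ubuntu.org": ["203.0.113.20"],
    "mirror.example.org": ["198.51.100.5"],
    "repo.example.net": [],  # unresolvable: reported, never silently dropped
}

# Constructed resolv.conf content, including a line that must be rejected.
RESOLV_CONF = (
    "# constructed\n"
    "nameserver 10.0.0.53\n"
    "nameserver not-an-ip\n"
    "search example.org\n"
    "nameserver fd00::53 # secondary\n"
)


def fake_resolve(domain):
    """Return the constructed address list for a domain ([] if unknown)."""
    return FAKE_DNS.get(domain, [])


def parse_domain_list(text):
    """One domain per whitespace-separated token; '#' starts a comment."""
    domains = []
    for line in text.splitlines():
        domains.extend(line.split("#", 1)[0].split())
    return domains


def merge_domains(*sources):
    """Merge all sources, normalising case and trailing dots, dropping duplicates."""
    seen = {}
    for source in sources:
        for domain in source:
            seen.setdefault(domain.lower().rstrip("."), None)
    return list(seen)


def parse_resolv_conf(text):
    """Return nameserver addresses from resolv.conf content, valid IPs only."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed entry: skip rather than whitelist garbage
    return servers


def build_whitelist(domains, resolver):
    """Resolve every domain; return (sorted unique IPs, unresolved domains)."""
    addresses, unresolved = set(), []
    for domain in domains:
        answers = resolver(domain)
        if not answers:
            unresolved.append(domain)
        for answer in answers:
            addresses.add(ipaddress.ip_address(answer))
    ordered = sorted(addresses, key=lambda a: (a.version, a))
    return [str(a) for a in ordered], unresolved


def render_whitelist(ips):
    """File content for .slapos-firewall-whitelist: one IP per line."""
    return "\n".join(ips) + "\n"


if __name__ == "__main__":
    merged = merge_domains(HARDCODED_DOMAINS,
                           parse_domain_list(FETCHED_LIST),
                           parse_domain_list(REQUEST_PARAM))
    ips, missing = build_whitelist(merged, fake_resolve)
    print(render_whitelist(ips), end="")
    print("unresolved:", missing)
    print("dns servers to allow on 53/udp:", parse_resolv_conf(RESOLV_CONF))
```

Unresolved domains are returned separately so a promise can flag them instead of the firewall quietly opening nothing for that entry; the nameserver addresses are kept apart from the destination list because they only need 53/udp, not general egress.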