[libvirt] RFC: automatic setting of ip_forwarding (or not)

Daniel P. Berrange berrange at redhat.com
Thu Oct 7 12:14:46 UTC 2010


On Fri, Oct 01, 2010 at 02:46:34PM -0400, Laine Stump wrote:
>  Currently libvirt will turn on net.ipv4.ip_forward by writing "1\n" to 
> /proc/sys/net/ipv4/ip_forward whenever a virtual network with a 
> forward mode of "nat" or "route" is started. This is problematic for two 
> reasons: 1) /etc/sysctl.conf is not updated with this information, so 
> any other process reprocessing /etc/sysctl.conf (with "sysctl -a -p") 
> will potentially turn ip forward back to 0, leaving libvirt-created 
> virtual networks in a non-working state, and 2) it's possible the 
> administrator turned off ip forwarding on purpose for security reasons, 
> and our silently turning it on leaves them mistakenly believing it is 
> still off.
> 
> We've discussed a few ways of remedying this situation lately, and I 
> thought I should summarize all the mentioned ideas, and take a poll to 
> try and determine which way we should fix this.
> 
> 1) Leave it as is. The simplest solution, but has the problems outlined 
> above.
> 
> 2) Turn it on in the same place, but do it by writing
> 
>      net.ipv4.ip_forward = 1
> 
> to /etc/sysctl.conf and calling "sysctl -a -p". This gives us the same 
> behavior as currently, but with the advantages that a) our change to the 
> config is documented in /etc/sysctl.conf and b) virtual networked guests 
> won't suddenly have their network fail when some other process runs 
> "sysconfig -a -p".
> 
> However, it seems rather drastic to be turning this on every time a 
> virtual network is started, especially without alerting the admin that 
> this has been done.

We have to bear in mind that this functionality has existed in
libvirt for 4 years now and as such we really don't want to cause
a regression in behaviour for people. Option 1 does have the
problem you mention, but for the vast majority of people it has
been working for years & they'll be annoyed if we break it.

To me, this ties back in with the problem of managing the firewall
in general. Toggling of ip forward should be something done by the
firewall management service, of which none exists yet. There is
current active development work to provide a dynamic firewall
management service in Fedora. This is to address the needs of libvirt,
NetworkManager, CUPs, System-D all of whom are suffering from the 
current lack of firewall management. I expect the ip_forward setting
will fall under this service. 

My preference would thus be to leave current libvirt behaviour
unchanged and wait to see how the firewall mgmt work plays out.

> 3) Whenever a virtual network that would require ip_forward = 1 to 
> operate properly is started (ie at libvirtd start time, and when a 
> network is newly defined), check if it's currently on, and if not log a 
> warning message, informing the admin that they should turn on ip_forward 
> in sysctl.conf and reload it in order to have properly working networking.
> 
> This would assure that the admin was informed of the necessity for 
> ip_forward, but eliminate the possibility of two processes fighting over 
> the setting of ip_forward, leaving it up to the admin to make the 
> decision and do the right thing. On the other hand, it would prevent 
> libvirt's networking from "just working" on a new install.

This would be a major regression for anyone upgrading their libvirt
install.

> 4) Turn ip_forward on during libvirt install.
> 
> This one doesn't make sense to me, because you don't know at the time of 
> libvirt install whether or not the installation is going to end up with 
> any virtual networks that need forwarding.

Agreed, this is the wrong time/place.

> 5) Make ip_forward a tunable in /etc/libvirt/libvirtd.conf, and set it 
> accordingly every time libvirtd is started.
> 
> I don't know if this makes sense either - if you have NATed or routed 
> virtual networks, you will need ip_forward=1 for them to work properly, 
> and if you don't have them, you don't care, so it's really redundant.

Yeah, doesn't make much sense to have to edit a config file to
change a variable in a different config file. It is no better 
than telling people to edit sysctl.conf.

Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
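The drift described in the quoted point 1 (libvirt writing "1" straight to /proc while /etc/sysctl.conf says otherwise, so a later "sysctl -p" flips it back) and the check proposed in option 3 can be expressed as a small host check. This is an added example, not libvirt's code; the two file paths are the ones the thread names, and the state labels are this example's own.

```python
from pathlib import Path

PROC_PATH = "/proc/sys/net/ipv4/ip_forward"   # path named in the thread
SYSCTL_CONF = "/etc/sysctl.conf"              # path named in the thread
KEY = "net.ipv4.ip_forward"


def parse_sysctl_conf(text):
    """Parse sysctl.conf-style text into {key: value}.

    Blank lines and lines starting with '#' or ';' are skipped; when a key
    appears more than once the last value wins, as with 'sysctl -p'.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_ip_forward(proc_text, conf_text):
    """Classify the forwarding state as '<live>-<persistence>' (labels are
    this example's own, not libvirt's).

    live:        'on' if the kernel value is 1, else 'off'
    persistence: 'persistent' if sysctl.conf sets the same value;
                 'conflict'   if sysctl.conf sets a different value, so a
                              'sysctl -p' by another process would flip it;
                 'unmanaged'  if sysctl.conf does not mention the key, e.g.
                              something wrote "1" straight to /proc.
    """
    live = "on" if proc_text.strip() == "1" else "off"
    configured = parse_sysctl_conf(conf_text).get(KEY)
    if configured is None:
        return f"{live}-unmanaged"
    if (configured == "1") == (live == "on"):
        return f"{live}-persistent"
    return f"{live}-conflict"


def check_host():
    """Run the check against the real host files (Linux only)."""
    conf = Path(SYSCTL_CONF)
    return check_ip_forward(Path(PROC_PATH).read_text(),
                            conf.read_text() if conf.exists() else "")


if __name__ == "__main__":
    print(check_host())
```

An "on-conflict" or "on-unmanaged" result is the situation the thread describes: forwarding is live but nothing in sysctl.conf will keep it that way.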