GitLab

Tasks:

• support cluster
• support resilient
• tests
• define whitelist-domains-default
• (lazy/later) setup https://stream.nxdcdn.com/rapidspace-whitelist-domains

Dependencies:

• !950 (merged)
• slapos.toolbox!94 (merged):
  • merge
  • release
  • pin here
• slapos.core!285 (merged):
  • merge
  • release
  • pin here

Spec:

• have some hardcoded domains (debian.org, ubuntu.org)
• fetch additional domains from https://stream.nxdcdn.com/rapidspace-whitelist-domains
• accept whitelist-domains parameter from the request
• merge all
• produce list of IPs from the domains by using command provided in slapos.toolbox!94 (merged)
• put the list of produced IPs into .slapos-firewall-whitelist

Then additional slapos manager shall read the list and if present allow only connections to that destinations from the VM.

Requirements:

• async download of the list
• async update of the firewall, maybe used with promise (check that list of wanted IPs matches the list of configured ones, or something else)
• the whitelist-firewall slapos manager (another story)
• test up to .slapos-firewall-whitelist or even more, if some kind of additional communication to reload manager is required

Found issues:

• need to open widely 53/udp for DNS resolution, maybe just query /etc/resolv.conf and allow ips there?
  • solved by using local /etc/resolve.conf parsing to find acceptable good DNS server