[Kimchi-devel] [PATCH] Issue #456: Firewall ports are not open after firewall restart v2

Ramon Medeiros ramonn at linux.vnet.ibm.com
Thu Jan 8 19:34:10 UTC 2015 

Changes

v2:

Correct firewalld argument "--permanent"
Extend changes to debian



Instead of setup firewall and selinux configuration, kimchi will just
add the files needed by this setup and describe to the user how security
setup will be done in README.

Signed-off-by: Ramon Medeiros <ramonn at linux.vnet.ibm.com>
---
 contrib/DEBIAN/postinst       |  9 ---------
 contrib/DEBIAN/postrm         |  7 -------
 contrib/kimchi.spec.fedora.in | 26 --------------------------
 docs/README.md                | 25 +++++++++++++++++++++++++
 4 files changed, 25 insertions(+), 42 deletions(-)

diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
index 5bca009..5a300bc 100755
--- a/contrib/DEBIAN/postinst
+++ b/contrib/DEBIAN/postinst
@@ -17,12 +17,3 @@
 # You should have received a copy of the GNU Lesser General Public
 # License along with this library; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-
-set +e
-service firewalld status >/dev/null 2>&1
-if [ $? -ne 0 ]; then
-    service firewalld start >/dev/null 2>&1
-fi
-firewall-cmd --reload  >/dev/null 2>&1
-firewall-cmd --add-service kimchid  >/dev/null 2>&1
-set -e
diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm
index 9f1d895..ef90b49 100755
--- a/contrib/DEBIAN/postrm
+++ b/contrib/DEBIAN/postrm
@@ -26,10 +26,3 @@ case "$1" in
         rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/
     ;;
 esac
-
-set +e
-service firewalld status >/dev/null 2>&1
-if [ $? -eq 0 ]; then
-    firewall-cmd --remove-service kimchid >/dev/null 2>&1
-fi
-set -e
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
index e75018e..92d3e49 100644
--- a/contrib/kimchi.spec.fedora.in
+++ b/contrib/kimchi.spec.fedora.in
@@ -113,23 +113,6 @@ if [ $1 -eq 1 ] ; then
     /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 fi
 
-%if 0%{?with_systemd}
-service firewalld status >/dev/null 2>&1
-if [ $? -ne 0 ]; then
-    service firewalld start >/dev/null 2>&1
-fi
-# Add firewalld rules to open 8000 and 8001 port
-firewall-cmd --reload >/dev/null 2>&1
-firewall-cmd --add-service kimchid >/dev/null 2>&1
-%else
-# Add default iptable rules to open 8000 and 8001 port
-iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
-iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
-iptables -I INPUT -p tcp --dport 64667 -j ACCEPT
-service iptables save >/dev/null 2>&1
-%endif
-# Add SELinux rules to "open" Kimchi ports
-semanage permissive -a httpd_t
 
 %preun
 
@@ -137,13 +120,6 @@ if [ $1 -eq 0 ] ; then
     # Package removal, not upgrade
     /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || :
     /bin/systemctl stop kimchid.service > /dev/null 2>&1 || :
-    %if 0%{?with_systemd}
-        firewall-cmd --remove-service kimchid >/dev/null 2>&1 || :
-    %else
-        iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || :
-        iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || :
-        iptables -D INPUT -p tcp --dport 64667 -j ACCEPT || :
-    %endif
 fi
 
 exit 0
@@ -154,8 +130,6 @@ if [ "$1" -ge 1 ] ; then
     /bin/systemctl try-restart kimchid.service >/dev/null 2>&1 || :
 fi
 exit 0
-# Rollback SELinux rules
-semanage permissive -d httpd_t
 
 %clean
 rm -rf $RPM_BUILD_ROOT
diff --git a/docs/README.md b/docs/README.md
index 823c856..c68f625 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -142,6 +142,30 @@ Run
 
     $ sudo kimchid --host=0.0.0.0
 
+If you cannot access Kimchi, take a look at this 2 points: 
+
+1. Firewall 
+Kimchi uses ports 8000, 8001 and 64667. If you are using firewalld, there is a easy way to add the rules:
+
+firewall-cmd --reload 
+firewall-cmd --add-service kimchid --permanent
+
+If you want to add directly to iptables:
+
+iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
+iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
+iptables -I INPUT -p tcp --dport 64667 -j ACCEPT
+service iptables save
+
+Don't forget to correctly save the rules.
+
+
+2. SELinux
+
+Allow httpd_t context for Kimchi web server:
+
+semanage permissive -a httpd_t
+
 
 Test
 ----
@@ -197,6 +221,7 @@ is configured as:
     (2) Chown of export path as libvirt user, group as kvm group,
         In order to make sure all mapped user can get into the mount point.
 
+
 Participating
 -------------
 
-- 
1.8.3.1

More information about the Kimchi-devel mailing list