[Kimchi-devel] [PATCH] Issue #456: Firewall ports are not open after firewall restart v4

Ramon Medeiros ramonn at linux.vnet.ibm.com
Wed Jan 14 13:06:59 UTC 2015 

Changes:

v4:
Write README instructions based on README-federation
add iptables rules

v3:
Remove postint file from debian
Append opensuse firewall commands
Change README instructions

v2:

Correct firewalld argument "--permanent"
Extend changes to debian 

Instead of setup firewall and selinux configuration, kimchi will just
add the files needed by this setup and describe to the user how security
setup will be done in README.

Signed-off-by: Ramon Medeiros <ramonn at linux.vnet.ibm.com>
---
 contrib/DEBIAN/postinst       | 28 ----------------------------
 contrib/DEBIAN/postrm         |  7 -------
 contrib/kimchi.spec.fedora.in | 26 --------------------------
 docs/README.md                | 31 +++++++++++++++++++++++++++++++
 4 files changed, 31 insertions(+), 61 deletions(-)
 delete mode 100755 contrib/DEBIAN/postinst

diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
deleted file mode 100755
index 5bca009..0000000
--- a/contrib/DEBIAN/postinst
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh -e
-#
-# Project Kimchi
-#
-# Copyright IBM, Corp. 2013
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-
-set +e
-service firewalld status >/dev/null 2>&1
-if [ $? -ne 0 ]; then
-    service firewalld start >/dev/null 2>&1
-fi
-firewall-cmd --reload  >/dev/null 2>&1
-firewall-cmd --add-service kimchid  >/dev/null 2>&1
-set -e
diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm
index 9f1d895..ef90b49 100755
--- a/contrib/DEBIAN/postrm
+++ b/contrib/DEBIAN/postrm
@@ -26,10 +26,3 @@ case "$1" in
         rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/
     ;;
 esac
-
-set +e
-service firewalld status >/dev/null 2>&1
-if [ $? -eq 0 ]; then
-    firewall-cmd --remove-service kimchid >/dev/null 2>&1
-fi
-set -e
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
index e75018e..92d3e49 100644
--- a/contrib/kimchi.spec.fedora.in
+++ b/contrib/kimchi.spec.fedora.in
@@ -113,23 +113,6 @@ if [ $1 -eq 1 ] ; then
     /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 fi
 
-%if 0%{?with_systemd}
-service firewalld status >/dev/null 2>&1
-if [ $? -ne 0 ]; then
-    service firewalld start >/dev/null 2>&1
-fi
-# Add firewalld rules to open 8000 and 8001 port
-firewall-cmd --reload >/dev/null 2>&1
-firewall-cmd --add-service kimchid >/dev/null 2>&1
-%else
-# Add default iptable rules to open 8000 and 8001 port
-iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
-iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
-iptables -I INPUT -p tcp --dport 64667 -j ACCEPT
-service iptables save >/dev/null 2>&1
-%endif
-# Add SELinux rules to "open" Kimchi ports
-semanage permissive -a httpd_t
 
 %preun
 
@@ -137,13 +120,6 @@ if [ $1 -eq 0 ] ; then
     # Package removal, not upgrade
     /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || :
     /bin/systemctl stop kimchid.service > /dev/null 2>&1 || :
-    %if 0%{?with_systemd}
-        firewall-cmd --remove-service kimchid >/dev/null 2>&1 || :
-    %else
-        iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || :
-        iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || :
-        iptables -D INPUT -p tcp --dport 64667 -j ACCEPT || :
-    %endif
 fi
 
 exit 0
@@ -154,8 +130,6 @@ if [ "$1" -ge 1 ] ; then
     /bin/systemctl try-restart kimchid.service >/dev/null 2>&1 || :
 fi
 exit 0
-# Rollback SELinux rules
-semanage permissive -d httpd_t
 
 %clean
 rm -rf $RPM_BUILD_ROOT
diff --git a/docs/README.md b/docs/README.md
index 823c856..8dcc652 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -142,6 +142,37 @@ Run
 
     $ sudo kimchid --host=0.0.0.0
 
+If you cannot access Kimchi, take a look at these 2 points: 
+
+1. Firewall 
+Kimchi uses by default the ports 8000, 8001 and 64667. To allow incoming connections:
+
+   For system using firewalld, do:
+   sudo firewall-cmd --add-port 8000 --permanent
+   sudo firewall-cmd --add-port 8001 --permanent
+   sudo firewall-cmd --add-port 64667 --permanent
+   sudo firewall-cmd --reload
+
+   For openSUSE systems, do:
+   sudo /sbin/SuSEfirewall2 open EXT TCP 8000
+   sudo /sbin/SuSEfirewall2 open EXT TCP 8001
+   sudo /sbin/SuSEfirewall2 open EXT TCP 64667
+
+   For system using iptables, do:
+   sudo iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
+   sudo iptables -A INPUT -p tcp --dport 8001 -j ACCEPT
+   sudo iptables -A INPUT -p tcp --dport 64667 -j ACCEPT
+
+
+Don't forget to correctly save the rules.
+
+
+2. SELinux
+
+Allow httpd_t context for Kimchi web server:
+
+semanage permissive -a httpd_t
+
 
 Test
 ----
-- 
1.8.3.1

More information about the Kimchi-devel mailing list