On 12/30/2013 12:26 AM, Eli Qiao wrote:
On 2013-12-27 22:17, Aline Manera wrote:
> On 12/26/2013 04:52 AM, taget(a)linux.vnet.ibm.com wrote:
>> From: Eli Qiao <taget(a)linux.vnet.ibm.com>
>>
>> V4 - V3 changes:
>> 1 Fix typo in firewalld.xml (Rodrigo)
>>
>> V3 - V2 changes:
>>
>> 1.Rename kimchid.xml to firewalld.xml (Mark)
>> 2.Remove firewalld from service require (Mark)
>> 3.Fix typo
>>
>> V2 - V1 changes:
>
> Add this patch history to cover letter instead of commit description
>
okay, thx.
>>
>> 1.Add firewalld service configure file kimchid.xml to help open
>> iptables port (Mark)
>> 2.Add Ubuntu iptables rule (Royce)
>>
>> Signed-off-by: Eli Qiao <taget(a)linux.vnet.ibm.com>
>> ---
>> contrib/DEBIAN/control.in | 3 ++-
>> contrib/DEBIAN/postinst | 2 ++
>> contrib/DEBIAN/postrm | 2 ++
>> contrib/kimchi.spec.fedora.in | 19 +++++++++++++++++++
>> contrib/kimchi.spec.suse.in | 10 ++++++++--
>> src/Makefile.am | 1 +
>> src/firewalld.xml | 7 +++++++
>> 7 files changed, 41 insertions(+), 3 deletions(-)
>> create mode 100644 src/firewalld.xml
>>
>> diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
>> index 380584c..c0ea1f1 100644
>> --- a/contrib/DEBIAN/control.in
>> +++ b/contrib/DEBIAN/control.in
>> @@ -17,7 +17,8 @@ Depends: python-cherrypy3 (>= 3.2.0),
>> python-psutil (>= 0.6.0),
>> python-ethtool,
>> sosreport,
>> - python-ipaddr
>> + python-ipaddr,
>> + firewalld
>> Build-Depends:
>> Maintainer: Aline Manera <alinefm(a)br.ibm.com>
>> Description: Kimchi web server
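
Review bot: `firewalld` is added as a hard `Depends`, so installing kimchi pulls in a firewall manager even on hosts that already manage netfilter another way (the changelog above mentions an Ubuntu iptables rule, but the Debian scripts in this patch only call `firewall-cmd`). Consider `Recommends:` or `Suggests:` here, and have postinst/postrm skip the firewall step when `firewall-cmd` is absent or firewalld is not running.
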
>> diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
>> index c1fc22e..b27205c 100755
>> --- a/contrib/DEBIAN/postinst
>> +++ b/contrib/DEBIAN/postinst
>> @@ -19,3 +19,5 @@
>> # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> 02110-1301 USA
>>
>> service kimchid start
>> +/usr/bin/firewall-cmd --reload
>> +/usr/bin/firewall-cmd --add-service kimchid
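
Review bot: `firewall-cmd --add-service kimchid` on the last added line has no `--permanent`, so it changes only the runtime configuration and the ports close again at the next firewalld reload or reboot. It also has no `--zone`, so the service is opened in whatever the default zone happens to be. Apply the change with `--permanent` as well, state the intended zone, and make the call tolerant of firewalld not running so that package installation does not depend on firewall state.
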
>
> Any special reason to use full path for firewall-cmd?
No, I will remove it in the next version.
>
>> diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm
>> index ef90b49..3c70584 100755
>> --- a/contrib/DEBIAN/postrm
>> +++ b/contrib/DEBIAN/postrm
>> @@ -26,3 +26,5 @@ case "$1" in
>> rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/
>> ;;
>> esac
>> +
>> +/usr/bin/firewall-cmd --remove-service kimchid
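
Review bot: the new `firewall-cmd --remove-service kimchid` line sits after `esac`, outside the `case "$1"` block, so it runs on every postrm invocation (upgrade and failure paths included), not only when the package is removed. Move it into the branch that handles removal, and let it fail softly when firewalld is not running.
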
>> diff --git a/contrib/kimchi.spec.fedora.in
>> b/contrib/kimchi.spec.fedora.in
>> index 14ec359..57baead 100644
>> --- a/contrib/kimchi.spec.fedora.in
>> +++ b/contrib/kimchi.spec.fedora.in
>> @@ -34,6 +34,7 @@ BuildRequires: python-unittest2
>>
>> %if 0%{?with_systemd}
>> Requires: systemd
>> +Requires: firewalld
>> Requires(post): systemd
>> Requires(preun): systemd
>> Requires(postun): systemd
>> @@ -63,6 +64,7 @@ make DESTDIR=%{buildroot} install
>> %if 0%{?with_systemd}
>> # Install the systemd scripts
>> install -Dm 0644 contrib/kimchid.service.fedora
>> %{buildroot}%{_unitdir}/kimchid.service
>> +install -Dm 0640 src/firewalld.xml
>> %{buildroot}%{_prefix}/lib/firewalld/services/kimchid.xml
>> %endif
>>
>> %if 0%{?rhel} == 6
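
Review bot: `install -Dm 0640` for the firewalld service file differs from the `0644` used for `kimchid.service` on the line above it. The file holds only a description and two port entries, so there is nothing to hide from non-root users; use `0644` unless there is a reason for the tighter mode, and state that reason in a comment if there is one.
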
>> @@ -83,16 +85,32 @@ fi
>>
>> %if 0%{?rhel} == 6
>> start kimchid
>> +# Add defult iptable rules to open 8000 and 8001 port
>
> typo: defult
thanks
>
>> +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
>> +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
>> +service iptables save
>> %else
>> service kimchid start
>> +# Add firewalld rules to open 8000 and 8001 port
>> +/usr/bin/firewall-cmd --reload
>> +/usr/bin/firewall-cmd --add-service kimchid
>> %endif
>>
>> %preun
>
> Only RHEL 6 doesn't have firewalld support? All other RHEL and Fedora
> version have it?
>
Yes,
RHEL >= 7 and Fedora >= 15 have firewalld support.
So I think it's better if we can use the with_systemd variable to check it:
%if 0%{?with_systemd}
# has firewalld support
%else
# without firewalld support
%endif
Will kimchi support Fedora < 15 or RHEL < 6?
Kimchi doesn't support those distros officially but anyone can try
Kimchi in there.
>
>> +%if 0%{?rhel} == 6
>> +iptables -D INPUT -p tcp --dport 8000 -j ACCEPT
>> +iptables -D INPUT -p tcp --dport 8001 -j ACCEPT
>> +service iptables save
>> +%else
>> +/usr/bin/firewall-cmd --remove-service kimchid
>> +%endif
>> +
>
> Don't you need to put the above code into the if below? Did you test
> kimchi upgrade?
>
Okay, I will move the above code into the if and do a test of the upgrade.
>> if [ $1 -eq 0 ] ; then
>> # Package removal, not upgrade
>> /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1
>> || :
>> /bin/systemctl stop kimchid.service > /dev/null 2>&1 || :
>> fi
>> +
>> exit 0
>>
>>
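
Review bot: the `%post` additions run on upgrade as well as on first install, so on RHEL 6 every upgrade inserts another pair of `iptables -I INPUT ... -j ACCEPT` rules for ports 8000 and 8001, and the `%preun` removal placed above `if [ $1 -eq 0 ]` also runs on upgrade. Guard the add with `[ $1 -eq 1 ]` and move the removal under the existing `$1 -eq 0` check. Two more things in this hunk: `service iptables save` writes the whole running ruleset to disk, not just these two rules, and the `firewall-cmd --add-service kimchid` branch has no `--permanent`, so it does not survive a firewalld reload.
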
>> @@ -153,6 +171,7 @@ rm -rf $RPM_BUILD_ROOT
>>
>> %if 0%{?with_systemd}
>> %{_unitdir}/kimchid.service
>> +%{_prefix}/lib/firewalld/services/kimchid.xml
>> %endif
>> %if 0%{?rhel} == 6
>> /etc/init/kimchid.conf
>> diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in
>> index 9051284..dde9dae 100644
>> --- a/contrib/kimchi.spec.suse.in
>> +++ b/contrib/kimchi.spec.suse.in
>> @@ -46,10 +46,16 @@ install -Dm 0755 contrib/kimchid.sysvinit
>> %{buildroot}%{_initrddir}/kimchid
>> %post
>> service kimchid start
>> chkconfig kimchid on
>> -
>> +# Add iptables rules to open 8000 and 8001 port
>> +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
>> +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
>> +service iptables save
>> %preun
>> service kimchid stop
>> -
>> +# Remove iptables rules to open 8000 and 8001 port
>> +iptables -D INPUT -p tcp --dport 8000 -j ACCEPT
>> +iptables -D INPUT -p tcp --dport 8001 -j ACCEPT
>> +service iptables save
>> %clean
>> rm -rf $RPM_BUILD_ROOT
>>
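
Review bot: `iptables -I INPUT` without a rule number inserts at the top of the chain, so the two ACCEPT rules in `%post` take precedence over any existing DROP/REJECT or source restriction the administrator has for ports 8000 and 8001, and they match every source address. Neither `%post` nor `%preun` checks `$1`, so both also act on upgrade. Consider making the port opening opt-in or at least documented, and guard the scriptlets so they act only on first install and final removal.
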
>> diff --git a/src/Makefile.am b/src/Makefile.am
>> index 7d29e28..7514870 100644
>> --- a/src/Makefile.am
>> +++ b/src/Makefile.am
>> @@ -24,6 +24,7 @@ SUBDIRS = kimchi distros.d
>>
>> EXTRA_DIST = kimchid.in \
>> kimchi.conf.in \
>> + firewalld.xml \
>> $(NULL)
>>
>> bin_SCRIPTS = kimchid
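
Review bot: `firewalld.xml` is only added to `EXTRA_DIST`, so it ships in the tarball but `make install` does not place it anywhere. The Fedora spec copies it by hand, but nothing in this patch installs it as `kimchid.xml` for the Debian package, whose postinst calls `--add-service kimchid`; that call fails when firewalld does not know the service. Add an install rule here or an install step in the Debian packaging.
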
>> diff --git a/src/firewalld.xml b/src/firewalld.xml
>> new file mode 100644
>> index 0000000..7472e20
>> --- /dev/null
>> +++ b/src/firewalld.xml
>> @@ -0,0 +1,7 @@
>> +<?xml version="1.0" encoding="utf-8"?>
>> +<service>
>> + <short>kimchid</short>
>> + <description>Kimchid is a daemon service for kimchi which is a
>> HTML5 based management tool for KVM. It is designed to make it as
>> easy as possible to get started with KVM and create your first
>> guest.</description>
>> + <port protocol="tcp" port="8000"/>
>> + <port protocol="tcp" port="8001"/>
>> +</service>
>
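
Review bot: ports 8000 and 8001 are hardcoded in the two `<port>` entries and again in the spec scriptlets, so if the listening ports can be changed in `kimchi.conf` the firewall definition will not follow; say so in the description or the documentation. Minor wording in `<description>`: "a HTML5 based" should read "an HTML5-based".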