On 08/01/2015 17:34, Ramon Medeiros wrote:
Changes
v2:
Correct firewalld argument "--permanent"
Extend changes to debian
Instead of setup firewall and selinux configuration, kimchi will just
add the files needed by this setup and describe to the user how security
setup will be done in README.
Signed-off-by: Ramon Medeiros <ramonn(a)linux.vnet.ibm.com>
---
contrib/DEBIAN/postinst | 9 ---------
contrib/DEBIAN/postrm | 7 -------
contrib/kimchi.spec.fedora.in | 26 --------------------------
docs/README.md | 25 +++++++++++++++++++++++++
4 files changed, 25 insertions(+), 42 deletions(-)
diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
index 5bca009..5a300bc 100755
--- a/contrib/DEBIAN/postinst
+++ b/contrib/DEBIAN/postinst
@@ -17,12 +17,3 @@
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-
-set +e
-service firewalld status >/dev/null 2>&1
-if [ $? -ne 0 ]; then
- service firewalld start >/dev/null 2>&1
-fi
-firewall-cmd --reload >/dev/null 2>&1
-firewall-cmd --add-service kimchid >/dev/null 2>&1
-set -e
Seems this file is empty now. So we can remove it.
diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm
index 9f1d895..ef90b49 100755
--- a/contrib/DEBIAN/postrm
+++ b/contrib/DEBIAN/postrm
@@ -26,10 +26,3 @@ case "$1" in
rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/
;;
esac
-
-set +e
-service firewalld status >/dev/null 2>&1
-if [ $? -eq 0 ]; then
- firewall-cmd --remove-service kimchid >/dev/null 2>&1
-fi
-set -e
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
index e75018e..92d3e49 100644
--- a/contrib/kimchi.spec.fedora.in
+++ b/contrib/kimchi.spec.fedora.in
@@ -113,23 +113,6 @@ if [ $1 -eq 1 ] ; then
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
fi
-%if 0%{?with_systemd}
-service firewalld status >/dev/null 2>&1
-if [ $? -ne 0 ]; then
- service firewalld start >/dev/null 2>&1
-fi
-# Add firewalld rules to open 8000 and 8001 port
-firewall-cmd --reload >/dev/null 2>&1
-firewall-cmd --add-service kimchid >/dev/null 2>&1
-%else
-# Add default iptable rules to open 8000 and 8001 port
-iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
-iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
-iptables -I INPUT -p tcp --dport 64667 -j ACCEPT
-service iptables save >/dev/null 2>&1
-%endif
-# Add SELinux rules to "open" Kimchi ports
-semanage permissive -a httpd_t
%preun
@@ -137,13 +120,6 @@ if [ $1 -eq 0 ] ; then
# Package removal, not upgrade
/bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || :
/bin/systemctl stop kimchid.service > /dev/null 2>&1 || :
- %if 0%{?with_systemd}
- firewall-cmd --remove-service kimchid >/dev/null 2>&1 || :
- %else
- iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || :
- iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || :
- iptables -D INPUT -p tcp --dport 64667 -j ACCEPT || :
- %endif
fi
exit 0
@@ -154,8 +130,6 @@ if [ "$1" -ge 1 ] ; then
/bin/systemctl try-restart kimchid.service >/dev/null 2>&1 || :
fi
exit 0
-# Rollback SELinux rules
-semanage permissive -d httpd_t
%clean
rm -rf $RPM_BUILD_ROOT
diff --git a/docs/README.md b/docs/README.md
index 823c856..c68f625 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -142,6 +142,30 @@ Run
$ sudo kimchid --host=0.0.0.0
+If you cannot access Kimchi, take a look at this 2 points:
s/this/these
+
+1. Firewall
+Kimchi uses ports 8000, 8001 and 64667. If you are using firewalld, there is a easy way
to add the rules:
Kimchi uses *by default* the ports 8000, 80001 and 64667.
For system using firewalls, do:
+
+firewall-cmd --reload
+firewall-cmd --add-service kimchid --permanent
+
I think "firewall-cmd --reload" should be run after adding the new
rules.
Also I think "firewall-cmd --add-service kimchid --permanent " will only
work if the user has Kimchi properly installed on system.
So I suggest to guide user to open port by port
sudo firewall-cmd --add-port 8000 --permanent
sudo firewall-cmd --add-port 8001 --permanent
sudo firewall-cmd --add-port 64667 --permanent
+If you want to add directly to iptables:
+
For system using iptables, do:
+iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
+iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
+iptables -I INPUT -p tcp --dport 64667 -j ACCEPT
+service iptables save
Add "sudo" to the commands above
We still need to guide openSUSE users to open the firewall ports.
For openSUSE systems, do:
sudo /sbin/SuSEfirewall2 open EXT TCP 8000
sudo /sbin/SuSEfirewall2 open EXT TCP 8001
sudo /sbin/SuSEfirewall2 open EXT TCP 64667
I am not sure those are the right commands. Please, confirm.
+
+Don't forget to correctly save the rules.
+
+
+2. SELinux
+
+Allow httpd_t context for Kimchi web server:
+
+semanage permissive -a httpd_t
+
Test
----
@@ -197,6 +221,7 @@ is configured as:
(2) Chown of export path as libvirt user, group as kvm group,
In order to make sure all mapped user can get into the mount point.
+
Participating
-------------