Instead of setting up the firewall and SELinux configuration, kimchi will just
add the files needed by this setup and describe in the README how the security
setup is to be done.
Signed-off-by: Ramon Medeiros <ramonn(a)linux.vnet.ibm.com>
---
contrib/kimchi.spec.fedora.in | 26 --------------------------
docs/README.md | 27 +++++++++++++++++++++++++++
2 files changed, 27 insertions(+), 26 deletions(-)
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
index e75018e..92d3e49 100644
--- a/contrib/kimchi.spec.fedora.in
+++ b/contrib/kimchi.spec.fedora.in
@@ -113,23 +113,6 @@ if [ $1 -eq 1 ] ; then
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
fi
-%if 0%{?with_systemd}
-service firewalld status >/dev/null 2>&1
-if [ $? -ne 0 ]; then
- service firewalld start >/dev/null 2>&1
-fi
-# Add firewalld rules to open 8000 and 8001 port
-firewall-cmd --reload >/dev/null 2>&1
-firewall-cmd --add-service kimchid >/dev/null 2>&1
-%else
-# Add default iptable rules to open 8000 and 8001 port
-iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
-iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
-iptables -I INPUT -p tcp --dport 64667 -j ACCEPT
-service iptables save >/dev/null 2>&1
-%endif
-# Add SELinux rules to "open" Kimchi ports
-semanage permissive -a httpd_t
%preun
@@ -137,13 +120,6 @@ if [ $1 -eq 0 ] ; then
# Package removal, not upgrade
/bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || :
/bin/systemctl stop kimchid.service > /dev/null 2>&1 || :
- %if 0%{?with_systemd}
- firewall-cmd --remove-service kimchid >/dev/null 2>&1 || :
- %else
- iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || :
- iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || :
- iptables -D INPUT -p tcp --dport 64667 -j ACCEPT || :
- %endif
fi
exit 0
@@ -154,8 +130,6 @@ if [ "$1" -ge 1 ] ; then
/bin/systemctl try-restart kimchid.service >/dev/null 2>&1 || :
fi
exit 0
-# Rollback SELinux rules
-semanage permissive -d httpd_t
%clean
rm -rf $RPM_BUILD_ROOT
diff --git a/docs/README.md b/docs/README.md
index 823c856..00287eb 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -197,6 +197,33 @@ is configured as:
(2) Chown of export path as libvirt user, group as kvm group,
In order to make sure all mapped user can get into the mount point.
+
+Troubleshooting
+---------------
+
+1. Firewall
+Kimchi uses ports 8000, 8001 and 64667. If you are using firewalld, there is a easy way
to add the rules:
+
+firewall-cmd --reload
+firewall-cmd --add-service --permanent kimchid
+
+If you want to add directly to iptables:
+
+iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
+iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
+iptables -I INPUT -p tcp --dport 64667 -j ACCEPT
+service iptables save
+
+Don't forget to correctly save the rules.
+
+
+2. SELinux
+
+Allow httpd_t context for Kimchi web server:
+
+semanage permissive -a httpd_t
+
+
Participating
-------------
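Review bot: The SELinux step `semanage permissive -a httpd_t` does considerably more than the heading "Allow httpd_t context for Kimchi web server" suggests: it switches the whole httpd_t domain to permissive mode, so every denial for that domain is only logged and no longer enforced, not just the ones involving Kimchi's ports. If the intent is only to let the web server bind its listening ports, labelling those ports with `semanage port` (type http_port_t) is the narrower fix, and the README should present the permissive-domain command as a last-resort troubleshooting step rather than the recommended configuration. The firewalld sequence is also inverted: `firewall-cmd --add-service --permanent kimchid` writes only the permanent configuration, so the `--reload` has to come after it for the rule to become active, whereas the removed %post block used the runtime variant. The `kimchid` firewalld service definition these commands rely on is not part of this diff; since the description says the needed files are added, a pointer to where that file is installed would help readers.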
--
1.8.3.1