On 01/07/2014 03:16 PM, Aline Manera
      wrote:
    
    On 01/07/2014 05:52 AM, taget@linux.vnet.ibm.com
      wrote:
      
      From: Eli Qiao
        <taget@linux.vnet.ibm.com>
        
        
        Use firewalld to manage firewall rules on RHEL7, Fedora and
        Ubuntu.
        
      
      
      Please, make sure to test the patch in all those distros.
      
      
      More comments below.
      
      
      Add static rules in iptables to on RHEL6.
        
        
        Signed-off-by: Eli Qiao <taget@linux.vnet.ibm.com>
        
        ---
        
          Makefile.am                   |  2 ++
        
          contrib/DEBIAN/control.in     |  1 +
        
          contrib/DEBIAN/postinst       |  6 ++++++
        
          contrib/DEBIAN/postrm         |  2 ++
        
          contrib/kimchi.spec.fedora.in | 26 ++++++++++++++++++++++++++
        
          src/Makefile.am               |  1 +
        
          src/firewalld.xml             |  7 +++++++
        
          7 files changed, 45 insertions(+)
        
          create mode 100644 src/firewalld.xml
        
        
        diff --git a/Makefile.am b/Makefile.am
        
        index 7ab1bd8..b2917eb 100644
        
        --- a/Makefile.am
        
        +++ b/Makefile.am
        
        @@ -86,6 +86,8 @@ install-deb: install
        
              $(MKDIR_P) $(DESTDIR)/etc/init
        
              cp -R $(top_srcdir)/contrib/kimchid-upstart.conf.debian \
        
                  $(DESTDIR)/etc/init/kimchid.conf
        
      
      
      +    cp -R $(top_srcdir)/src/firewalld.xml
        \
        
        +        /usr/lib/firewalld/services/kimchid.xml
        
      
      
      Why did you change the previous script?
      
      That way you are installing kimchid.xml in the build system.
      
      
      It should be:
      
      
      # Create the dir first
      
      $(MKDIR_P) $(DESTDIR)/usr/lib/firewalld/services
      
      
      # copy it to the right location
      
      cp -R $(top_srcdir)/src/firewalld.xml
      $(DESTDIR)/usr/lib/firewalld/services/kimchid.xml
      
      
      
      
        
        
          deb: contrib/make-deb.sh
        
        diff --git a/contrib/DEBIAN/control.in
        b/contrib/DEBIAN/control.in
        
        index eecfb27..bfbe83d 100644
        
        --- a/contrib/DEBIAN/control.in
        
        +++ b/contrib/DEBIAN/control.in
        
        @@ -19,6 +19,7 @@ Depends: python-cherrypy3 (>= 3.2.0),
        
                   sosreport,
        
                   python-ipaddr,
        
                   open-iscsi
        
        +         firewalld
        
      
      
      make[1]: Leaving directory `/home/alinefm/kimchi'
      
      dpkg-deb: error: parsing file '/tmp/tmp.V1vHEVEY9P/DEBIAN/control'
      near line 22 package 'kimchi':
      
       `Depends' field, syntax error after reference to package
      `open-iscsi'
      
      
      A comma is missing after 'open-iscsi'.
      
      
        Build-Depends:
        
          Maintainer: Aline Manera <alinefm@br.ibm.com>
        
          Description: Kimchi web server
        
        diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
        
        index c1fc22e..2726753 100755
        
        --- a/contrib/DEBIAN/postinst
        
        +++ b/contrib/DEBIAN/postinst
        
        @@ -19,3 +19,9 @@
        
          # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
        MA  02110-1301  USA
        
        
          service kimchid start
        
      
    
    
    
      +service firewalld status | grep "not
        running" >/dev/null 2>&1
        
        +if [[ $? -eq 0 ]]; then
        
        +    service firewalld start >/dev/null 2>&1
        
        +fi
        
        +firewall-cmd --reload  >/dev/null 2>&1
        
        +firewall-cmd --add-service kimchid  >/dev/null 2>&1
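Review bot: `firewall-cmd --add-service kimchid` at the end of this hunk changes only the runtime configuration, so ports 8000 and 8001 close again on the next `firewall-cmd --reload`, firewalld restart or reboot; use `firewall-cmd --permanent --add-service=kimchid` followed by `firewall-cmd --reload`. The same applies to the `%post` block in contrib/kimchi.spec.fedora.in, and the `--remove-service` calls in postrm and `%preun` then need `--permanent` as well. The block also starts firewalld on hosts where it was stopped, which changes the host's filtering policy as a side effect of installing a package; it would be safer to register the service only when firewalld is already running and otherwise leave the decision to the administrator. With all output sent to /dev/null, a failed rule change is not visible in the dpkg log.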
        
      
    
    
    alinefm@alinefm-virtual-machine:~/kimchi$ sudo dpkg -i
    kimchi-1.1.0-57.git2163670.noarch.deb
    Selecting previously unselected package kimchi.
    (Reading database ... 171601 files and directories currently
    installed.)
    Unpacking kimchi (from kimchi-1.1.0-57.git2163670.noarch.deb) ...
    Setting up kimchi (1.1.0) ...
    + service kimchid start
    kimchid start/running, process 8553
    + grep not running
    + service firewalld status
    dpkg: error processing kimchi (--install):
     subprocess installed post-installation script returned error
      exit status 1
    Processing triggers for ureadahead ...
    Errors were encountered while processing:
     kimchi
    
    alinefm@alinefm-virtual-machine:~/kimchi$ sudo service firewalld
    status | grep "not running" >/dev/null 2>&1
    alinefm@alinefm-virtual-machine:~/kimchi$ echo $?
    1
    
    This happens because the firewalld service is running, so the command
    above returns an error code.
    
    
      diff --git a/contrib/DEBIAN/postrm
        b/contrib/DEBIAN/postrm
        
        index ef90b49..22db3ce 100755
        
        --- a/contrib/DEBIAN/postrm
        
        +++ b/contrib/DEBIAN/postrm
        
        @@ -26,3 +26,5 @@ case "$1" in
        
                  rm -rf /var/log/kimchi /var/run/kimchi.pid
        /usr/share/kimchi/
        
              ;;
        
          esac
        
        +
        
        +firewall-cmd --remove-service kimchid >/dev/null 2>&1
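Review bot: The added `firewall-cmd --remove-service kimchid` sits after `esac`, outside the `case "$1"` dispatch, so it runs for every postrm action (upgrade included), not only on remove or purge. It also appears to be the last command of the script, so when firewalld is stopped or not installed its non-zero exit status becomes the script's status and dpkg would report the removal as failed. Move it into the removal branch and guard it as the spec's `%preun` does: `firewall-cmd --remove-service kimchid >/dev/null 2>&1 || :`. The `case` statement starts outside the hunk, so the branch names are not visible here.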
        
        diff --git a/contrib/kimchi.spec.fedora.in
        b/contrib/kimchi.spec.fedora.in
        
        index 75435b3..a8e4e4d 100644
        
        --- a/contrib/kimchi.spec.fedora.in
        
        +++ b/contrib/kimchi.spec.fedora.in
        
        @@ -35,6 +35,7 @@ BuildRequires:    python-unittest2
        
        
          %if 0%{?with_systemd}
        
          Requires:    systemd
        
        +Requires:    firewalld
        
          Requires(post): systemd
        
          Requires(preun): systemd
        
          Requires(postun): systemd
        
        @@ -64,6 +65,7 @@ make DESTDIR=%{buildroot} install
        
          %if 0%{?with_systemd}
        
          # Install the systemd scripts
        
          install -Dm 0644 contrib/kimchid.service.fedora
        %{buildroot}%{_unitdir}/kimchid.service
        
        +install -Dm 0640 src/firewalld.xml
        %{buildroot}%{_prefix}/lib/firewalld/services/kimchid.xml
        
          %endif
        
        
          %if 0%{?rhel} == 6
        
        @@ -88,12 +90,35 @@ start kimchid
        
          service kimchid start
        
          %endif
        
        
        +%if 0%{?with_systemd}
        
        +service firewalld status | grep "active (running)"
        >/dev/null 2>&1
        
        +if [[ $? -ne 0 ]]; then
        
        +    service firewalld start >/dev/null 2>&1
        
        +fi
        
        +# Add firewalld rules to open 8000 and 8001 port
        
        +firewall-cmd --reload >/dev/null 2>&1
        
        +firewall-cmd --add-service kimchid >/dev/null 2>&1
        
        +%else
        
        +# Add default iptable rules to open 8000 and 8001 port
        
        +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
        
        +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
        
        +service iptables save >/dev/null 2>&1
        
        +%endif
        
        +
        
          %preun
        
        +
        
          if [ $1 -eq 0 ] ; then
        
              # Package removal, not upgrade
        
              /bin/systemctl --no-reload disable kimchid.service >
        /dev/null 2>&1 || :
        
              /bin/systemctl stop kimchid.service > /dev/null
        2>&1 || :
        
        +    %if 0%{?with_systemd}
        
        +        firewall-cmd --remove-service kimchid >/dev/null
        2>&1 || :
        
        +    %else
        
        +        iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || :
        
        +        iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || :
        
        +    %endif
        
          fi
        
        +
        
          exit 0
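Review bot: The non-systemd branch of `%preun` deletes the two ACCEPT rules from the running table but never saves again, so the ruleset that `%post` persisted with `service iptables save` still contains them and ports 8000/8001 would reopen on the next iptables restart or reboot after the package is removed; add `service iptables save >/dev/null 2>&1 || :` after the two `iptables -D` lines. `service iptables save` in `%post` also persists whatever else is in the running table at install time, which may include rules the administrator meant to be temporary. `%post` presumably runs on upgrade as well, so `iptables -I INPUT` would insert another pair of rules each time, while `%preun` removes one pair and only on final removal. Both rules accept from any source and are inserted at the head of INPUT, ahead of any existing restrictions, which deserves a comment in the spec. The `%post` scriptlet starts outside this hunk.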
        
        
        
        @@ -156,6 +181,7 @@ rm -rf $RPM_BUILD_ROOT
        
        
          %if 0%{?with_systemd}
        
          %{_unitdir}/kimchid.service
        
        +%{_prefix}/lib/firewalld/services/kimchid.xml
        
          %endif
        
          %if 0%{?rhel} == 6
        
          /etc/init/kimchid.conf
        
        diff --git a/src/Makefile.am b/src/Makefile.am
        
        index 7d29e28..7514870 100644
        
        --- a/src/Makefile.am
        
        +++ b/src/Makefile.am
        
        @@ -24,6 +24,7 @@ SUBDIRS = kimchi distros.d
        
        
          EXTRA_DIST = kimchid.in \
        
              kimchi.conf.in \
        
        +    firewalld.xml \
        
              $(NULL)
        
        
          bin_SCRIPTS = kimchid
        
        diff --git a/src/firewalld.xml b/src/firewalld.xml
        
        new file mode 100644
        
        index 0000000..7472e20
        
        --- /dev/null
        
        +++ b/src/firewalld.xml
        
        @@ -0,0 +1,7 @@
        
        +<?xml version="1.0" encoding="utf-8"?>
        
        +<service>
        
        +  <short>kimchid</short>
        
        +  <description>Kimchid is a daemon service for kimchi
        which is a HTML5 based management tool for KVM. It is designed
        to make it as easy as possible to get started with KVM and
        create your first guest.</description>
        
        +  <port protocol="tcp" port="8000"/>
        
        +  <port protocol="tcp" port="8001"/>
        
        +</service>
        
      
      