Reviewed-by: Shu Ming <shuming(a)linux.vnet.ibm.com>
2014/1/7 15:52, taget(a)linux.vnet.ibm.com:
From: Eli Qiao <taget(a)linux.vnet.ibm.com>
Use firewalld to manage firewall rules on RHEL7, Fedora and Ubuntu.
Add static iptables rules on RHEL6.
Signed-off-by: Eli Qiao <taget(a)linux.vnet.ibm.com>
---
Makefile.am | 2 ++
contrib/DEBIAN/control.in | 1 +
contrib/DEBIAN/postinst | 6 ++++++
contrib/DEBIAN/postrm | 2 ++
contrib/kimchi.spec.fedora.in | 26 ++++++++++++++++++++++++++
src/Makefile.am | 1 +
src/firewalld.xml | 7 +++++++
7 files changed, 45 insertions(+)
create mode 100644 src/firewalld.xml
diff --git a/Makefile.am b/Makefile.am
index 7ab1bd8..b2917eb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -86,6 +86,8 @@ install-deb: install
$(MKDIR_P) $(DESTDIR)/etc/init
cp -R $(top_srcdir)/contrib/kimchid-upstart.conf.debian \
$(DESTDIR)/etc/init/kimchid.conf
+ cp -R $(top_srcdir)/src/firewalld.xml \
+ /usr/lib/firewalld/services/kimchid.xml
deb: contrib/make-deb.sh
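Review bot: The added `cp` in `install-deb` writes to `/usr/lib/firewalld/services/kimchid.xml` on the build host instead of under `$(DESTDIR)`, unlike the `kimchid.conf` copy just above it. A staged package build would then need root and would modify the firewalld configuration of the build machine, and the file presumably never lands in the staged tree, so dpkg would neither ship nor remove it. I would create the directory and stage the file: `$(MKDIR_P) $(DESTDIR)/usr/lib/firewalld/services` followed by `cp $(top_srcdir)/src/firewalld.xml $(DESTDIR)/usr/lib/firewalld/services/kimchid.xml`. The `install-deb` rule starts above the hunk.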
diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
index eecfb27..bfbe83d 100644
--- a/contrib/DEBIAN/control.in
+++ b/contrib/DEBIAN/control.in
@@ -19,6 +19,7 @@ Depends: python-cherrypy3 (>= 3.2.0),
sosreport,
python-ipaddr,
open-iscsi
+ firewalld
Build-Depends:
Maintainer: Aline Manera <alinefm(a)br.ibm.com>
Description: Kimchi web server
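Review bot: The new `firewalld` entry is appended after `open-iscsi` without a separating comma, so the `Depends:` field no longer parses as a comma-separated list; the context line should become `open-iscsi,`. Separately, a hard `Depends:` forces firewalld onto hosts that manage filtering with another tool; `Recommends: firewalld` combined with a postinst that checks whether firewalld is present would avoid replacing the administrator's existing firewall setup. The `Depends:` field starts above the hunk.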
diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
index c1fc22e..2726753 100755
--- a/contrib/DEBIAN/postinst
+++ b/contrib/DEBIAN/postinst
@@ -19,3 +19,9 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
service kimchid start
+service firewalld status | grep "not running" >/dev/null 2>&1
+if [[ $? -eq 0 ]]; then
+ service firewalld start >/dev/null 2>&1
+fi
+firewall-cmd --reload >/dev/null 2>&1
+firewall-cmd --add-service kimchid >/dev/null 2>&1
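Review bot: Installing the package starts firewalld when it is not running and then opens the kimchid service in the default zone, with every error sent to `/dev/null`; the same sequence is repeated in the `%post` hunk of `contrib/kimchi.spec.fedora.in`. Starting a firewall daemon as an install side effect can change the host's effective filtering policy without the administrator noticing, and `--add-service` without `--permanent` only changes the runtime configuration, so the opening is lost at the next reload or reboot. I would leave the daemon state alone and only register the service when firewalld is already active: `if firewall-cmd --state >/dev/null 2>&1; then firewall-cmd --permanent --add-service kimchid && firewall-cmd --reload; fi`. `[[ … ]]` is also a bash construct, so it fails if this script runs under `/bin/sh`; the shebang is outside the hunk.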
diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm
index ef90b49..22db3ce 100755
--- a/contrib/DEBIAN/postrm
+++ b/contrib/DEBIAN/postrm
@@ -26,3 +26,5 @@ case "$1" in
rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/
;;
esac
+
+firewall-cmd --remove-service kimchid >/dev/null 2>&1
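Review bot: The added `firewall-cmd --remove-service` is the last command of the script and sits outside the `case "$1"` block, so it runs on every postrm invocation and its exit status becomes the script's: when firewalld is stopped or already removed, postrm returns non-zero and dpkg reports the removal as failed. The last line of the postinst hunk has the same property. I would move the call into the removal branch of the `case` and make it best-effort, `firewall-cmd --remove-service kimchid >/dev/null 2>&1 || true`. The `case` statement starts above the hunk, so which branch is appropriate needs checking against the full file.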
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
index 75435b3..a8e4e4d 100644
--- a/contrib/kimchi.spec.fedora.in
+++ b/contrib/kimchi.spec.fedora.in
@@ -35,6 +35,7 @@ BuildRequires: python-unittest2
%if 0%{?with_systemd}
Requires: systemd
+Requires: firewalld
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
@@ -64,6 +65,7 @@ make DESTDIR=%{buildroot} install
%if 0%{?with_systemd}
# Install the systemd scripts
install -Dm 0644 contrib/kimchid.service.fedora
%{buildroot}%{_unitdir}/kimchid.service
+install -Dm 0640 src/firewalld.xml
%{buildroot}%{_prefix}/lib/firewalld/services/kimchid.xml
%endif
%if 0%{?rhel} == 6
@@ -88,12 +90,35 @@ start kimchid
service kimchid start
%endif
+%if 0%{?with_systemd}
+service firewalld status | grep "active (running)" >/dev/null 2>&1
+if [[ $? -ne 0 ]]; then
+ service firewalld start >/dev/null 2>&1
+fi
+# Add firewalld rules to open 8000 and 8001 port
+firewall-cmd --reload >/dev/null 2>&1
+firewall-cmd --add-service kimchid >/dev/null 2>&1
+%else
+# Add default iptable rules to open 8000 and 8001 port
+iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
+iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
+service iptables save >/dev/null 2>&1
+%endif
+
%preun
+
if [ $1 -eq 0 ] ; then
# Package removal, not upgrade
/bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || :
/bin/systemctl stop kimchid.service > /dev/null 2>&1 || :
+ %if 0%{?with_systemd}
+ firewall-cmd --remove-service kimchid >/dev/null 2>&1 || :
+ %else
+ iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || :
+ iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || :
+ %endif
fi
+
exit 0
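Review bot: On the non-systemd branch, `%preun` deletes the two ACCEPT rules from the running table only, while `%post` persisted them with `service iptables save`, so the saved ruleset still opens ports 8000 and 8001 after the package is removed and they return when the iptables service is next restarted. The `%post` lines shown carry no `$1` check, so, unless a guard sits above the hunk, each upgrade inserts another pair of rules while `%preun` removes only one pair on final erase. I would run the inserts only on first install (`if [ $1 -eq 1 ]; then … fi`) and add `service iptables save >/dev/null 2>&1 || :` after the `iptables -D` lines in `%preun`. The `%post` scriptlet starts above the hunk.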
@@ -156,6 +181,7 @@ rm -rf $RPM_BUILD_ROOT
%if 0%{?with_systemd}
%{_unitdir}/kimchid.service
+%{_prefix}/lib/firewalld/services/kimchid.xml
%endif
%if 0%{?rhel} == 6
/etc/init/kimchid.conf
diff --git a/src/Makefile.am b/src/Makefile.am
index 7d29e28..7514870 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -24,6 +24,7 @@ SUBDIRS = kimchi distros.d
EXTRA_DIST = kimchid.in \
kimchi.conf.in \
+ firewalld.xml \
$(NULL)
bin_SCRIPTS = kimchid
diff --git a/src/firewalld.xml b/src/firewalld.xml
new file mode 100644
index 0000000..7472e20
--- /dev/null
+++ b/src/firewalld.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+ <short>kimchid</short>
+ <description>Kimchid is a daemon service for kimchi which is a HTML5 based
management tool for KVM. It is designed to make it as easy as possible to get started with
KVM and create your first guest.</description>
+ <port protocol="tcp" port="8000"/>
+ <port protocol="tcp" port="8001"/>
+</service>
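Review bot: The service definition hard-codes ports 8000 and 8001 with no comment saying which listener each one is or that they must match the ports configured for kimchid; the same two numbers are repeated in the iptables rules of the spec file. If the daemon's ports are configurable (`kimchi.conf.in` ships alongside, but its contents are not visible here), a changed port would leave the firewall opening pointing at the wrong place without any warning. I would add an XML comment above the `<port>` elements, for example `<!-- Must match the listener ports set in kimchi.conf; update both together -->`.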