[PATCH] Issue #456: Firewall ports are not open after firewall restart v2

Changes v2: Correct firewalld argument "--permanent" Extend changes to debian Instead of setup firewall and selinux configuration, kimchi will just add the files needed by this setup and describe to the user how security setup will be done in README. Signed-off-by: Ramon Medeiros <ramonn@linux.vnet.ibm.com> --- contrib/DEBIAN/postinst | 9 --------- contrib/DEBIAN/postrm | 7 ------- contrib/kimchi.spec.fedora.in | 26 -------------------------- docs/README.md | 25 +++++++++++++++++++++++++ 4 files changed, 25 insertions(+), 42 deletions(-) diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst index 5bca009..5a300bc 100755 --- a/contrib/DEBIAN/postinst +++ b/contrib/DEBIAN/postinst @@ -17,12 +17,3 @@ # You should have received a copy of the GNU Lesser General Public # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - -set +e -service firewalld status >/dev/null 2>&1 -if [ $? -ne 0 ]; then - service firewalld start >/dev/null 2>&1 -fi -firewall-cmd --reload >/dev/null 2>&1 -firewall-cmd --add-service kimchid >/dev/null 2>&1 -set -e diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm index 9f1d895..ef90b49 100755 --- a/contrib/DEBIAN/postrm +++ b/contrib/DEBIAN/postrm @@ -26,10 +26,3 @@ case "$1" in rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/ ;; esac - -set +e -service firewalld status >/dev/null 2>&1 -if [ $? -eq 0 ]; then - firewall-cmd --remove-service kimchid >/dev/null 2>&1 -fi -set -e diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index e75018e..92d3e49 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in 
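Review bot: with the firewalld calls removed, contrib/DEBIAN/postinst keeps nothing but its license header and contrib/DEBIAN/postrm no longer removes the kimchid service on package removal, so a user who follows the new README and runs `firewall-cmd --add-service kimchid --permanent` keeps ports 8000, 8001 and 64667 open after Kimchi is uninstalled. Please drop the now-empty postinst entirely and document the matching cleanup (`firewall-cmd --remove-service kimchid --permanent`) next to the setup instructions so the opened ports do not outlive the service. For the record, the removed postinst line `firewall-cmd --add-service kimchid` had no `--permanent`, which is exactly why the rule vanished on a firewall restart as the issue title describes.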
@@ -113,23 +113,6 @@ if [ $1 -eq 1 ] ; then /bin/systemctl daemon-reload >/dev/null 2>&1 || : fi -%if 0%{?with_systemd} -service firewalld status >/dev/null 2>&1 -if [ $? -ne 0 ]; then - service firewalld start >/dev/null 2>&1 -fi -# Add firewalld rules to open 8000 and 8001 port -firewall-cmd --reload >/dev/null 2>&1 -firewall-cmd --add-service kimchid >/dev/null 2>&1 -%else -# Add default iptable rules to open 8000 and 8001 port -iptables -I INPUT -p tcp --dport 8000 -j ACCEPT -iptables -I INPUT -p tcp --dport 8001 -j ACCEPT -iptables -I INPUT -p tcp --dport 64667 -j ACCEPT -service iptables save >/dev/null 2>&1 -%endif -# Add SELinux rules to "open" Kimchi ports -semanage permissive -a httpd_t %preun @@ -137,13 +120,6 @@ if [ $1 -eq 0 ] ; then # Package removal, not upgrade /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || : /bin/systemctl stop kimchid.service > /dev/null 2>&1 || : - %if 0%{?with_systemd} - firewall-cmd --remove-service kimchid >/dev/null 2>&1 || : - %else - iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || : - iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || : - iptables -D INPUT -p tcp --dport 64667 -j ACCEPT || : - %endif fi exit 0 @@ -154,8 +130,6 @@ if [ "$1" -ge 1 ] ; then /bin/systemctl try-restart kimchid.service >/dev/null 2>&1 || : fi exit 0 -# Rollback SELinux rules -semanage permissive -d httpd_t %clean rm -rf $RPM_BUILD_ROOT diff --git a/docs/README.md b/docs/README.md index 823c856..c68f625 100644 --- a/docs/README.md +++ b/docs/README.md 
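Review bot: the %preun hunk drops the `iptables -D INPUT -p tcp --dport ... -j ACCEPT` cleanup while the README now tells users to add those rules with `iptables -I INPUT` and `service iptables save`, so rules persisted that way survive package removal; the removal commands should be documented beside the setup steps. The README's `firewall-cmd --add-service kimchid` also only works if a firewalld service definition for kimchid is still installed by this package, and the diff does not show the %files list, so please confirm it is still shipped. The removed `semanage permissive -d httpd_t` lines sat after an `exit 0` and were therefore never reached, so that part of the hunk changes no behaviour.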
@@ -142,6 +142,30 @@ Run $ sudo kimchid --host=0.0.0.0 +If you cannot access Kimchi, take a look at this 2 points: + +1. Firewall +Kimchi uses ports 8000, 8001 and 64667. If you are using firewalld, there is a easy way to add the rules: + +firewall-cmd --reload +firewall-cmd --add-service kimchid --permanent + +If you want to add directly to iptables: + +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT +iptables -I INPUT -p tcp --dport 64667 -j ACCEPT +service iptables save + +Don't forget to correctly save the rules. + + +2. SELinux + +Allow httpd_t context for Kimchi web server: + +semanage permissive -a httpd_t + Test ---- @@ -197,6 +221,7 @@ is configured as: (2) Chown of export path as libvirt user, group as kvm group, In order to make sure all mapped user can get into the mount point. + Participating ------------- -- 1.8.3.1
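Review bot: the firewalld instructions run `firewall-cmd --reload` before `firewall-cmd --add-service kimchid --permanent`, so the permanent rule is written to the configuration but not loaded into the running firewall until the next reload; swap the order (add, then reload) or add the service both with and without `--permanent`. The iptables block inserts the rules with `-I INPUT`, i.e. at the head of the chain ahead of any existing restrictions, which is worth a sentence so administrators can place the rules where their policy expects them. `semanage permissive -a httpd_t` puts the whole httpd_t domain into permissive mode rather than only allowing Kimchi's ports, which is broader than the heading `Allow httpd_t context for Kimchi web server` suggests; please state that impact next to the command. Minor wording: `this 2 points` should read `these two points` and `there is a easy way` should be `there is an easy way`.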

On 08/01/2015 17:34, Ramon Medeiros wrote:
Changes v2:
Correct firewalld argument "--permanent"
Extend changes to debian
Instead of setting up the firewall and SELinux configuration, kimchi will just add the files needed by this setup and describe to the user in the README how the security setup will be done.
Signed-off-by: Ramon Medeiros <ramonn@linux.vnet.ibm.com> --- contrib/DEBIAN/postinst | 9 --------- contrib/DEBIAN/postrm | 7 ------- contrib/kimchi.spec.fedora.in | 26 -------------------------- docs/README.md | 25 +++++++++++++++++++++++++ 4 files changed, 25 insertions(+), 42 deletions(-)
diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst index 5bca009..5a300bc 100755 --- a/contrib/DEBIAN/postinst +++ b/contrib/DEBIAN/postinst @@ -17,12 +17,3 @@ # You should have received a copy of the GNU Lesser General Public # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - -set +e -service firewalld status >/dev/null 2>&1 -if [ $? -ne 0 ]; then - service firewalld start >/dev/null 2>&1 -fi -firewall-cmd --reload >/dev/null 2>&1 -firewall-cmd --add-service kimchid >/dev/null 2>&1 -set -e
Seems this file is empty now. So we can remove it.
diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm index 9f1d895..ef90b49 100755 --- a/contrib/DEBIAN/postrm +++ b/contrib/DEBIAN/postrm @@ -26,10 +26,3 @@ case "$1" in rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/ ;; esac - -set +e -service firewalld status >/dev/null 2>&1 -if [ $? -eq 0 ]; then - firewall-cmd --remove-service kimchid >/dev/null 2>&1 -fi -set -e diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index e75018e..92d3e49 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in @@ -113,23 +113,6 @@ if [ $1 -eq 1 ] ; then /bin/systemctl daemon-reload >/dev/null 2>&1 || : fi
-%if 0%{?with_systemd} -service firewalld status >/dev/null 2>&1 -if [ $? -ne 0 ]; then - service firewalld start >/dev/null 2>&1 -fi -# Add firewalld rules to open 8000 and 8001 port -firewall-cmd --reload >/dev/null 2>&1 -firewall-cmd --add-service kimchid >/dev/null 2>&1 -%else -# Add default iptable rules to open 8000 and 8001 port -iptables -I INPUT -p tcp --dport 8000 -j ACCEPT -iptables -I INPUT -p tcp --dport 8001 -j ACCEPT -iptables -I INPUT -p tcp --dport 64667 -j ACCEPT -service iptables save >/dev/null 2>&1 -%endif -# Add SELinux rules to "open" Kimchi ports -semanage permissive -a httpd_t
%preun
@@ -137,13 +120,6 @@ if [ $1 -eq 0 ] ; then # Package removal, not upgrade /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || : /bin/systemctl stop kimchid.service > /dev/null 2>&1 || : - %if 0%{?with_systemd} - firewall-cmd --remove-service kimchid >/dev/null 2>&1 || : - %else - iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || : - iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || : - iptables -D INPUT -p tcp --dport 64667 -j ACCEPT || : - %endif fi
exit 0 @@ -154,8 +130,6 @@ if [ "$1" -ge 1 ] ; then /bin/systemctl try-restart kimchid.service >/dev/null 2>&1 || : fi exit 0 -# Rollback SELinux rules -semanage permissive -d httpd_t
%clean rm -rf $RPM_BUILD_ROOT diff --git a/docs/README.md b/docs/README.md index 823c856..c68f625 100644 --- a/docs/README.md +++ b/docs/README.md @@ -142,6 +142,30 @@ Run
$ sudo kimchid --host=0.0.0.0
+If you cannot access Kimchi, take a look at this 2 points:
s/this/these
+ +1. Firewall +Kimchi uses ports 8000, 8001 and 64667. If you are using firewalld, there is a easy way to add the rules:
Kimchi uses *by default* the ports 8000, 8001 and 64667. For systems using firewalld, do:
+ +firewall-cmd --reload +firewall-cmd --add-service kimchid --permanent + I think "firewall-cmd --reload" should be run after adding the new rules.
Also I think "firewall-cmd --add-service kimchid --permanent" will only work if the user has Kimchi properly installed on the system. So I suggest guiding the user to open port by port:

sudo firewall-cmd --add-port 8000 --permanent
sudo firewall-cmd --add-port 8001 --permanent
sudo firewall-cmd --add-port 64667 --permanent
+If you want to add directly to iptables: +
For systems using iptables, do:
+iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT +iptables -I INPUT -p tcp --dport 64667 -j ACCEPT +service iptables save
Add "sudo" to the commands above.

We still need to guide openSUSE users to open the firewall ports. For openSUSE systems, do:

sudo /sbin/SuSEfirewall2 open EXT TCP 8000
sudo /sbin/SuSEfirewall2 open EXT TCP 8001
sudo /sbin/SuSEfirewall2 open EXT TCP 64667

I am not sure those are the right commands. Please, confirm.
+ +Don't forget to correctly save the rules. + + +2. SELinux + +Allow httpd_t context for Kimchi web server: + +semanage permissive -a httpd_t +
Test ---- @@ -197,6 +221,7 @@ is configured as: (2) Chown of export path as libvirt user, group as kvm group, In order to make sure all mapped user can get into the mount point.
+ Participating -------------