[PATCH] Issue #456: Firewall ports are not open after firewall restart

Instead of setup firewall and selinux configuration, kimchi will just add the files needed by this setup and describe to the user how security setup will be done in README. Signed-off-by: Ramon Medeiros <ramonn@linux.vnet.ibm.com> --- contrib/kimchi.spec.fedora.in | 26 -------------------------- docs/README.md | 27 +++++++++++++++++++++++++++ 2 files changed, 27 insertions(+), 26 deletions(-) diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index e75018e..92d3e49 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in @@ -113,23 +113,6 @@ if [ $1 -eq 1 ] ; then /bin/systemctl daemon-reload >/dev/null 2>&1 || : fi -%if 0%{?with_systemd} -service firewalld status >/dev/null 2>&1 -if [ $? -ne 0 ]; then - service firewalld start >/dev/null 2>&1 -fi -# Add firewalld rules to open 8000 and 8001 port -firewall-cmd --reload >/dev/null 2>&1 -firewall-cmd --add-service kimchid >/dev/null 2>&1 -%else -# Add default iptable rules to open 8000 and 8001 port -iptables -I INPUT -p tcp --dport 8000 -j ACCEPT -iptables -I INPUT -p tcp --dport 8001 -j ACCEPT -iptables -I INPUT -p tcp --dport 64667 -j ACCEPT -service iptables save >/dev/null 2>&1 -%endif -# Add SELinux rules to "open" Kimchi ports -semanage permissive -a httpd_t %preun @@ -137,13 +120,6 @@ if [ $1 -eq 0 ] ; then # Package removal, not upgrade /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || : /bin/systemctl stop kimchid.service > /dev/null 2>&1 || : - %if 0%{?with_systemd} - firewall-cmd --remove-service kimchid >/dev/null 2>&1 || : - %else - iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || : - iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || : - iptables -D INPUT -p tcp --dport 64667 -j ACCEPT || : - %endif fi exit 0 @@ -154,8 +130,6 @@ if [ "$1" -ge 1 ] ; then /bin/systemctl try-restart kimchid.service >/dev/null 2>&1 || : fi exit 0 -# Rollback SELinux rules -semanage permissive -d httpd_t %clean rm -rf $RPM_BUILD_ROOT 
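Review bot: the last hunk deletes `semanage permissive -d httpd_t` from %postun, but that line sat after `exit 0`, so it never ran; hosts installed from the earlier package therefore keep httpd_t permissive, and nothing in this spec or in the README hunk reverts it on upgrade. Worth documenting that `semanage permissive -d httpd_t` undoes the old package's change. In the first hunk, the removed %post block was also the only place the `kimchid` firewalld service was referenced; since the commit message says the files needed by this setup are still installed, confirm the firewalld service definition that `firewall-cmd --add-service kimchid` depends on is still listed in %files, otherwise the README instructions cannot work.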
diff --git a/docs/README.md b/docs/README.md index 823c856..00287eb 100644 --- a/docs/README.md +++ b/docs/README.md @@ -197,6 +197,33 @@ is configured as: (2) Chown of export path as libvirt user, group as kvm group, In order to make sure all mapped user can get into the mount point. + +Troubleshooting +--------------- + +1. Firewall +Kimchi uses ports 8000, 8001 and 64667. If you are using firewalld, there is a easy way to add the rules: + +firewall-cmd --reload +firewall-cmd --add-service --permanent kimchid + +If you want to add directly to iptables: + +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT +iptables -I INPUT -p tcp --dport 64667 -j ACCEPT +service iptables save + +Don't forget to correctly save the rules. + + +2. SELinux + +Allow httpd_t context for Kimchi web server: + +semanage permissive -a httpd_t + + Participating ------------- -- 1.8.3.1
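Review bot: `firewall-cmd --add-service --permanent kimchid` in the firewalld step fails to parse, because `--add-service` takes the service name as its argument and `--permanent` is consumed in its place (the thread below reports exactly this "expected one argument" error on Fedora 21). Use `firewall-cmd --permanent --add-service kimchid` and move `firewall-cmd --reload` after it: a `--permanent` change only takes effect at the next reload, so reloading first does nothing useful. Since this is docs/README.md, the command lines should be indented or fenced and a blank line added after "1. Firewall" so the list item renders, and "a easy way" should read "an easy way". In the SELinux step, `semanage permissive -a httpd_t` puts the whole httpd_t domain into permissive mode, which is much broader than the heading "Allow httpd_t context for Kimchi web server" suggests; the text should say so, and a port-label rule via `semanage port` for the three Kimchi ports (with `-m` where a port is already labelled) would let users stay in enforcing mode.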

On 06-01-2015 14:50, Ramon Medeiros wrote:
+
+Troubleshooting
+---------------
IMO, this section shouldn't be named "Troubleshooting" because those actions are required in order for Kimchi to work in a remote client. It's not as if the user did something wrong and this section should help them to fix it; this is a required extra step, in my view.
+Kimchi uses ports 8000, 8001 and 64667. If you are using firewalld, there is a easy way to add the rules:
*an* easy way
Also, shouldn't this patch remove the firewall commands from contrib/DEBIAN/* as well?

On 01/06/2015 04:53 PM, Crístian Viana wrote:
On 06-01-2015 14:50, Ramon Medeiros wrote:
+
+Troubleshooting
+---------------
IMO, this section shouldn't be named "Troubleshooting" because those actions are required in order for Kimchi to work in a remote client. It's not as if the user did something wrong and this section should help them to fix it; this is a required extra step, in my view.
+Kimchi uses ports 8000, 8001 and 64667. If you are using firewalld, there is a easy way to add the rules:
*an* easy way
Also, shouldn't this patch remove the firewall commands from contrib/DEBIAN/* as well?
The bug did not claim this issue on Debian. I will check.
-- Ramon Nunes Medeiros Kimchi Developer Software Engineer - Linux Technology Center Brazil IBM Systems & Technology Group Phone : +55 19 2132 7878 ramonn@br.ibm.com

If you remove the firewall and SELinux commands from one distro, you have to do the same for all supported distros by Kimchi. Also, there is a solution to the issue of rules not being persistent after a service restart or machine reboot. IMO, all this security code and these tricks can be moved to a new plugin. If the user is interested in using the project security rules, he/she installs the plugin. That's my 2 cents! Paulo Vital.

On Tue Jan 06 2015 at 8:42:46 PM Ramon Medeiros <ramonn@linux.vnet.ibm.com> wrote:
On 01/06/2015 04:53 PM, Crístian Viana wrote:
On 06-01-2015 14:50, Ramon Medeiros wrote:
+
+Troubleshooting
+---------------
IMO, this section shouldn't be named "Troubleshooting" because those actions are required in order for Kimchi to work in a remote client. It's not as if the user did something wrong and this section should help them to fix it; this is a required extra step, in my view.
+Kimchi uses ports 8000, 8001 and 64667. If you are using firewalld, there is a easy way to add the rules:
*an* easy way
Also, shouldn't this patch remove the firewall commands from contrib/DEBIAN/* as well?
The bug did not claim this issue on Debian. I will check.
-- Ramon Nunes Medeiros Kimchi Developer Software Engineer - Linux Technology Center Brazil IBM Systems & Technology Group Phone : +55 19 2132 7878 ramonn@br.ibm.com
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel

On 07/01/2015 06:04, Paulo Ricardo Paz Vital wrote:
If you remove the firewall and SELinux commands from one distro, you have to do the same for all supported distros by Kimchi. Also, there is a solution to the issue of rules not being persistent after a service restart or machine reboot.
Yeap! Ramon, please also check the kimchi.spec.suse.in and add instructions to set up the firewall correctly there too. You can check README-federation that also contains firewall rules.
IMO, all this security code and these tricks can be moved to a new plugin. If the user is interested in using the project security rules, he/she installs the plugin.
We continue installing the firewalld config file. We are just removing the commands. As users may change the ports as they want, I don't think a plugin will make a big difference here.
That's my 2 cents! Paulo Vital.
On Tue Jan 06 2015 at 8:42:46 PM Ramon Medeiros <ramonn@linux.vnet.ibm.com> wrote:
On 01/06/2015 04:53 PM, Crístian Viana wrote:
> On 06-01-2015 14:50, Ramon Medeiros wrote:
>> +
>> +Troubleshooting
>> +---------------
>
> IMO, this section shouldn't be named "Troubleshooting" because those actions are required in order for Kimchi to work in a remote client. It's not as if the user did something wrong and this section should help them to fix it; this is a required extra step, in my view.
>
>> +Kimchi uses ports 8000, 8001 and 64667. If you are using firewalld, there is a easy way to add the rules:
> *an* easy way
>
> Also, shouldn't this patch remove the firewall commands from contrib/DEBIAN/* as well?
The bug did not claim this issue on Debian. I will check.
-- Ramon Nunes Medeiros Kimchi Developer Software Engineer - Linux Technology Center Brazil IBM Systems & Technology Group Phone : +55 19 2132 7878 ramonn@br.ibm.com

On 01/08/2015 05:19 PM, Aline Manera wrote:
On 07/01/2015 06:04, Paulo Ricardo Paz Vital wrote:
If you remove the firewall and SELinux commands from one distro, you have to do the same for all supported distros by Kimchi. Also, there is a solution to the issue of rules not being persistent after a service restart or machine reboot.
Yeap!
Ramon, please also check the kimchi.spec.suse.in and add instructions to set up the firewall correctly there too. You can check README-federation that also contains firewall rules.
We don't have any firewall change in the SUSE spec. So, the changes will only happen on Fedora and Debian.
IMO, all this security code and these tricks can be moved to a new plugin. If the user is interested in using the project security rules, he/she installs the plugin.
We continue installing the firewalld config file. We are just removing the commands. As users may change the ports as they want, I don't think a plugin will make a big difference here.
That's my 2 cents! Paulo Vital.
On Tue Jan 06 2015 at 8:42:46 PM Ramon Medeiros <ramonn@linux.vnet.ibm.com> wrote:
On 01/06/2015 04:53 PM, Crístian Viana wrote:
> On 06-01-2015 14:50, Ramon Medeiros wrote:
>> +
>> +Troubleshooting
>> +---------------
>
> IMO, this section shouldn't be named "Troubleshooting" because those actions are required in order for Kimchi to work in a remote client. It's not as if the user did something wrong and this section should help them to fix it; this is a required extra step, in my view.
>
>> +Kimchi uses ports 8000, 8001 and 64667. If you are using firewalld, there is a easy way to add the rules:
> *an* easy way
>
> Also, shouldn't this patch remove the firewall commands from contrib/DEBIAN/* as well?
The bug did not claim this issue on Debian. I will check.
-- Ramon Nunes Medeiros Kimchi Developer Software Engineer - Linux Technology Center Brazil IBM Systems & Technology Group Phone : +55 19 2132 7878 ramonn@br.ibm.com
-- Ramon Nunes Medeiros Kimchi Developer Software Engineer - Linux Technology Center Brazil IBM Systems & Technology Group Phone : +55 19 2132 7878 ramonn@br.ibm.com

On 06-01-2015 14:50, Ramon Medeiros wrote:
+firewall-cmd --reload
+firewall-cmd --add-service --permanent kimchid
+
The command above doesn't work on Fedora 21:
$ sudo firewall-cmd --add-service --permanent kimchid
usage: see firewall-cmd man page
firewall-cmd: error: argument --add-service: expected one argument

On 01/07/2015 11:46 AM, Crístian Viana wrote:
On 06-01-2015 14:50, Ramon Medeiros wrote:
+firewall-cmd --reload
+firewall-cmd --add-service --permanent kimchid
+
The command above doesn't work on Fedora 21:
$ sudo firewall-cmd --add-service --permanent kimchid
usage: see firewall-cmd man page
firewall-cmd: error: argument --add-service: expected one argument
You need to put permanent at the end:
firewall-cmd --add-service kimchid --permanent
-- Ramon Nunes Medeiros Kimchi Developer Software Engineer - Linux Technology Center Brazil IBM Systems & Technology Group Phone : +55 19 2132 7878 ramonn@br.ibm.com

On 07/01/2015 11:53, Ramon Medeiros wrote:
On 01/07/2015 11:46 AM, Crístian Viana wrote:
On 06-01-2015 14:50, Ramon Medeiros wrote:
+firewall-cmd --reload
+firewall-cmd --add-service --permanent kimchid
+
The command above doesn't work on Fedora 21:
$ sudo firewall-cmd --add-service --permanent kimchid
usage: see firewall-cmd man page
firewall-cmd: error: argument --add-service: expected one argument
You need to put permanent at the end:
firewall-cmd --add-service kimchid --permanent
If that last command works for more distributions, let's use it in our documentation.
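Issue #456 and the exchange above turn on the difference between firewalld's runtime rule set and its permanent one: a service added without `--permanent` disappears when firewalld restarts, while one added only with `--permanent` stays inactive until the next `firewall-cmd --reload`. The POSIX shell script below is an added example, not code from the Kimchi patch or from any message in this thread. It classifies a service from captured `firewall-cmd --list-services` and `firewall-cmd --permanent --list-services` output, and checks an `iptables-save` dump for the three Kimchi ports; the service lists and the dump are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the Kimchi patch or thread).
# Classifies a firewalld service as ok / runtime-only / permanent-only /
# missing from two captured service lists, so the Issue #456 condition
# ("rules gone after firewalld restart") is visible before a reboot.

# firewalld_service_state SERVICE RUNTIME_LIST PERMANENT_LIST
#   RUNTIME_LIST   = output of: firewall-cmd --list-services
#   PERMANENT_LIST = output of: firewall-cmd --permanent --list-services
firewalld_service_state() {
    svc=$1
    in_runtime=0
    in_permanent=0
    for s in $2; do
        if [ "$s" = "$svc" ]; then in_runtime=1; fi
    done
    for s in $3; do
        if [ "$s" = "$svc" ]; then in_permanent=1; fi
    done
    case "${in_runtime}${in_permanent}" in
        11) echo ok ;;              # active now and survives restart/reboot
        10) echo runtime-only ;;    # Issue #456 symptom: lost on firewalld restart
        01) echo permanent-only ;;  # saved, but inactive until firewall-cmd --reload
        *)  echo missing ;;
    esac
}

# iptables_missing_ports DUMP PORT...
#   DUMP = text of `iptables-save`. Prints the TCP ports (space separated)
#   that have no ACCEPT rule in the INPUT chain; prints nothing if all are open.
iptables_missing_ports() {
    dump=$1
    shift
    missing=""
    for port in "$@"; do
        if ! printf '%s\n' "$dump" | grep -Eq "^-A INPUT .*-p tcp .*--dport ${port} .*-j ACCEPT"; then
            missing="${missing}${missing:+ }${port}"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed sample captures (not real system output): kimchid was added
# without --permanent, and the iptables rules cover only two of the three ports.
RUNTIME_SERVICES="dhcpv6-client kimchid ssh"
PERMANENT_SERVICES="dhcpv6-client ssh"
IPTABLES_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

echo "kimchid (firewalld): $(firewalld_service_state kimchid "$RUNTIME_SERVICES" "$PERMANENT_SERVICES")"
echo "ports without INPUT ACCEPT rule: $(iptables_missing_ports "$IPTABLES_DUMP" 8000 8001 64667)"
```

To run this against a live host, replace the constructed strings with `$(firewall-cmd --list-services)`, `$(firewall-cmd --permanent --list-services)` and `$(iptables-save)`. A `runtime-only` result is the state the old %post scriptlet left hosts in; `permanent-only` means the README's `firewall-cmd --reload` has not been run since the rule was added.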