Re: [Kimchi-devel] [project-kimchi] [PATCH] spec: Open 8000 and 8001 port by default in spec.in post section

kimchi server uses ports 8000 and 8001. Open ports 8000 and 8001 by default in the spec.in %post section.

On 12/17/2013 02:36 PM, taget@linux.vnet.ibm.com wrote:
From: Eli Qiao <taget@linux.vnet.ibm.com>
Signed-off-by: Eli Qiao <taget@linux.vnet.ibm.com> --- contrib/kimchi.spec.fedora.in | 5 +++++ contrib/kimchi.spec.suse.in | 5 +++++ 2 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index 14ec359..f21ae49 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in @@ -81,6 +81,11 @@ if [ $1 -eq 1 ] ; then /bin/systemctl daemon-reload >/dev/null 2>&1 || : fi
+# open 8000 and 8001 port for firewall + +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT + %if 0%{?rhel} == 6 start kimchid %else diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in index 9051284..5209e03 100644 --- a/contrib/kimchi.spec.suse.in +++ b/contrib/kimchi.spec.suse.in @@ -47,6 +47,11 @@ install -Dm 0755 contrib/kimchid.sysvinit %{buildroot}%{_initrddir}/kimchid service kimchid start chkconfig kimchid on
+# open 8000 and 8001 port for firewall + +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT + %preun service kimchid stop
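Review bot: In the kimchi.spec.fedora.in hunk the two `iptables -I INPUT ... -j ACCEPT` lines sit outside the `if [ $1 -eq 1 ]` block that precedes them, so %post runs them on every upgrade as well as on first install, and because `-I` never checks for an existing rule each upgrade inserts another duplicate pair at the head of INPUT. Guard them with the same `$1 -eq 1` test, pair them with an `iptables -D` in %postun when `$1 -eq 0`, and append `|| :` as the neighbouring `/bin/systemctl daemon-reload >/dev/null 2>&1 || :` line does, so a host without iptables does not fail the scriptlet; the spec also never declares `Requires: iptables` for the binary it calls. The rules are runtime-only: nothing writes them to /etc/sysconfig/iptables or a firewalld service, so they vanish on reboot, and on a Fedora host running firewalld they are discarded on the next firewalld reload.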
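Review bot: In the kimchi.spec.suse.in hunk the rules are inserted unconditionally after `chkconfig kimchid on`, while the `%preun` shown directly below only runs `service kimchid stop`, so the ACCEPT rules for 8000 and 8001 stay in the INPUT chain after the package is removed. Add the matching `iptables -D INPUT -p tcp --dport 8000 -j ACCEPT` (and 8001) on final removal, guard both with `|| :`, and as with the Fedora hunk note that the change is runtime-only and will not survive a reboot or a SuSEfirewall2 reload; a persistent opening on SUSE belongs in a SuSEfirewall2 service definition shipped by the package.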
Eli,

Thanks for the patch. But it's not a reliable configuration. This rule will be lost after reboot. And shipping a configuration file is better than running commands in the spec file.

Please take a look at firewalld and firewalld.service: http://manpages.ubuntu.com/manpages/raring/man5/firewalld.service.5.html

It could be a better solution for the platforms where firewalld is available.

-- project-kimchi mailing list <project-kimchi@googlegroups.com> https://groups.google.com/forum/#!forum/project-kimchi --- You received this message because you are subscribed to the Google Groups "project-kimchi" group. To unsubscribe from this group and stop receiving emails from it, send an email to project-kimchi+unsubscribe@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.

CCed to kimchi-devel; see the comment inline below.

On 2013/12/18 19:00, Mark Wu wrote:
On 12/17/2013 02:36 PM, taget@linux.vnet.ibm.com wrote:
From: Eli Qiao<taget@linux.vnet.ibm.com>
Signed-off-by: Eli Qiao<taget@linux.vnet.ibm.com> --- contrib/kimchi.spec.fedora.in | 5 +++++ contrib/kimchi.spec.suse.in | 5 +++++ 2 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index 14ec359..f21ae49 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in @@ -81,6 +81,11 @@ if [ $1 -eq 1 ] ; then /bin/systemctl daemon-reload >/dev/null 2>&1 || : fi
+# open 8000 and 8001 port for firewall + +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT + %if 0%{?rhel} == 6 start kimchid %else diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in index 9051284..5209e03 100644 --- a/contrib/kimchi.spec.suse.in +++ b/contrib/kimchi.spec.suse.in @@ -47,6 +47,11 @@ install -Dm 0755 contrib/kimchid.sysvinit %{buildroot}%{_initrddir}/kimchid service kimchid start chkconfig kimchid on
+# open 8000 and 8001 port for firewall + +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT + %preun service kimchid stop
Eli,

Thanks for the patch. But it's not a reliable configuration. This rule will be lost after reboot. And shipping a configuration file is better than running commands in the spec file.
Please take a look at firewalld and firewalld.service: http://manpages.ubuntu.com/manpages/raring/man5/firewalld.service.5.html
It could be a better solution for the platforms where firewalld is available.

Also, we should be careful about the position of the iptables rules in the file, to avoid them being masked by other rules. And we may need to remove the rules in the rpm remove operations.

On 2013-12-18 19:00, Mark Wu wrote:
On 12/17/2013 02:36 PM, taget@linux.vnet.ibm.com wrote:
From: Eli Qiao<taget@linux.vnet.ibm.com>
Signed-off-by: Eli Qiao<taget@linux.vnet.ibm.com> --- contrib/kimchi.spec.fedora.in | 5 +++++ contrib/kimchi.spec.suse.in | 5 +++++ 2 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index 14ec359..f21ae49 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in @@ -81,6 +81,11 @@ if [ $1 -eq 1 ] ; then /bin/systemctl daemon-reload >/dev/null 2>&1 || : fi
+# open 8000 and 8001 port for firewall + +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT + %if 0%{?rhel} == 6 start kimchid %else diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in index 9051284..5209e03 100644 --- a/contrib/kimchi.spec.suse.in +++ b/contrib/kimchi.spec.suse.in @@ -47,6 +47,11 @@ install -Dm 0755 contrib/kimchid.sysvinit %{buildroot}%{_initrddir}/kimchid service kimchid start chkconfig kimchid on
+# open 8000 and 8001 port for firewall + +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT + %preun service kimchid stop
Eli,

Thanks for the patch. But it's not a reliable configuration. This rule will be lost after reboot. And shipping a configuration file is better than running commands in the spec file.
Please take a look at firewalld and firewalld.service: http://manpages.ubuntu.com/manpages/raring/man5/firewalld.service.5.html
It could be a better solution for the platforms where firewalld is available.

Good point. I took a look at vdsm; it manipulates '/etc/sysconfig/iptables' at installation. We may also try this way.

On 2013-12-18 19:00, Mark Wu wrote:
Eli,

Thanks for the patch. But it's not a reliable configuration. This rule will be lost after reboot. And shipping a configuration file is better than running commands in the spec file.
Please take a look at firewalld and firewalld.service: http://manpages.ubuntu.com/manpages/raring/man5/firewalld.service.5.html
It could be a better solution for the platforms where firewalld is available.

Hi Mark,

Thanks for your comments. I did some investigation; this is a good solution. Fedora and Ubuntu have firewalld support, but RHEL does not. As far as I know kimchi should support RHEL also; if we choose this solution, how about RHEL?

-- Thanks Eli (Li Yong) Qiao (qiaoly@cn.ibm.com) CSTL-KVM Frobisher/RHEV-H

On 2013-12-19 15:34, Eli Qiao wrote:
On 2013-12-18 19:00, Mark Wu wrote:
Eli,

Thanks for the patch. But it's not a reliable configuration. This rule will be lost after reboot. And shipping a configuration file is better than running commands in the spec file.
Please take a look at firewalld and firewalld.service: http://manpages.ubuntu.com/manpages/raring/man5/firewalld.service.5.html
It could be a better solution for the platforms where firewalld is available.

Hi Mark,

Thanks for your comments. I did some investigation; this is a good solution. Fedora and Ubuntu have firewalld support, but RHEL does not. As far as I know kimchi should support RHEL also; if we choose this solution, how about RHEL?

Just got an update: RHEL 7 will support firewalld. We should decide how to go on.

Thanks,
Eli

-- Thanks Eli (Li Yong) Qiao (qiaoly@cn.ibm.com) CSTL-KVM Frobisher/RHEV-H

-- Thanks Eli (Li Yong) Qiao (qiaoly@cn.ibm.com) CSTL-KVM Frobisher/RHEV-H

On 12/19/2013 03:34 PM, Eli Qiao wrote:
On 2013-12-18 19:00, Mark Wu wrote:
Eli,

Thanks for the patch. But it's not a reliable configuration. This rule will be lost after reboot. And shipping a configuration file is better than running commands in the spec file.
Please take a look at firewalld and firewalld.service: http://manpages.ubuntu.com/manpages/raring/man5/firewalld.service.5.html
It could be a better solution for the platforms where firewalld is available.

Hi Mark,

Thanks for your comments. I did some investigation; this is a good solution. Fedora and Ubuntu have firewalld support, but RHEL does not. As far as I know kimchi should support RHEL also; if we choose this solution, how about RHEL?

We could handle it separately: use static rules on RHEL and use firewalld for the other platforms.

-- Thanks Eli (Li Yong) Qiao (qiaoly@cn.ibm.com) CSTL-KVM Frobisher/RHEV-H
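The two persistent approaches discussed in this thread, a shipped firewalld service definition where firewalld exists and an edit of /etc/sysconfig/iptables (the vdsm approach, Mark's "static rules on RHEL") where it does not, as an added example that is neither Kimchi project code nor taken from any message above. The POSIX sh functions write a firewalld service file for the two ports and insert the two ACCEPT rules into an iptables-save style file idempotently and ahead of any terminating INPUT REJECT/DROP rule, so running them from every rpm upgrade neither duplicates nor masks anything, and a matching remove function exists for %postun. The service name kimchid, the description text, the file layout and the default paths are assumptions; file paths are parameters so the functions can be exercised against a scratch directory, and applying the result (iptables-restore, or firewall-cmd --permanent --add-service=kimchid followed by firewall-cmd --reload) is left to the caller.

```sh
#!/bin/sh
# Added example, not Kimchi project code: persist the kimchid port opening
# instead of running `iptables -I` from %post.  Two paths, matching the
# thread: a firewalld service definition where firewalld exists, and a rule
# in an iptables-save style file (/etc/sysconfig/iptables on RHEL 6) where
# it does not.  The service name "kimchid" and the default paths are assumptions.

KIMCHI_PORTS="8000 8001"

# One ACCEPT rule in iptables-save form, the form `service iptables save` writes.
kimchi_rule() {
    echo "-A INPUT -p tcp -m tcp --dport $1 -j ACCEPT"
}

# Write <dir>/kimchid.xml in firewalld's service format.  An admin-created file
# lives in /etc/firewalld/services; a package would ship it under
# /usr/lib/firewalld/services.  Enable it afterwards with
#   firewall-cmd --permanent --add-service=kimchid && firewall-cmd --reload
write_firewalld_service() {
    dir="${1:-/etc/firewalld/services}"
    mkdir -p "$dir"
    {
        echo '<?xml version="1.0" encoding="utf-8"?>'
        echo '<service>'
        echo '  <short>kimchid</short>'
        echo '  <description>Kimchi KVM management server (assumed description)</description>'
        for p in $KIMCHI_PORTS; do
            echo "  <port protocol=\"tcp\" port=\"$p\"/>"
        done
        echo '</service>'
    } > "$dir/kimchid.xml"
    chmod 0644 "$dir/kimchid.xml"
}

# Add the ACCEPT rules to an iptables-save style file exactly once.  Each rule
# goes into the *filter table before the first INPUT REJECT/DROP rule (or before
# COMMIT if there is none), so the distribution's trailing
# "-A INPUT -j REJECT --reject-with icmp-host-prohibited" cannot mask it.
# Re-running is a no-op, so it is safe on every upgrade.
add_static_rules() {
    file="${1:-/etc/sysconfig/iptables}"
    [ -f "$file" ] || return 1          # assumed to exist (the iptables init script creates it)
    for p in $KIMCHI_PORTS; do
        rule=$(kimchi_rule "$p")
        grep -qxF -- "$rule" "$file" && continue
        awk -v rule="$rule" '
            /^\*filter$/                                              { in_filter = 1 }
            in_filter && !done && /^-A INPUT / && /-j (REJECT|DROP)/ { print rule; done = 1 }
            in_filter && !done && /^COMMIT$/                          { print rule; done = 1 }
            { print }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    done
}

# Remove the rules again (for %postun on final removal, $1 -eq 0).
remove_static_rules() {
    file="${1:-/etc/sysconfig/iptables}"
    for p in $KIMCHI_PORTS; do
        rule=$(kimchi_rule "$p")
        grep -vxF -- "$rule" "$file" > "$file.tmp" || :
        mv "$file.tmp" "$file"
    done
}

# How many of the kimchid ACCEPT rules the file currently holds (0, 1 or 2).
count_static_rules() {
    n=0
    for p in $KIMCHI_PORTS; do
        grep -qxF -- "$(kimchi_rule "$p")" "$1" && n=$((n + 1))
    done
    echo "$n"
}

# Typical use from a spec, choosing the path per platform as Mark suggests:
#   if [ -d /etc/firewalld ]; then write_firewalld_service; else add_static_rules; fi
```

Exact-line matching (grep -x -F) is what makes the insert idempotent; matching only on the port number would also hit an unrelated rule for the same port. The position rule is the one Mark raised: a rule appended after the distribution's REJECT line is never reached.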
participants (4)
- Eli Qiao
- Mark Wu
- Royce Lv
- Shu Ming