[PATCH] Issue #456: Firewall ports are not open after firewall restart v4

Changes: v4: Write README instructions based on README-federation add iptables rules v3: Remove postint file from debian Append opensuse firewall commands Change README instructions v2: Correct firewalld argument "--permanent" Extend changes to debian Instead of setup firewall and selinux configuration, kimchi will just add the files needed by this setup and describe to the user how security setup will be done in README. Signed-off-by: Ramon Medeiros <ramonn@linux.vnet.ibm.com> --- contrib/DEBIAN/postinst | 28 ---------------------------- contrib/DEBIAN/postrm | 7 ------- contrib/kimchi.spec.fedora.in | 26 -------------------------- docs/README.md | 31 +++++++++++++++++++++++++++++++ 4 files changed, 31 insertions(+), 61 deletions(-) delete mode 100755 contrib/DEBIAN/postinst diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst deleted file mode 100755 index 5bca009..0000000 --- a/contrib/DEBIAN/postinst +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/sh -e -# -# Project Kimchi -# -# Copyright IBM, Corp. 2013 -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of the GNU Lesser General Public -# License as published by the Free Software Foundation; either -# version 2.1 of the License, or (at your option) any later version. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - -set +e -service firewalld status >/dev/null 2>&1 -if [ $? -ne 0 ]; then - service firewalld start >/dev/null 2>&1 -fi -firewall-cmd --reload >/dev/null 2>&1 -firewall-cmd --add-service kimchid >/dev/null 2>&1 -set -e 
diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm index 9f1d895..ef90b49 100755 --- a/contrib/DEBIAN/postrm +++ b/contrib/DEBIAN/postrm @@ -26,10 +26,3 @@ case "$1" in rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/ ;; esac - -set +e -service firewalld status >/dev/null 2>&1 -if [ $? -eq 0 ]; then - firewall-cmd --remove-service kimchid >/dev/null 2>&1 -fi -set -e diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index e75018e..92d3e49 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in @@ -113,23 +113,6 @@ if [ $1 -eq 1 ] ; then /bin/systemctl daemon-reload >/dev/null 2>&1 || : fi -%if 0%{?with_systemd} -service firewalld status >/dev/null 2>&1 -if [ $? -ne 0 ]; then - service firewalld start >/dev/null 2>&1 -fi -# Add firewalld rules to open 8000 and 8001 port -firewall-cmd --reload >/dev/null 2>&1 -firewall-cmd --add-service kimchid >/dev/null 2>&1 -%else -# Add default iptable rules to open 8000 and 8001 port -iptables -I INPUT -p tcp --dport 8000 -j ACCEPT -iptables -I INPUT -p tcp --dport 8001 -j ACCEPT -iptables -I INPUT -p tcp --dport 64667 -j ACCEPT -service iptables save >/dev/null 2>&1 -%endif -# Add SELinux rules to "open" Kimchi ports -semanage permissive -a httpd_t %preun @@ -137,13 +120,6 @@ if [ $1 -eq 0 ] ; then # Package removal, not upgrade /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || : /bin/systemctl stop kimchid.service > /dev/null 2>&1 || : - %if 0%{?with_systemd} - firewall-cmd --remove-service kimchid >/dev/null 2>&1 || : - %else - iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || : - iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || : - iptables -D INPUT -p tcp --dport 64667 -j ACCEPT || : - %endif fi exit 0 @@ -154,8 +130,6 @@ if [ "$1" -ge 1 ] ; then /bin/systemctl try-restart kimchid.service >/dev/null 2>&1 || : fi exit 0 -# Rollback SELinux rules -semanage permissive -d httpd_t %clean rm -rf $RPM_BUILD_ROOT 
diff --git a/docs/README.md b/docs/README.md index 823c856..8dcc652 100644 --- a/docs/README.md +++ b/docs/README.md @@ -142,6 +142,37 @@ Run $ sudo kimchid --host=0.0.0.0 +If you cannot access Kimchi, take a look at these 2 points: + +1. Firewall +Kimchi uses by default the ports 8000, 8001 and 64667. To allow incoming connections: + + For system using firewalld, do: + sudo firewall-cmd --add-port 8000 --permanent + sudo firewall-cmd --add-port 8001 --permanent + sudo firewall-cmd --add-port 64667 --permanent + sudo firewall-cmd --reload + + For openSUSE systems, do: + sudo /sbin/SuSEfirewall2 open EXT TCP 8000 + sudo /sbin/SuSEfirewall2 open EXT TCP 8001 + sudo /sbin/SuSEfirewall2 open EXT TCP 64667 + + For system using iptables, do: + sudo iptables -A INPUT -p tcp --dport 8000 -j ACCEPT + sudo iptables -A INPUT -p tcp --dport 8001 -j ACCEPT + sudo iptables -A INPUT -p tcp --dport 64667 -j ACCEPT + + +Don't forget to correctly save the rules. + + +2. SELinux + +Allow httpd_t context for Kimchi web server: + +semanage permissive -a httpd_t + Test ---- -- 1.8.3.1
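Review bot: in the `contrib/DEBIAN/postinst` deletion hunk, the script being removed opened the ports with `firewall-cmd --add-service kimchid`, i.e. through a shipped firewalld service definition, while the README hunk in this same patch replaces that with three separate `--add-port` lines. If the `kimchid` service XML is still packaged, documenting `sudo firewall-cmd --add-service=kimchid --permanent` instead keeps the port list in one place, so the README and the service definition cannot drift apart when a port changes.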
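Review bot: dropping the cleanup in the `contrib/DEBIAN/postrm` hunk (`firewall-cmd --remove-service kimchid`) and in the `%preun` hunk of `kimchi.spec.fedora.in` (`firewall-cmd --remove-service kimchid`, the three `iptables -D INPUT ... -j ACCEPT` lines) is consistent with no longer opening ports at install time, but it leaves no documented way to undo what the README now tells the user to do. The README should carry the matching removal steps (`firewall-cmd --remove-port ... --permanent`, `iptables -D INPUT ...`, and `semanage permissive -d httpd_t`, which the last spec hunk also deletes), so that uninstalling Kimchi does not leave three open ports and a permissive `httpd_t` domain behind.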
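Review bot: in the `docs/README.md` hunk, the firewalld commands are missing the protocol: `firewall-cmd --add-port` expects `port/protocol`, so `sudo firewall-cmd --add-port 8000 --permanent` is rejected; it should read `sudo firewall-cmd --add-port=8000/tcp --permanent` (same for 8001 and 64667). Three further points in the same hunk: the iptables lines use `-A INPUT`, which appends after any existing final REJECT/DROP rule so the new ACCEPT rules may never be reached, whereas the rules removed from the spec used `-I INPUT`; "Don't forget to correctly save the rules" should name the command (`service iptables save`, as the removed spec section did, or `iptables-save` redirected to the distribution's persistent rules file); and `semanage permissive -a httpd_t` puts the whole `httpd_t` domain in permissive mode, which also covers any other web server confined by that domain on the host, so the README should state that scope rather than present it as a Kimchi-only change.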
participants (2)
- Aline Manera
- Ramon Medeiros