[PATCH V7 0/1] Open 8000 and 8001 port by default for distro packages
From: Eli Qiao <taget@linux.vnet.ibm.com> V7 -V6 changes: 1. Remove firewalld message when install kimchi rpm on fedora/RHEL 2. Start firewalld service if not start 3. Ship kimchid.xml to ubuntu distro in Makefile.am V6 -V5 changes: 1.Keep specific condition for RHEL6 when starting kimchid service 2.Remove full path of firewall-cmd in postrm V5 - V4 changes: 1. Add cover-letter. (Aline) 2. Move clean up rules into if condition. (Aline) 3. Use with_systemd condition to check if use firewalld rules. (Aline) 4. Fix typo (Aline) V4 - V3 changes: 1 Fix typo in firewalld.xml (Rodrigo) V3 - V2 changes: 1.Rename kimchid.xml to firewalld.xml (Mark) 2.Remove firewalld from serivce require (Mark) 3.Fix typo V2 - V1 changes: 1.Add firewalld sevice configure file kimchid.xml to help open iptables port (Mark) 2.Add Ubuntu iptables rule (Royce) Eli Qiao (1): spec: Open 8000 and 8001 port by default Makefile.am | 3 +++ contrib/DEBIAN/control.in | 3 ++- contrib/DEBIAN/postinst | 6 ++++++ contrib/DEBIAN/postrm | 2 ++ contrib/kimchi.spec.fedora.in | 26 ++++++++++++++++++++++++++ contrib/kimchi.spec.suse.in | 10 ++++++++-- src/Makefile.am | 1 + src/firewalld.xml | 7 +++++++ 8 files changed, 55 insertions(+), 3 deletions(-) create mode 100644 src/firewalld.xml -- 1.8.3.1
From: Eli Qiao <taget@linux.vnet.ibm.com> Use firewalld to manager firewall rules on RHEL7, fedora and ubuntu. Add static rules in iptables to on RHEL6. Signed-off-by: Eli Qiao <taget@linux.vnet.ibm.com> --- Makefile.am | 3 +++ contrib/DEBIAN/control.in | 3 ++- contrib/DEBIAN/postinst | 6 ++++++ contrib/DEBIAN/postrm | 2 ++ contrib/kimchi.spec.fedora.in | 26 ++++++++++++++++++++++++++ contrib/kimchi.spec.suse.in | 10 ++++++++-- src/Makefile.am | 1 + src/firewalld.xml | 7 +++++++ 8 files changed, 55 insertions(+), 3 deletions(-) create mode 100644 src/firewalld.xml diff --git a/Makefile.am b/Makefile.am index 1fb3502..83dab8b 100644 --- a/Makefile.am +++ b/Makefile.am @@ -79,8 +79,11 @@ all-local: install-deb: install cp -R $(top_srcdir)/contrib/DEBIAN $(DESTDIR)/ $(MKDIR_P) $(DESTDIR)/etc/init + $(MKDIR_P) $(DESTDIR)/usr/lib/firewalld/services cp -R $(top_srcdir)/contrib/kimchid-upstart.conf.debian \ $(DESTDIR)/etc/init/kimchid.conf + cp -R $(top_srcdir)/src/firewalld.xml \ + $(DESTDIR)/usr/lib/firewalld/services/kimchid.xml deb: contrib/make-deb.sh diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in index 380584c..c0ea1f1 100644 --- a/contrib/DEBIAN/control.in +++ b/contrib/DEBIAN/control.in @@ -17,7 +17,8 @@ Depends: python-cherrypy3 (>= 3.2.0), python-psutil (>= 0.6.0), python-ethtool, sosreport, - python-ipaddr + python-ipaddr, + firewalld Build-Depends: Maintainer: Aline Manera <alinefm@br.ibm.com> Description: Kimchi web server diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst index c1fc22e..2726753 100755 --- a/contrib/DEBIAN/postinst +++ b/contrib/DEBIAN/postinst @@ -19,3 +19,9 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA service kimchid start +service firewalld status | grep "not running" >/dev/null 2>&1 +if [[ $? -eq 0 ]]; then + service firewalld start >/dev/null 2>&1 +fi +firewall-cmd --reload >/dev/null 2>&1 +firewall-cmd --add-service kimchid >/dev/null 2>&1 diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm index ef90b49..22db3ce 100755 --- a/contrib/DEBIAN/postrm +++ b/contrib/DEBIAN/postrm @@ -26,3 +26,5 @@ case "$1" in rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/ ;; esac + +firewall-cmd --remove-service kimchid >/dev/null 2>&1 diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index 3044fc8..3bb5b1c 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in @@ -34,6 +34,7 @@ BuildRequires: python-unittest2 %if 0%{?with_systemd} Requires: systemd +Requires: firewalld Requires(post): systemd Requires(preun): systemd Requires(postun): systemd @@ -63,6 +64,7 @@ make DESTDIR=%{buildroot} install %if 0%{?with_systemd} # Install the systemd scripts install -Dm 0644 contrib/kimchid.service.fedora %{buildroot}%{_unitdir}/kimchid.service +install -Dm 0640 src/firewalld.xml %{buildroot}%{_prefix}/lib/firewalld/services/kimchid.xml %endif %if 0%{?rhel} == 6 @@ -87,12 +89,35 @@ start kimchid service kimchid start %endif +%if 0%{?with_systemd} +service firewalld status | grep "active (running)" >/dev/null 2>&1 +if [[ $? -ne 0 ]]; then + service firewalld start >/dev/null 2>&1 +fi +# Add firewalld rules to open 8000 and 8001 port +firewall-cmd --reload >/dev/null 2>&1 +firewall-cmd --add-service kimchid >/dev/null 2>&1 +%else +# Add default iptable rules to open 8000 and 8001 port +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save >/dev/null 2>&1 +%endif + %preun + if [ $1 -eq 0 ] ; then # Package removal, not upgrade /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || : /bin/systemctl stop kimchid.service > /dev/null 2>&1 || : + %if 0%{?with_systemd} + firewall-cmd --remove-service kimchid >/dev/null 2>&1 || : + %else + iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || : + iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || : + %endif fi + exit 0 @@ -155,6 +180,7 @@ rm -rf $RPM_BUILD_ROOT %if 0%{?with_systemd} %{_unitdir}/kimchid.service +%{_prefix}/lib/firewalld/services/kimchid.xml %endif %if 0%{?rhel} == 6 /etc/init/kimchid.conf diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in index 190b2be..be5172d 100644 --- a/contrib/kimchi.spec.suse.in +++ b/contrib/kimchi.spec.suse.in @@ -46,10 +46,16 @@ install -Dm 0755 contrib/kimchid.sysvinit %{buildroot}%{_initrddir}/kimchid %post service kimchid start chkconfig kimchid on - +# Add iptables rules to open 8000 and 8001 port +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save >/dev/null 2>&1 %preun service kimchid stop - +# Remove iptables rules to open 8000 and 8001 port +iptables -D INPUT -p tcp --dport 8000 -j ACCEPT +iptables -D INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save >/dev/null 2>&1 %clean rm -rf $RPM_BUILD_ROOT diff --git a/src/Makefile.am b/src/Makefile.am index 7d29e28..7514870 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -24,6 +24,7 @@ SUBDIRS = kimchi distros.d EXTRA_DIST = kimchid.in \ kimchi.conf.in \ + firewalld.xml \ $(NULL) bin_SCRIPTS = kimchid diff --git a/src/firewalld.xml b/src/firewalld.xml new file mode 100644 index 0000000..7472e20 --- /dev/null +++ b/src/firewalld.xml @@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>kimchid</short> + <description>Kimchid is a daemon service for kimchi which is a HTML5 based management tool for KVM. It is designed to make it as easy as possible to get started with KVM and create your first guest.</description> + <port protocol="tcp" port="8000"/> + <port protocol="tcp" port="8001"/> +</service> -- 1.8.3.1
于 2014/1/6 14:10, taget@linux.vnet.ibm.com 写道:
From: Eli Qiao <taget@linux.vnet.ibm.com>
Use firewalld to manager firewall rules on RHEL7, fedora and ubuntu. Add static rules in iptables to on RHEL6.
Signed-off-by: Eli Qiao <taget@linux.vnet.ibm.com> --- Makefile.am | 3 +++ contrib/DEBIAN/control.in | 3 ++- contrib/DEBIAN/postinst | 6 ++++++ contrib/DEBIAN/postrm | 2 ++ contrib/kimchi.spec.fedora.in | 26 ++++++++++++++++++++++++++ contrib/kimchi.spec.suse.in | 10 ++++++++-- src/Makefile.am | 1 + src/firewalld.xml | 7 +++++++ 8 files changed, 55 insertions(+), 3 deletions(-) create mode 100644 src/firewalld.xml
diff --git a/Makefile.am b/Makefile.am index 1fb3502..83dab8b 100644 --- a/Makefile.am +++ b/Makefile.am @@ -79,8 +79,11 @@ all-local: install-deb: install cp -R $(top_srcdir)/contrib/DEBIAN $(DESTDIR)/ $(MKDIR_P) $(DESTDIR)/etc/init + $(MKDIR_P) $(DESTDIR)/usr/lib/firewalld/services I think the firewalld service is assumed to be started before kimchi is installed and the "*/firewalld/services directory" is already exisiting. Also, the firewalld is assumed be under system directory which should not be prefixed by $(DESTDIR).
cp -R $(top_srcdir)/contrib/kimchid-upstart.conf.debian \ $(DESTDIR)/etc/init/kimchid.conf + cp -R $(top_srcdir)/src/firewalld.xml \ + $(DESTDIR)/usr/lib/firewalld/services/kimchid.xml
deb: contrib/make-deb.sh diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in index 380584c..c0ea1f1 100644 --- a/contrib/DEBIAN/control.in +++ b/contrib/DEBIAN/control.in @@ -17,7 +17,8 @@ Depends: python-cherrypy3 (>= 3.2.0), python-psutil (>= 0.6.0), python-ethtool, sosreport, - python-ipaddr + python-ipaddr, + firewalld Build-Depends: Maintainer: Aline Manera <alinefm@br.ibm.com> Description: Kimchi web server diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst index c1fc22e..2726753 100755 --- a/contrib/DEBIAN/postinst +++ b/contrib/DEBIAN/postinst @@ -19,3 +19,9 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
service kimchid start +service firewalld status | grep "not running" >/dev/null 2>&1 +if [[ $? -eq 0 ]]; then + service firewalld start >/dev/null 2>&1 +fi +firewall-cmd --reload >/dev/null 2>&1 +firewall-cmd --add-service kimchid >/dev/null 2>&1 diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm index ef90b49..22db3ce 100755 --- a/contrib/DEBIAN/postrm +++ b/contrib/DEBIAN/postrm @@ -26,3 +26,5 @@ case "$1" in rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/ ;; esac + +firewall-cmd --remove-service kimchid >/dev/null 2>&1 diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index 3044fc8..3bb5b1c 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in @@ -34,6 +34,7 @@ BuildRequires: python-unittest2
%if 0%{?with_systemd} Requires: systemd +Requires: firewalld Requires(post): systemd Requires(preun): systemd Requires(postun): systemd @@ -63,6 +64,7 @@ make DESTDIR=%{buildroot} install %if 0%{?with_systemd} # Install the systemd scripts install -Dm 0644 contrib/kimchid.service.fedora %{buildroot}%{_unitdir}/kimchid.service +install -Dm 0640 src/firewalld.xml %{buildroot}%{_prefix}/lib/firewalld/services/kimchid.xml %endif
%if 0%{?rhel} == 6 @@ -87,12 +89,35 @@ start kimchid service kimchid start %endif
+%if 0%{?with_systemd} +service firewalld status | grep "active (running)" >/dev/null 2>&1 +if [[ $? -ne 0 ]]; then + service firewalld start >/dev/null 2>&1 +fi +# Add firewalld rules to open 8000 and 8001 port +firewall-cmd --reload >/dev/null 2>&1 +firewall-cmd --add-service kimchid >/dev/null 2>&1 +%else +# Add default iptable rules to open 8000 and 8001 port +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save >/dev/null 2>&1 +%endif + %preun + if [ $1 -eq 0 ] ; then # Package removal, not upgrade /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || : /bin/systemctl stop kimchid.service > /dev/null 2>&1 || : + %if 0%{?with_systemd} + firewall-cmd --remove-service kimchid >/dev/null 2>&1 || : + %else + iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || : + iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || : + %endif fi + exit 0
@@ -155,6 +180,7 @@ rm -rf $RPM_BUILD_ROOT
%if 0%{?with_systemd} %{_unitdir}/kimchid.service +%{_prefix}/lib/firewalld/services/kimchid.xml %endif %if 0%{?rhel} == 6 /etc/init/kimchid.conf diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in index 190b2be..be5172d 100644 --- a/contrib/kimchi.spec.suse.in +++ b/contrib/kimchi.spec.suse.in @@ -46,10 +46,16 @@ install -Dm 0755 contrib/kimchid.sysvinit %{buildroot}%{_initrddir}/kimchid %post service kimchid start chkconfig kimchid on - +# Add iptables rules to open 8000 and 8001 port +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save >/dev/null 2>&1 %preun service kimchid stop - +# Remove iptables rules to open 8000 and 8001 port +iptables -D INPUT -p tcp --dport 8000 -j ACCEPT +iptables -D INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save >/dev/null 2>&1 %clean rm -rf $RPM_BUILD_ROOT
diff --git a/src/Makefile.am b/src/Makefile.am index 7d29e28..7514870 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -24,6 +24,7 @@ SUBDIRS = kimchi distros.d
EXTRA_DIST = kimchid.in \ kimchi.conf.in \ + firewalld.xml \ $(NULL)
bin_SCRIPTS = kimchid diff --git a/src/firewalld.xml b/src/firewalld.xml new file mode 100644 index 0000000..7472e20 --- /dev/null +++ b/src/firewalld.xml @@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>kimchid</short> + <description>Kimchid is a daemon service for kimchi which is a HTML5 based management tool for KVM. It is designed to make it as easy as possible to get started with KVM and create your first guest.</description> + <port protocol="tcp" port="8000"/> + <port protocol="tcp" port="8001"/> +</service>
* **opensuse-vm*:~/kimchi # rpm -ivh /root/kimchi/rpm/RPMS/x86_64/kimchi-1.1.0-51.git831ea68.x86_64.rpm Preparing... ################################# [100%] Updating / installing... 1:kimchi-1.1.0-51.git831ea68 ################################# [100%] warning: %post(kimchi-1.1.0-51.git831ea68.x86_64) scriptlet failed, exit status 1 While running all command from post section manually I got: opensuse-vm:~/kimchi # service iptables save service: no such service iptables In opensuse you need to use /sbin/SuSEfirewall2 On 01/06/2014 04:10 AM, taget@linux.vnet.ibm.com wrote:
From: Eli Qiao <taget@linux.vnet.ibm.com>
Use firewalld to manager firewall rules on RHEL7, fedora and ubuntu. Add static rules in iptables to on RHEL6.
Signed-off-by: Eli Qiao <taget@linux.vnet.ibm.com> --- Makefile.am | 3 +++ contrib/DEBIAN/control.in | 3 ++- contrib/DEBIAN/postinst | 6 ++++++ contrib/DEBIAN/postrm | 2 ++ contrib/kimchi.spec.fedora.in | 26 ++++++++++++++++++++++++++ contrib/kimchi.spec.suse.in | 10 ++++++++-- src/Makefile.am | 1 + src/firewalld.xml | 7 +++++++ 8 files changed, 55 insertions(+), 3 deletions(-) create mode 100644 src/firewalld.xml
diff --git a/Makefile.am b/Makefile.am index 1fb3502..83dab8b 100644 --- a/Makefile.am +++ b/Makefile.am @@ -79,8 +79,11 @@ all-local: install-deb: install cp -R $(top_srcdir)/contrib/DEBIAN $(DESTDIR)/ $(MKDIR_P) $(DESTDIR)/etc/init + $(MKDIR_P) $(DESTDIR)/usr/lib/firewalld/services cp -R $(top_srcdir)/contrib/kimchid-upstart.conf.debian \ $(DESTDIR)/etc/init/kimchid.conf + cp -R $(top_srcdir)/src/firewalld.xml \ + $(DESTDIR)/usr/lib/firewalld/services/kimchid.xml
deb: contrib/make-deb.sh diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in index 380584c..c0ea1f1 100644 --- a/contrib/DEBIAN/control.in +++ b/contrib/DEBIAN/control.in @@ -17,7 +17,8 @@ Depends: python-cherrypy3 (>= 3.2.0), python-psutil (>= 0.6.0), python-ethtool, sosreport, - python-ipaddr + python-ipaddr, + firewalld Build-Depends: Maintainer: Aline Manera <alinefm@br.ibm.com> Description: Kimchi web server diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst index c1fc22e..2726753 100755 --- a/contrib/DEBIAN/postinst +++ b/contrib/DEBIAN/postinst @@ -19,3 +19,9 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
service kimchid start +service firewalld status | grep "not running" >/dev/null 2>&1 +if [[ $? -eq 0 ]]; then + service firewalld start >/dev/null 2>&1 +fi +firewall-cmd --reload >/dev/null 2>&1 +firewall-cmd --add-service kimchid >/dev/null 2>&1 diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm index ef90b49..22db3ce 100755 --- a/contrib/DEBIAN/postrm +++ b/contrib/DEBIAN/postrm @@ -26,3 +26,5 @@ case "$1" in rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/ ;; esac + +firewall-cmd --remove-service kimchid >/dev/null 2>&1 diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index 3044fc8..3bb5b1c 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in @@ -34,6 +34,7 @@ BuildRequires: python-unittest2
%if 0%{?with_systemd} Requires: systemd +Requires: firewalld Requires(post): systemd Requires(preun): systemd Requires(postun): systemd @@ -63,6 +64,7 @@ make DESTDIR=%{buildroot} install %if 0%{?with_systemd} # Install the systemd scripts install -Dm 0644 contrib/kimchid.service.fedora %{buildroot}%{_unitdir}/kimchid.service +install -Dm 0640 src/firewalld.xml %{buildroot}%{_prefix}/lib/firewalld/services/kimchid.xml %endif
%if 0%{?rhel} == 6 @@ -87,12 +89,35 @@ start kimchid service kimchid start %endif
+%if 0%{?with_systemd} +service firewalld status | grep "active (running)" >/dev/null 2>&1 +if [[ $? -ne 0 ]]; then + service firewalld start >/dev/null 2>&1 +fi +# Add firewalld rules to open 8000 and 8001 port +firewall-cmd --reload >/dev/null 2>&1 +firewall-cmd --add-service kimchid >/dev/null 2>&1 +%else +# Add default iptable rules to open 8000 and 8001 port +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save >/dev/null 2>&1 +%endif + %preun + if [ $1 -eq 0 ] ; then # Package removal, not upgrade /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || : /bin/systemctl stop kimchid.service > /dev/null 2>&1 || : + %if 0%{?with_systemd} + firewall-cmd --remove-service kimchid >/dev/null 2>&1 || : + %else + iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || : + iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || : + %endif fi + exit 0
@@ -155,6 +180,7 @@ rm -rf $RPM_BUILD_ROOT
%if 0%{?with_systemd} %{_unitdir}/kimchid.service +%{_prefix}/lib/firewalld/services/kimchid.xml %endif %if 0%{?rhel} == 6 /etc/init/kimchid.conf diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in index 190b2be..be5172d 100644 --- a/contrib/kimchi.spec.suse.in +++ b/contrib/kimchi.spec.suse.in @@ -46,10 +46,16 @@ install -Dm 0755 contrib/kimchid.sysvinit %{buildroot}%{_initrddir}/kimchid %post service kimchid start chkconfig kimchid on - +# Add iptables rules to open 8000 and 8001 port +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save >/dev/null 2>&1 %preun service kimchid stop - +# Remove iptables rules to open 8000 and 8001 port +iptables -D INPUT -p tcp --dport 8000 -j ACCEPT +iptables -D INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save >/dev/null 2>&1 %clean rm -rf $RPM_BUILD_ROOT
diff --git a/src/Makefile.am b/src/Makefile.am index 7d29e28..7514870 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -24,6 +24,7 @@ SUBDIRS = kimchi distros.d
EXTRA_DIST = kimchid.in \ kimchi.conf.in \ + firewalld.xml \ $(NULL)
bin_SCRIPTS = kimchid diff --git a/src/firewalld.xml b/src/firewalld.xml new file mode 100644 index 0000000..7472e20 --- /dev/null +++ b/src/firewalld.xml @@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>kimchid</short> + <description>Kimchid is a daemon service for kimchi which is a HTML5 based management tool for KVM. It is designed to make it as easy as possible to get started with KVM and create your first guest.</description> + <port protocol="tcp" port="8000"/> + <port protocol="tcp" port="8001"/> +</service>
? 2014?01?07? 01:31, Aline Manera ??:
* **opensuse-vm*:~/kimchi # rpm -ivh /root/kimchi/rpm/RPMS/x86_64/kimchi-1.1.0-51.git831ea68.x86_64.rpm Preparing... ################################# [100%] Updating / installing... 1:kimchi-1.1.0-51.git831ea68 ################################# [100%] warning: %post(kimchi-1.1.0-51.git831ea68.x86_64) scriptlet failed, exit status 1
While running all command from post section manually I got:
opensuse-vm:~/kimchi # service iptables save service: no such service iptables
In opensuse you need to use /sbin/SuSEfirewall2
hello Aline thanks for your testing and comments I am not quite familiar with open suse or environment , so I have not so much confident with the changes for suse. I'd like to remove changes for suse from this patch, and Could you please merge my patch and I will send a following separate patch to support suse later ? will send a new version to remove this change for suse. thanks Eli
On 01/06/2014 04:10 AM, taget@linux.vnet.ibm.com wrote:
From: Eli Qiao<taget@linux.vnet.ibm.com>
Use firewalld to manager firewall rules on RHEL7, fedora and ubuntu. Add static rules in iptables to on RHEL6.
Signed-off-by: Eli Qiao<taget@linux.vnet.ibm.com> --- Makefile.am | 3 +++ contrib/DEBIAN/control.in | 3 ++- contrib/DEBIAN/postinst | 6 ++++++ contrib/DEBIAN/postrm | 2 ++ contrib/kimchi.spec.fedora.in | 26 ++++++++++++++++++++++++++ contrib/kimchi.spec.suse.in | 10 ++++++++-- src/Makefile.am | 1 + src/firewalld.xml | 7 +++++++ 8 files changed, 55 insertions(+), 3 deletions(-) create mode 100644 src/firewalld.xml
diff --git a/Makefile.am b/Makefile.am index 1fb3502..83dab8b 100644 --- a/Makefile.am +++ b/Makefile.am @@ -79,8 +79,11 @@ all-local: install-deb: install cp -R $(top_srcdir)/contrib/DEBIAN $(DESTDIR)/ $(MKDIR_P) $(DESTDIR)/etc/init + $(MKDIR_P) $(DESTDIR)/usr/lib/firewalld/services cp -R $(top_srcdir)/contrib/kimchid-upstart.conf.debian \ $(DESTDIR)/etc/init/kimchid.conf + cp -R $(top_srcdir)/src/firewalld.xml \ + $(DESTDIR)/usr/lib/firewalld/services/kimchid.xml
deb: contrib/make-deb.sh diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in index 380584c..c0ea1f1 100644 --- a/contrib/DEBIAN/control.in +++ b/contrib/DEBIAN/control.in @@ -17,7 +17,8 @@ Depends: python-cherrypy3 (>= 3.2.0), python-psutil (>= 0.6.0), python-ethtool, sosreport, - python-ipaddr + python-ipaddr, + firewalld Build-Depends: Maintainer: Aline Manera<alinefm@br.ibm.com> Description: Kimchi web server diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst index c1fc22e..2726753 100755 --- a/contrib/DEBIAN/postinst +++ b/contrib/DEBIAN/postinst @@ -19,3 +19,9 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
service kimchid start +service firewalld status | grep "not running" >/dev/null 2>&1 +if [[ $? -eq 0 ]]; then + service firewalld start >/dev/null 2>&1 +fi +firewall-cmd --reload >/dev/null 2>&1 +firewall-cmd --add-service kimchid >/dev/null 2>&1 diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm index ef90b49..22db3ce 100755 --- a/contrib/DEBIAN/postrm +++ b/contrib/DEBIAN/postrm @@ -26,3 +26,5 @@ case "$1" in rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/ ;; esac + +firewall-cmd --remove-service kimchid >/dev/null 2>&1 diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index 3044fc8..3bb5b1c 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in @@ -34,6 +34,7 @@ BuildRequires: python-unittest2
%if 0%{?with_systemd} Requires: systemd +Requires: firewalld Requires(post): systemd Requires(preun): systemd Requires(postun): systemd @@ -63,6 +64,7 @@ make DESTDIR=%{buildroot} install %if 0%{?with_systemd} # Install the systemd scripts install -Dm 0644 contrib/kimchid.service.fedora %{buildroot}%{_unitdir}/kimchid.service +install -Dm 0640 src/firewalld.xml %{buildroot}%{_prefix}/lib/firewalld/services/kimchid.xml %endif
%if 0%{?rhel} == 6 @@ -87,12 +89,35 @@ start kimchid service kimchid start %endif
+%if 0%{?with_systemd} +service firewalld status | grep "active (running)" >/dev/null 2>&1 +if [[ $? -ne 0 ]]; then + service firewalld start >/dev/null 2>&1 +fi +# Add firewalld rules to open 8000 and 8001 port +firewall-cmd --reload >/dev/null 2>&1 +firewall-cmd --add-service kimchid >/dev/null 2>&1 +%else +# Add default iptable rules to open 8000 and 8001 port +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save >/dev/null 2>&1 +%endif + %preun + if [ $1 -eq 0 ] ; then # Package removal, not upgrade /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || : /bin/systemctl stop kimchid.service > /dev/null 2>&1 || : + %if 0%{?with_systemd} + firewall-cmd --remove-service kimchid >/dev/null 2>&1 || : + %else + iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || : + iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || : + %endif fi + exit 0
@@ -155,6 +180,7 @@ rm -rf $RPM_BUILD_ROOT
%if 0%{?with_systemd} %{_unitdir}/kimchid.service +%{_prefix}/lib/firewalld/services/kimchid.xml %endif %if 0%{?rhel} == 6 /etc/init/kimchid.conf diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in index 190b2be..be5172d 100644 --- a/contrib/kimchi.spec.suse.in +++ b/contrib/kimchi.spec.suse.in @@ -46,10 +46,16 @@ install -Dm 0755 contrib/kimchid.sysvinit %{buildroot}%{_initrddir}/kimchid %post service kimchid start chkconfig kimchid on - +# Add iptables rules to open 8000 and 8001 port +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save >/dev/null 2>&1 %preun service kimchid stop - +# Remove iptables rules to open 8000 and 8001 port +iptables -D INPUT -p tcp --dport 8000 -j ACCEPT +iptables -D INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save >/dev/null 2>&1 %clean rm -rf $RPM_BUILD_ROOT
diff --git a/src/Makefile.am b/src/Makefile.am index 7d29e28..7514870 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -24,6 +24,7 @@ SUBDIRS = kimchi distros.d
EXTRA_DIST = kimchid.in \ kimchi.conf.in \ + firewalld.xml \ $(NULL)
bin_SCRIPTS = kimchid diff --git a/src/firewalld.xml b/src/firewalld.xml new file mode 100644 index 0000000..7472e20 --- /dev/null +++ b/src/firewalld.xml @@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>kimchid</short> + <description>Kimchid is a daemon service for kimchi which is a HTML5 based management tool for KVM. It is designed to make it as easy as possible to get started with KVM and create your first guest.</description> + <port protocol="tcp" port="8000"/> + <port protocol="tcp" port="8001"/> +</service>
-- Thanks Eli (Li Yong) Qiao (qiaoly@cn.ibm.com) CSTL-KVM Frobisher/RHEV-H
On 01/07/2014 05:44 AM, Eli Qiao wrote:
? 2014?01?07? 01:31, Aline Manera ??:
* **opensuse-vm*:~/kimchi # rpm -ivh /root/kimchi/rpm/RPMS/x86_64/kimchi-1.1.0-51.git831ea68.x86_64.rpm Preparing... ################################# [100%] Updating / installing... 1:kimchi-1.1.0-51.git831ea68 ################################# [100%] warning: %post(kimchi-1.1.0-51.git831ea68.x86_64) scriptlet failed, exit status 1
While running all command from post section manually I got:
opensuse-vm:~/kimchi # service iptables save service: no such service iptables
In opensuse you need to use /sbin/SuSEfirewall2
hello Aline thanks for your testing and comments I am not quite familiar with open suse or environment , so I have not so much confident with the changes for suse. I'd like to remove changes for suse from this patch, and Could you please merge my patch and I will send a following separate patch to support suse later ? will send a new version to remove this change for suse.
No problem. Just don't forget to send the SUSE code
thanks Eli
On 01/06/2014 04:10 AM, taget@linux.vnet.ibm.com wrote:
From: Eli Qiao<taget@linux.vnet.ibm.com>
Use firewalld to manager firewall rules on RHEL7, fedora and ubuntu. Add static rules in iptables to on RHEL6.
Signed-off-by: Eli Qiao<taget@linux.vnet.ibm.com> --- Makefile.am | 3 +++ contrib/DEBIAN/control.in | 3 ++- contrib/DEBIAN/postinst | 6 ++++++ contrib/DEBIAN/postrm | 2 ++ contrib/kimchi.spec.fedora.in | 26 ++++++++++++++++++++++++++ contrib/kimchi.spec.suse.in | 10 ++++++++-- src/Makefile.am | 1 + src/firewalld.xml | 7 +++++++ 8 files changed, 55 insertions(+), 3 deletions(-) create mode 100644 src/firewalld.xml
diff --git a/Makefile.am b/Makefile.am index 1fb3502..83dab8b 100644 --- a/Makefile.am +++ b/Makefile.am @@ -79,8 +79,11 @@ all-local: install-deb: install cp -R $(top_srcdir)/contrib/DEBIAN $(DESTDIR)/ $(MKDIR_P) $(DESTDIR)/etc/init + $(MKDIR_P) $(DESTDIR)/usr/lib/firewalld/services cp -R $(top_srcdir)/contrib/kimchid-upstart.conf.debian \ $(DESTDIR)/etc/init/kimchid.conf + cp -R $(top_srcdir)/src/firewalld.xml \ + $(DESTDIR)/usr/lib/firewalld/services/kimchid.xml
deb: contrib/make-deb.sh diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in index 380584c..c0ea1f1 100644 --- a/contrib/DEBIAN/control.in +++ b/contrib/DEBIAN/control.in @@ -17,7 +17,8 @@ Depends: python-cherrypy3 (>= 3.2.0), python-psutil (>= 0.6.0), python-ethtool, sosreport, - python-ipaddr + python-ipaddr, + firewalld Build-Depends: Maintainer: Aline Manera<alinefm@br.ibm.com> Description: Kimchi web server diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst index c1fc22e..2726753 100755 --- a/contrib/DEBIAN/postinst +++ b/contrib/DEBIAN/postinst @@ -19,3 +19,9 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
service kimchid start +service firewalld status | grep "not running" >/dev/null 2>&1 +if [[ $? -eq 0 ]]; then + service firewalld start >/dev/null 2>&1 +fi +firewall-cmd --reload >/dev/null 2>&1 +firewall-cmd --add-service kimchid >/dev/null 2>&1 diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm index ef90b49..22db3ce 100755 --- a/contrib/DEBIAN/postrm +++ b/contrib/DEBIAN/postrm @@ -26,3 +26,5 @@ case "$1" in rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/ ;; esac + +firewall-cmd --remove-service kimchid >/dev/null 2>&1 diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index 3044fc8..3bb5b1c 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in @@ -34,6 +34,7 @@ BuildRequires: python-unittest2
%if 0%{?with_systemd} Requires: systemd +Requires: firewalld Requires(post): systemd Requires(preun): systemd Requires(postun): systemd @@ -63,6 +64,7 @@ make DESTDIR=%{buildroot} install %if 0%{?with_systemd} # Install the systemd scripts install -Dm 0644 contrib/kimchid.service.fedora %{buildroot}%{_unitdir}/kimchid.service +install -Dm 0640 src/firewalld.xml %{buildroot}%{_prefix}/lib/firewalld/services/kimchid.xml %endif
%if 0%{?rhel} == 6 @@ -87,12 +89,35 @@ start kimchid service kimchid start %endif
+%if 0%{?with_systemd} +service firewalld status | grep "active (running)" >/dev/null 2>&1 +if [[ $? -ne 0 ]]; then + service firewalld start >/dev/null 2>&1 +fi +# Add firewalld rules to open 8000 and 8001 port +firewall-cmd --reload >/dev/null 2>&1 +firewall-cmd --add-service kimchid >/dev/null 2>&1 +%else +# Add default iptable rules to open 8000 and 8001 port +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save >/dev/null 2>&1 +%endif + %preun + if [ $1 -eq 0 ] ; then # Package removal, not upgrade /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || : /bin/systemctl stop kimchid.service > /dev/null 2>&1 || : + %if 0%{?with_systemd} + firewall-cmd --remove-service kimchid >/dev/null 2>&1 || : + %else + iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || : + iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || : + %endif fi + exit 0
@@ -155,6 +180,7 @@ rm -rf $RPM_BUILD_ROOT
%if 0%{?with_systemd} %{_unitdir}/kimchid.service +%{_prefix}/lib/firewalld/services/kimchid.xml %endif %if 0%{?rhel} == 6 /etc/init/kimchid.conf diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in index 190b2be..be5172d 100644 --- a/contrib/kimchi.spec.suse.in +++ b/contrib/kimchi.spec.suse.in @@ -46,10 +46,16 @@ install -Dm 0755 contrib/kimchid.sysvinit %{buildroot}%{_initrddir}/kimchid %post service kimchid start chkconfig kimchid on - +# Add iptables rules to open 8000 and 8001 port +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save >/dev/null 2>&1 %preun service kimchid stop - +# Remove iptables rules to open 8000 and 8001 port +iptables -D INPUT -p tcp --dport 8000 -j ACCEPT +iptables -D INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save >/dev/null 2>&1 %clean rm -rf $RPM_BUILD_ROOT
diff --git a/src/Makefile.am b/src/Makefile.am index 7d29e28..7514870 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -24,6 +24,7 @@ SUBDIRS = kimchi distros.d
EXTRA_DIST = kimchid.in \ kimchi.conf.in \ + firewalld.xml \ $(NULL)
bin_SCRIPTS = kimchid diff --git a/src/firewalld.xml b/src/firewalld.xml new file mode 100644 index 0000000..7472e20 --- /dev/null +++ b/src/firewalld.xml @@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>kimchid</short> + <description>Kimchid is a daemon service for kimchi which is a HTML5 based management tool for KVM. It is designed to make it as easy as possible to get started with KVM and create your first guest.</description> + <port protocol="tcp" port="8000"/> + <port protocol="tcp" port="8001"/> +</service>
-- Thanks Eli (Li Yong) Qiao (qiaoly@cn.ibm.com) CSTL-KVM Frobisher/RHEV-H
participants (4)
-
Aline Manera -
Eli Qiao -
Shu Ming -
taget@linux.vnet.ibm.com