12:10 a.m.
From: Eli Qiao <taget(a)linux.vnet.ibm.com>
V7 -V6 changes:
1. Remove firewalld message when install kimchi rpm on fedora/RHEL
2. Start firewalld service if not start
3. Ship kimchid.xml to ubuntu distro in Makefile.am
V6 -V5 changes:
1.Keep specific condition for RHEL6 when starting kimchid service
2.Remove full path of firewall-cmd in postrm
V5 - V4 changes:
1. Add cover-letter. (Aline)
2. Move clean up rules into if condition. (Aline)
3. Use with_systemd condition to check if use firewalld rules. (Aline)
4. Fix typo (Aline)
V4 - V3 changes:
1 Fix typo in firewalld.xml (Rodrigo)
V3 - V2 changes:
1.Rename kimchid.xml to firewalld.xml (Mark)
2.Remove firewalld from serivce require (Mark)
3.Fix typo
V2 - V1 changes:
1.Add firewalld sevice configure file kimchid.xml to help open iptables port (Mark)
2.Add Ubuntu iptables rule (Royce)
Eli Qiao (1):
spec: Open 8000 and 8001 port by default
Makefile.am | 3 +++
contrib/DEBIAN/control.in | 3 ++-
contrib/DEBIAN/postinst | 6 ++++++
contrib/DEBIAN/postrm | 2 ++
contrib/kimchi.spec.fedora.in | 26 ++++++++++++++++++++++++++
contrib/kimchi.spec.suse.in | 10 ++++++++--
src/Makefile.am | 1 +
src/firewalld.xml | 7 +++++++
8 files changed, 55 insertions(+), 3 deletions(-)
create mode 100644 src/firewalld.xml
--
1.8.3.1
12:10 a.m.
New subject: [PATCH V7 1/1] spec: Open 8000 and 8001 port by default
From: Eli Qiao <taget(a)linux.vnet.ibm.com>
Use firewalld to manager firewall rules on RHEL7, fedora and ubuntu.
Add static rules in iptables to on RHEL6.
Signed-off-by: Eli Qiao <taget(a)linux.vnet.ibm.com>
---
Makefile.am | 3 +++
contrib/DEBIAN/control.in | 3 ++-
contrib/DEBIAN/postinst | 6 ++++++
contrib/DEBIAN/postrm | 2 ++
contrib/kimchi.spec.fedora.in | 26 ++++++++++++++++++++++++++
contrib/kimchi.spec.suse.in | 10 ++++++++--
src/Makefile.am | 1 +
src/firewalld.xml | 7 +++++++
8 files changed, 55 insertions(+), 3 deletions(-)
create mode 100644 src/firewalld.xml
diff --git a/Makefile.am b/Makefile.am
index 1fb3502..83dab8b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -79,8 +79,11 @@ all-local:
install-deb: install
cp -R $(top_srcdir)/contrib/DEBIAN $(DESTDIR)/
$(MKDIR_P) $(DESTDIR)/etc/init
+ $(MKDIR_P) $(DESTDIR)/usr/lib/firewalld/services
cp -R $(top_srcdir)/contrib/kimchid-upstart.conf.debian \
$(DESTDIR)/etc/init/kimchid.conf
+ cp -R $(top_srcdir)/src/firewalld.xml \
+ $(DESTDIR)/usr/lib/firewalld/services/kimchid.xml
deb: contrib/make-deb.sh
diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
index 380584c..c0ea1f1 100644
--- a/contrib/DEBIAN/control.in
+++ b/contrib/DEBIAN/control.in
@@ -17,7 +17,8 @@ Depends: python-cherrypy3 (>= 3.2.0),
python-psutil (>= 0.6.0),
python-ethtool,
sosreport,
- python-ipaddr
+ python-ipaddr,
+ firewalld
Build-Depends:
Maintainer: Aline Manera <alinefm(a)br.ibm.com>
Description: Kimchi web server
diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
index c1fc22e..2726753 100755
--- a/contrib/DEBIAN/postinst
+++ b/contrib/DEBIAN/postinst
@@ -19,3 +19,9 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
service kimchid start
+service firewalld status | grep "not running" >/dev/null 2>&1
+if [[ $? -eq 0 ]]; then
+ service firewalld start >/dev/null 2>&1
+fi
+firewall-cmd --reload >/dev/null 2>&1
+firewall-cmd --add-service kimchid >/dev/null 2>&1
diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm
index ef90b49..22db3ce 100755
--- a/contrib/DEBIAN/postrm
+++ b/contrib/DEBIAN/postrm
@@ -26,3 +26,5 @@ case "$1" in
rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/
;;
esac
+
+firewall-cmd --remove-service kimchid >/dev/null 2>&1
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
index 3044fc8..3bb5b1c 100644
--- a/contrib/kimchi.spec.fedora.in
+++ b/contrib/kimchi.spec.fedora.in
@@ -34,6 +34,7 @@ BuildRequires: python-unittest2
%if 0%{?with_systemd}
Requires: systemd
+Requires: firewalld
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
@@ -63,6 +64,7 @@ make DESTDIR=%{buildroot} install
%if 0%{?with_systemd}
# Install the systemd scripts
install -Dm 0644 contrib/kimchid.service.fedora %{buildroot}%{_unitdir}/kimchid.service
+install -Dm 0640 src/firewalld.xml
%{buildroot}%{_prefix}/lib/firewalld/services/kimchid.xml
%endif
%if 0%{?rhel} == 6
@@ -87,12 +89,35 @@ start kimchid
service kimchid start
%endif
+%if 0%{?with_systemd}
+service firewalld status | grep "active (running)" >/dev/null 2>&1
+if [[ $? -ne 0 ]]; then
+ service firewalld start >/dev/null 2>&1
+fi
+# Add firewalld rules to open 8000 and 8001 port
+firewall-cmd --reload >/dev/null 2>&1
+firewall-cmd --add-service kimchid >/dev/null 2>&1
+%else
+# Add default iptable rules to open 8000 and 8001 port
+iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
+iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
+service iptables save >/dev/null 2>&1
+%endif
+
%preun
+
if [ $1 -eq 0 ] ; then
# Package removal, not upgrade
/bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || :
/bin/systemctl stop kimchid.service > /dev/null 2>&1 || :
+ %if 0%{?with_systemd}
+ firewall-cmd --remove-service kimchid >/dev/null 2>&1 || :
+ %else
+ iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || :
+ iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || :
+ %endif
fi
+
exit 0
@@ -155,6 +180,7 @@ rm -rf $RPM_BUILD_ROOT
%if 0%{?with_systemd}
%{_unitdir}/kimchid.service
+%{_prefix}/lib/firewalld/services/kimchid.xml
%endif
%if 0%{?rhel} == 6
/etc/init/kimchid.conf
diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in
index 190b2be..be5172d 100644
--- a/contrib/kimchi.spec.suse.in
+++ b/contrib/kimchi.spec.suse.in
@@ -46,10 +46,16 @@ install -Dm 0755 contrib/kimchid.sysvinit
%{buildroot}%{_initrddir}/kimchid
%post
service kimchid start
chkconfig kimchid on
-
+# Add iptables rules to open 8000 and 8001 port
+iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
+iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
+service iptables save >/dev/null 2>&1
%preun
service kimchid stop
-
+# Remove iptables rules to open 8000 and 8001 port
+iptables -D INPUT -p tcp --dport 8000 -j ACCEPT
+iptables -D INPUT -p tcp --dport 8001 -j ACCEPT
+service iptables save >/dev/null 2>&1
%clean
rm -rf $RPM_BUILD_ROOT
diff --git a/src/Makefile.am b/src/Makefile.am
index 7d29e28..7514870 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -24,6 +24,7 @@ SUBDIRS = kimchi distros.d
EXTRA_DIST = kimchid.in \
kimchi.conf.in \
+ firewalld.xml \
$(NULL)
bin_SCRIPTS = kimchid
diff --git a/src/firewalld.xml b/src/firewalld.xml
new file mode 100644
index 0000000..7472e20
--- /dev/null
+++ b/src/firewalld.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+ <short>kimchid</short>
+ <description>Kimchid is a daemon service for kimchi which is a HTML5 based
management tool for KVM. It is designed to make it as easy as possible to get started with
KVM and create your first guest.</description>
+ <port protocol="tcp" port="8000"/>
+ <port protocol="tcp" port="8001"/>
+</service>
--
1.8.3.1
2:19 a.m.
New subject: [PATCH V7 1/1] spec: Open 8000 and 8001 port by default
于 2014/1/6 14:10, taget(a)linux.vnet.ibm.com 写道:
From: Eli Qiao <taget(a)linux.vnet.ibm.com>
Use firewalld to manager firewall rules on RHEL7, fedora and ubuntu.
Add static rules in iptables to on RHEL6.
Signed-off-by: Eli Qiao <taget(a)linux.vnet.ibm.com>
---
Makefile.am | 3 +++
contrib/DEBIAN/control.in | 3 ++-
contrib/DEBIAN/postinst | 6 ++++++
contrib/DEBIAN/postrm | 2 ++
contrib/kimchi.spec.fedora.in | 26 ++++++++++++++++++++++++++
contrib/kimchi.spec.suse.in | 10 ++++++++--
src/Makefile.am | 1 +
src/firewalld.xml | 7 +++++++
8 files changed, 55 insertions(+), 3 deletions(-)
create mode 100644 src/firewalld.xml
diff --git a/Makefile.am b/Makefile.am
index 1fb3502..83dab8b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -79,8 +79,11 @@ all-local:
install-deb: install
cp -R $(top_srcdir)/contrib/DEBIAN $(DESTDIR)/
$(MKDIR_P) $(DESTDIR)/etc/init
+ $(MKDIR_P) $(DESTDIR)/usr/lib/firewalld/services
I think the firewalld service is
assumed to be started before kimchi is
installed and the "*/firewalld/services directory" is already exisiting.
Also, the firewalld is assumed be under system directory which should
not be prefixed by $(DESTDIR).
cp -R $(top_srcdir)/contrib/kimchid-upstart.conf.debian \
$(DESTDIR)/etc/init/kimchid.conf
+ cp -R $(top_srcdir)/src/firewalld.xml \
+ $(DESTDIR)/usr/lib/firewalld/services/kimchid.xml
deb: contrib/make-deb.sh
diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
index 380584c..c0ea1f1 100644
--- a/contrib/DEBIAN/control.in
+++ b/contrib/DEBIAN/control.in
@@ -17,7 +17,8 @@ Depends: python-cherrypy3 (>= 3.2.0),
python-psutil (>= 0.6.0),
python-ethtool,
sosreport,
- python-ipaddr
+ python-ipaddr,
+ firewalld
Build-Depends:
Maintainer: Aline Manera <alinefm(a)br.ibm.com>
Description: Kimchi web server
diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
index c1fc22e..2726753 100755
--- a/contrib/DEBIAN/postinst
+++ b/contrib/DEBIAN/postinst
@@ -19,3 +19,9 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
service kimchid start
+service firewalld status | grep "not running" >/dev/null 2>&1
+if [[ $? -eq 0 ]]; then
+ service firewalld start >/dev/null 2>&1
+fi
+firewall-cmd --reload >/dev/null 2>&1
+firewall-cmd --add-service kimchid >/dev/null 2>&1
diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm
index ef90b49..22db3ce 100755
--- a/contrib/DEBIAN/postrm
+++ b/contrib/DEBIAN/postrm
@@ -26,3 +26,5 @@ case "$1" in
rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/
;;
esac
+
+firewall-cmd --remove-service kimchid >/dev/null 2>&1
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
index 3044fc8..3bb5b1c 100644
--- a/contrib/kimchi.spec.fedora.in
+++ b/contrib/kimchi.spec.fedora.in
@@ -34,6 +34,7 @@ BuildRequires: python-unittest2
%if 0%{?with_systemd}
Requires: systemd
+Requires: firewalld
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
@@ -63,6 +64,7 @@ make DESTDIR=%{buildroot} install
%if 0%{?with_systemd}
# Install the systemd scripts
install -Dm 0644 contrib/kimchid.service.fedora
%{buildroot}%{_unitdir}/kimchid.service
+install -Dm 0640 src/firewalld.xml
%{buildroot}%{_prefix}/lib/firewalld/services/kimchid.xml
%endif
%if 0%{?rhel} == 6
@@ -87,12 +89,35 @@ start kimchid
service kimchid start
%endif
+%if 0%{?with_systemd}
+service firewalld status | grep "active (running)" >/dev/null 2>&1
+if [[ $? -ne 0 ]]; then
+ service firewalld start >/dev/null 2>&1
+fi
+# Add firewalld rules to open 8000 and 8001 port
+firewall-cmd --reload >/dev/null 2>&1
+firewall-cmd --add-service kimchid >/dev/null 2>&1
+%else
+# Add default iptable rules to open 8000 and 8001 port
+iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
+iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
+service iptables save >/dev/null 2>&1
+%endif
+
%preun
+
if [ $1 -eq 0 ] ; then
# Package removal, not upgrade
/bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || :
/bin/systemctl stop kimchid.service > /dev/null 2>&1 || :
+ %if 0%{?with_systemd}
+ firewall-cmd --remove-service kimchid >/dev/null 2>&1 || :
+ %else
+ iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || :
+ iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || :
+ %endif
fi
+
exit 0
@@ -155,6 +180,7 @@ rm -rf $RPM_BUILD_ROOT
%if 0%{?with_systemd}
%{_unitdir}/kimchid.service
+%{_prefix}/lib/firewalld/services/kimchid.xml
%endif
%if 0%{?rhel} == 6
/etc/init/kimchid.conf
diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in
index 190b2be..be5172d 100644
--- a/contrib/kimchi.spec.suse.in
+++ b/contrib/kimchi.spec.suse.in
@@ -46,10 +46,16 @@ install -Dm 0755 contrib/kimchid.sysvinit
%{buildroot}%{_initrddir}/kimchid
%post
service kimchid start
chkconfig kimchid on
-
+# Add iptables rules to open 8000 and 8001 port
+iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
+iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
+service iptables save >/dev/null 2>&1
%preun
service kimchid stop
-
+# Remove iptables rules to open 8000 and 8001 port
+iptables -D INPUT -p tcp --dport 8000 -j ACCEPT
+iptables -D INPUT -p tcp --dport 8001 -j ACCEPT
+service iptables save >/dev/null 2>&1
%clean
rm -rf $RPM_BUILD_ROOT
diff --git a/src/Makefile.am b/src/Makefile.am
index 7d29e28..7514870 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -24,6 +24,7 @@ SUBDIRS = kimchi distros.d
EXTRA_DIST = kimchid.in \
kimchi.conf.in \
+ firewalld.xml \
$(NULL)
bin_SCRIPTS = kimchid
diff --git a/src/firewalld.xml b/src/firewalld.xml
new file mode 100644
index 0000000..7472e20
--- /dev/null
+++ b/src/firewalld.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+ <short>kimchid</short>
+ <description>Kimchid is a daemon service for kimchi which is a HTML5 based
management tool for KVM. It is designed to make it as easy as possible to get started with
KVM and create your first guest.</description>
+ <port protocol="tcp" port="8000"/>
+ <port protocol="tcp" port="8001"/>
+</service>
11:31 a.m.
New subject: [PATCH V7 1/1] spec: Open 8000 and 8001 port by default
*
**opensuse-vm*:~/kimchi # rpm -ivh
/root/kimchi/rpm/RPMS/x86_64/kimchi-1.1.0-51.git831ea68.x86_64.rpm
Preparing... ################################# [100%]
Updating / installing...
1:kimchi-1.1.0-51.git831ea68 ################################# [100%]
warning: %post(kimchi-1.1.0-51.git831ea68.x86_64) scriptlet failed, exit
status 1
While running all command from post section manually I got:
opensuse-vm:~/kimchi # service iptables save
service: no such service iptables
In opensuse you need to use /sbin/SuSEfirewall2
On 01/06/2014 04:10 AM, taget(a)linux.vnet.ibm.com wrote:
From: Eli Qiao <taget(a)linux.vnet.ibm.com>
Use firewalld to manager firewall rules on RHEL7, fedora and ubuntu.
Add static rules in iptables to on RHEL6.
Signed-off-by: Eli Qiao <taget(a)linux.vnet.ibm.com>
---
Makefile.am | 3 +++
contrib/DEBIAN/control.in | 3 ++-
contrib/DEBIAN/postinst | 6 ++++++
contrib/DEBIAN/postrm | 2 ++
contrib/kimchi.spec.fedora.in | 26 ++++++++++++++++++++++++++
contrib/kimchi.spec.suse.in | 10 ++++++++--
src/Makefile.am | 1 +
src/firewalld.xml | 7 +++++++
8 files changed, 55 insertions(+), 3 deletions(-)
create mode 100644 src/firewalld.xml
diff --git a/Makefile.am b/Makefile.am
index 1fb3502..83dab8b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -79,8 +79,11 @@ all-local:
install-deb: install
cp -R $(top_srcdir)/contrib/DEBIAN $(DESTDIR)/
$(MKDIR_P) $(DESTDIR)/etc/init
+ $(MKDIR_P) $(DESTDIR)/usr/lib/firewalld/services
cp -R $(top_srcdir)/contrib/kimchid-upstart.conf.debian \
$(DESTDIR)/etc/init/kimchid.conf
+ cp -R $(top_srcdir)/src/firewalld.xml \
+ $(DESTDIR)/usr/lib/firewalld/services/kimchid.xml
deb: contrib/make-deb.sh
diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
index 380584c..c0ea1f1 100644
--- a/contrib/DEBIAN/control.in
+++ b/contrib/DEBIAN/control.in
@@ -17,7 +17,8 @@ Depends: python-cherrypy3 (>= 3.2.0),
python-psutil (>= 0.6.0),
python-ethtool,
sosreport,
- python-ipaddr
+ python-ipaddr,
+ firewalld
Build-Depends:
Maintainer: Aline Manera <alinefm(a)br.ibm.com>
Description: Kimchi web server
diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
index c1fc22e..2726753 100755
--- a/contrib/DEBIAN/postinst
+++ b/contrib/DEBIAN/postinst
@@ -19,3 +19,9 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
service kimchid start
+service firewalld status | grep "not running" >/dev/null 2>&1
+if [[ $? -eq 0 ]]; then
+ service firewalld start >/dev/null 2>&1
+fi
+firewall-cmd --reload >/dev/null 2>&1
+firewall-cmd --add-service kimchid >/dev/null 2>&1
diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm
index ef90b49..22db3ce 100755
--- a/contrib/DEBIAN/postrm
+++ b/contrib/DEBIAN/postrm
@@ -26,3 +26,5 @@ case "$1" in
rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/
;;
esac
+
+firewall-cmd --remove-service kimchid >/dev/null 2>&1
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
index 3044fc8..3bb5b1c 100644
--- a/contrib/kimchi.spec.fedora.in
+++ b/contrib/kimchi.spec.fedora.in
@@ -34,6 +34,7 @@ BuildRequires: python-unittest2
%if 0%{?with_systemd}
Requires: systemd
+Requires: firewalld
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
@@ -63,6 +64,7 @@ make DESTDIR=%{buildroot} install
%if 0%{?with_systemd}
# Install the systemd scripts
install -Dm 0644 contrib/kimchid.service.fedora
%{buildroot}%{_unitdir}/kimchid.service
+install -Dm 0640 src/firewalld.xml
%{buildroot}%{_prefix}/lib/firewalld/services/kimchid.xml
%endif
%if 0%{?rhel} == 6
@@ -87,12 +89,35 @@ start kimchid
service kimchid start
%endif
+%if 0%{?with_systemd}
+service firewalld status | grep "active (running)" >/dev/null 2>&1
+if [[ $? -ne 0 ]]; then
+ service firewalld start >/dev/null 2>&1
+fi
+# Add firewalld rules to open 8000 and 8001 port
+firewall-cmd --reload >/dev/null 2>&1
+firewall-cmd --add-service kimchid >/dev/null 2>&1
+%else
+# Add default iptable rules to open 8000 and 8001 port
+iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
+iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
+service iptables save >/dev/null 2>&1
+%endif
+
%preun
+
if [ $1 -eq 0 ] ; then
# Package removal, not upgrade
/bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || :
/bin/systemctl stop kimchid.service > /dev/null 2>&1 || :
+ %if 0%{?with_systemd}
+ firewall-cmd --remove-service kimchid >/dev/null 2>&1 || :
+ %else
+ iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || :
+ iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || :
+ %endif
fi
+
exit 0
@@ -155,6 +180,7 @@ rm -rf $RPM_BUILD_ROOT
%if 0%{?with_systemd}
%{_unitdir}/kimchid.service
+%{_prefix}/lib/firewalld/services/kimchid.xml
%endif
%if 0%{?rhel} == 6
/etc/init/kimchid.conf
diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in
index 190b2be..be5172d 100644
--- a/contrib/kimchi.spec.suse.in
+++ b/contrib/kimchi.spec.suse.in
@@ -46,10 +46,16 @@ install -Dm 0755 contrib/kimchid.sysvinit
%{buildroot}%{_initrddir}/kimchid
%post
service kimchid start
chkconfig kimchid on
-
+# Add iptables rules to open 8000 and 8001 port
+iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
+iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
+service iptables save >/dev/null 2>&1
%preun
service kimchid stop
-
+# Remove iptables rules to open 8000 and 8001 port
+iptables -D INPUT -p tcp --dport 8000 -j ACCEPT
+iptables -D INPUT -p tcp --dport 8001 -j ACCEPT
+service iptables save >/dev/null 2>&1
%clean
rm -rf $RPM_BUILD_ROOT
diff --git a/src/Makefile.am b/src/Makefile.am
index 7d29e28..7514870 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -24,6 +24,7 @@ SUBDIRS = kimchi distros.d
EXTRA_DIST = kimchid.in \
kimchi.conf.in \
+ firewalld.xml \
$(NULL)
bin_SCRIPTS = kimchid
diff --git a/src/firewalld.xml b/src/firewalld.xml
new file mode 100644
index 0000000..7472e20
--- /dev/null
+++ b/src/firewalld.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+ <short>kimchid</short>
+ <description>Kimchid is a daemon service for kimchi which is a HTML5 based
management tool for KVM. It is designed to make it as easy as possible to get started with
KVM and create your first guest.</description>
+ <port protocol="tcp" port="8000"/>
+ <port protocol="tcp" port="8001"/>
+</service>
1:44 a.m.
New subject: [PATCH V7 1/1] spec: Open 8000 and 8001 port by default
? 2014?01?07? 01:31, Aline Manera ??:
*
**opensuse-vm*:~/kimchi # rpm -ivh
/root/kimchi/rpm/RPMS/x86_64/kimchi-1.1.0-51.git831ea68.x86_64.rpm
Preparing... ################################# [100%]
Updating / installing...
1:kimchi-1.1.0-51.git831ea68 ################################# [100%]
warning: %post(kimchi-1.1.0-51.git831ea68.x86_64) scriptlet failed,
exit status 1
While running all command from post section manually I got:
opensuse-vm:~/kimchi # service iptables save
service: no such service iptables
In opensuse you need to use /sbin/SuSEfirewall2
hello Aline
thanks for your testing and comments
I am not quite familiar with open suse or environment ,
so I have not so much confident with the changes for suse.
I'd like to remove changes for suse from this patch, and
Could you please merge my patch and I will send a following separate
patch to support suse
later ?
will send a new version to remove this change for suse.
thanks Eli
On 01/06/2014 04:10 AM, taget(a)linux.vnet.ibm.com wrote:
> From: Eli Qiao<taget(a)linux.vnet.ibm.com>
>
> Use firewalld to manager firewall rules on RHEL7, fedora and ubuntu.
> Add static rules in iptables to on RHEL6.
>
> Signed-off-by: Eli Qiao<taget(a)linux.vnet.ibm.com>
> ---
> Makefile.am | 3 +++
> contrib/DEBIAN/control.in | 3 ++-
> contrib/DEBIAN/postinst | 6 ++++++
> contrib/DEBIAN/postrm | 2 ++
> contrib/kimchi.spec.fedora.in | 26 ++++++++++++++++++++++++++
> contrib/kimchi.spec.suse.in | 10 ++++++++--
> src/Makefile.am | 1 +
> src/firewalld.xml | 7 +++++++
> 8 files changed, 55 insertions(+), 3 deletions(-)
> create mode 100644 src/firewalld.xml
>
> diff --git a/Makefile.am b/Makefile.am
> index 1fb3502..83dab8b 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -79,8 +79,11 @@ all-local:
> install-deb: install
> cp -R $(top_srcdir)/contrib/DEBIAN $(DESTDIR)/
> $(MKDIR_P) $(DESTDIR)/etc/init
> + $(MKDIR_P) $(DESTDIR)/usr/lib/firewalld/services
> cp -R $(top_srcdir)/contrib/kimchid-upstart.conf.debian \
> $(DESTDIR)/etc/init/kimchid.conf
> + cp -R $(top_srcdir)/src/firewalld.xml \
> + $(DESTDIR)/usr/lib/firewalld/services/kimchid.xml
>
>
> deb: contrib/make-deb.sh
> diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
> index 380584c..c0ea1f1 100644
> --- a/contrib/DEBIAN/control.in
> +++ b/contrib/DEBIAN/control.in
> @@ -17,7 +17,8 @@ Depends: python-cherrypy3 (>= 3.2.0),
> python-psutil (>= 0.6.0),
> python-ethtool,
> sosreport,
> - python-ipaddr
> + python-ipaddr,
> + firewalld
> Build-Depends:
> Maintainer: Aline Manera<alinefm(a)br.ibm.com>
> Description: Kimchi web server
> diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
> index c1fc22e..2726753 100755
> --- a/contrib/DEBIAN/postinst
> +++ b/contrib/DEBIAN/postinst
> @@ -19,3 +19,9 @@
> # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>
> service kimchid start
> +service firewalld status | grep "not running" >/dev/null 2>&1
> +if [[ $? -eq 0 ]]; then
> + service firewalld start >/dev/null 2>&1
> +fi
> +firewall-cmd --reload >/dev/null 2>&1
> +firewall-cmd --add-service kimchid >/dev/null 2>&1
> diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm
> index ef90b49..22db3ce 100755
> --- a/contrib/DEBIAN/postrm
> +++ b/contrib/DEBIAN/postrm
> @@ -26,3 +26,5 @@ case "$1" in
> rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/
> ;;
> esac
> +
> +firewall-cmd --remove-service kimchid >/dev/null 2>&1
> diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
> index 3044fc8..3bb5b1c 100644
> --- a/contrib/kimchi.spec.fedora.in
> +++ b/contrib/kimchi.spec.fedora.in
> @@ -34,6 +34,7 @@ BuildRequires: python-unittest2
>
> %if 0%{?with_systemd}
> Requires: systemd
> +Requires: firewalld
> Requires(post): systemd
> Requires(preun): systemd
> Requires(postun): systemd
> @@ -63,6 +64,7 @@ make DESTDIR=%{buildroot} install
> %if 0%{?with_systemd}
> # Install the systemd scripts
> install -Dm 0644 contrib/kimchid.service.fedora
%{buildroot}%{_unitdir}/kimchid.service
> +install -Dm 0640 src/firewalld.xml
%{buildroot}%{_prefix}/lib/firewalld/services/kimchid.xml
> %endif
>
> %if 0%{?rhel} == 6
> @@ -87,12 +89,35 @@ start kimchid
> service kimchid start
> %endif
>
> +%if 0%{?with_systemd}
> +service firewalld status | grep "active (running)" >/dev/null
2>&1
> +if [[ $? -ne 0 ]]; then
> + service firewalld start >/dev/null 2>&1
> +fi
> +# Add firewalld rules to open 8000 and 8001 port
> +firewall-cmd --reload >/dev/null 2>&1
> +firewall-cmd --add-service kimchid >/dev/null 2>&1
> +%else
> +# Add default iptable rules to open 8000 and 8001 port
> +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
> +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
> +service iptables save >/dev/null 2>&1
> +%endif
> +
> %preun
> +
> if [ $1 -eq 0 ] ; then
> # Package removal, not upgrade
> /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1
|| :
> /bin/systemctl stop kimchid.service > /dev/null 2>&1 || :
> + %if 0%{?with_systemd}
> + firewall-cmd --remove-service kimchid >/dev/null 2>&1 || :
> + %else
> + iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || :
> + iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || :
> + %endif
> fi
> +
> exit 0
>
>
> @@ -155,6 +180,7 @@ rm -rf $RPM_BUILD_ROOT
>
> %if 0%{?with_systemd}
> %{_unitdir}/kimchid.service
> +%{_prefix}/lib/firewalld/services/kimchid.xml
> %endif
> %if 0%{?rhel} == 6
> /etc/init/kimchid.conf
> diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in
> index 190b2be..be5172d 100644
> --- a/contrib/kimchi.spec.suse.in
> +++ b/contrib/kimchi.spec.suse.in
> @@ -46,10 +46,16 @@ install -Dm 0755 contrib/kimchid.sysvinit
%{buildroot}%{_initrddir}/kimchid
> %post
> service kimchid start
> chkconfig kimchid on
> -
> +# Add iptables rules to open 8000 and 8001 port
> +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
> +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
> +service iptables save >/dev/null 2>&1
> %preun
> service kimchid stop
> -
> +# Remove iptables rules to open 8000 and 8001 port
> +iptables -D INPUT -p tcp --dport 8000 -j ACCEPT
> +iptables -D INPUT -p tcp --dport 8001 -j ACCEPT
> +service iptables save >/dev/null 2>&1
> %clean
> rm -rf $RPM_BUILD_ROOT
>
> diff --git a/src/Makefile.am b/src/Makefile.am
> index 7d29e28..7514870 100644
> --- a/src/Makefile.am
> +++ b/src/Makefile.am
> @@ -24,6 +24,7 @@ SUBDIRS = kimchi distros.d
>
> EXTRA_DIST = kimchid.in \
> kimchi.conf.in \
> + firewalld.xml \
> $(NULL)
>
> bin_SCRIPTS = kimchid
> diff --git a/src/firewalld.xml b/src/firewalld.xml
> new file mode 100644
> index 0000000..7472e20
> --- /dev/null
> +++ b/src/firewalld.xml
> @@ -0,0 +1,7 @@
> +<?xml version="1.0" encoding="utf-8"?>
> +<service>
> + <short>kimchid</short>
> + <description>Kimchid is a daemon service for kimchi which is a HTML5 based
management tool for KVM. It is designed to make it as easy as possible to get started with
KVM and create your first guest.</description>
> + <port protocol="tcp" port="8000"/>
> + <port protocol="tcp" port="8001"/>
> +</service>
--
Thanks Eli (Li Yong) Qiao (qiaoly(a)cn.ibm.com)
CSTL-KVM Frobisher/RHEV-H
1:06 p.m.
New subject: [PATCH V7 1/1] spec: Open 8000 and 8001 port by default
On 01/07/2014 05:44 AM, Eli Qiao wrote:
? 2014?01?07? 01:31, Aline Manera ??:
> *
> **opensuse-vm*:~/kimchi # rpm -ivh
> /root/kimchi/rpm/RPMS/x86_64/kimchi-1.1.0-51.git831ea68.x86_64.rpm
> Preparing... ################################# [100%]
> Updating / installing...
> 1:kimchi-1.1.0-51.git831ea68 ################################# [100%]
> warning: %post(kimchi-1.1.0-51.git831ea68.x86_64) scriptlet failed,
> exit status 1
>
> While running all command from post section manually I got:
>
> opensuse-vm:~/kimchi # service iptables save
> service: no such service iptables
>
> In opensuse you need to use /sbin/SuSEfirewall2
>
hello Aline
thanks for your testing and comments
I am not quite familiar with open suse or environment ,
so I have not so much confident with the changes for suse.
I'd like to remove changes for suse from this patch, and
Could you please merge my patch and I will send a following separate
patch to support suse
later ?
will send a new version to remove this change for suse.
No problem. Just don't forget to send the SUSE code
thanks Eli
>
> On 01/06/2014 04:10 AM, taget(a)linux.vnet.ibm.com wrote:
>> From: Eli Qiao<taget(a)linux.vnet.ibm.com>
>>
>> Use firewalld to manager firewall rules on RHEL7, fedora and ubuntu.
>> Add static rules in iptables to on RHEL6.
>>
>> Signed-off-by: Eli Qiao<taget(a)linux.vnet.ibm.com>
>> ---
>> Makefile.am | 3 +++
>> contrib/DEBIAN/control.in | 3 ++-
>> contrib/DEBIAN/postinst | 6 ++++++
>> contrib/DEBIAN/postrm | 2 ++
>> contrib/kimchi.spec.fedora.in | 26 ++++++++++++++++++++++++++
>> contrib/kimchi.spec.suse.in | 10 ++++++++--
>> src/Makefile.am | 1 +
>> src/firewalld.xml | 7 +++++++
>> 8 files changed, 55 insertions(+), 3 deletions(-)
>> create mode 100644 src/firewalld.xml
>>
>> diff --git a/Makefile.am b/Makefile.am
>> index 1fb3502..83dab8b 100644
>> --- a/Makefile.am
>> +++ b/Makefile.am
>> @@ -79,8 +79,11 @@ all-local:
>> install-deb: install
>> cp -R $(top_srcdir)/contrib/DEBIAN $(DESTDIR)/
>> $(MKDIR_P) $(DESTDIR)/etc/init
>> + $(MKDIR_P) $(DESTDIR)/usr/lib/firewalld/services
>> cp -R $(top_srcdir)/contrib/kimchid-upstart.conf.debian \
>> $(DESTDIR)/etc/init/kimchid.conf
>> + cp -R $(top_srcdir)/src/firewalld.xml \
>> + $(DESTDIR)/usr/lib/firewalld/services/kimchid.xml
>>
>>
>> deb: contrib/make-deb.sh
>> diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
>> index 380584c..c0ea1f1 100644
>> --- a/contrib/DEBIAN/control.in
>> +++ b/contrib/DEBIAN/control.in
>> @@ -17,7 +17,8 @@ Depends: python-cherrypy3 (>= 3.2.0),
>> python-psutil (>= 0.6.0),
>> python-ethtool,
>> sosreport,
>> - python-ipaddr
>> + python-ipaddr,
>> + firewalld
>> Build-Depends:
>> Maintainer: Aline Manera<alinefm(a)br.ibm.com>
>> Description: Kimchi web server
>> diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
>> index c1fc22e..2726753 100755
>> --- a/contrib/DEBIAN/postinst
>> +++ b/contrib/DEBIAN/postinst
>> @@ -19,3 +19,9 @@
>> # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
USA
>>
>> service kimchid start
>> +service firewalld status | grep "not running" >/dev/null
2>&1
>> +if [[ $? -eq 0 ]]; then
>> + service firewalld start >/dev/null 2>&1
>> +fi
>> +firewall-cmd --reload >/dev/null 2>&1
>> +firewall-cmd --add-service kimchid >/dev/null 2>&1
>> diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm
>> index ef90b49..22db3ce 100755
>> --- a/contrib/DEBIAN/postrm
>> +++ b/contrib/DEBIAN/postrm
>> @@ -26,3 +26,5 @@ case "$1" in
>> rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/
>> ;;
>> esac
>> +
>> +firewall-cmd --remove-service kimchid >/dev/null 2>&1
>> diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
>> index 3044fc8..3bb5b1c 100644
>> --- a/contrib/kimchi.spec.fedora.in
>> +++ b/contrib/kimchi.spec.fedora.in
>> @@ -34,6 +34,7 @@ BuildRequires: python-unittest2
>>
>> %if 0%{?with_systemd}
>> Requires: systemd
>> +Requires: firewalld
>> Requires(post): systemd
>> Requires(preun): systemd
>> Requires(postun): systemd
>> @@ -63,6 +64,7 @@ make DESTDIR=%{buildroot} install
>> %if 0%{?with_systemd}
>> # Install the systemd scripts
>> install -Dm 0644 contrib/kimchid.service.fedora
%{buildroot}%{_unitdir}/kimchid.service
>> +install -Dm 0640 src/firewalld.xml
%{buildroot}%{_prefix}/lib/firewalld/services/kimchid.xml
>> %endif
>>
>> %if 0%{?rhel} == 6
>> @@ -87,12 +89,35 @@ start kimchid
>> service kimchid start
>> %endif
>>
>> +%if 0%{?with_systemd}
>> +service firewalld status | grep "active (running)" >/dev/null
2>&1
>> +if [[ $? -ne 0 ]]; then
>> + service firewalld start >/dev/null 2>&1
>> +fi
>> +# Add firewalld rules to open 8000 and 8001 port
>> +firewall-cmd --reload >/dev/null 2>&1
>> +firewall-cmd --add-service kimchid >/dev/null 2>&1
>> +%else
>> +# Add default iptable rules to open 8000 and 8001 port
>> +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
>> +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
>> +service iptables save >/dev/null 2>&1
>> +%endif
>> +
>> %preun
>> +
>> if [ $1 -eq 0 ] ; then
>> # Package removal, not upgrade
>> /bin/systemctl --no-reload disable kimchid.service > /dev/null
2>&1 || :
>> /bin/systemctl stop kimchid.service > /dev/null 2>&1 || :
>> + %if 0%{?with_systemd}
>> + firewall-cmd --remove-service kimchid >/dev/null 2>&1 || :
>> + %else
>> + iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || :
>> + iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || :
>> + %endif
>> fi
>> +
>> exit 0
>>
>>
>> @@ -155,6 +180,7 @@ rm -rf $RPM_BUILD_ROOT
>>
>> %if 0%{?with_systemd}
>> %{_unitdir}/kimchid.service
>> +%{_prefix}/lib/firewalld/services/kimchid.xml
>> %endif
>> %if 0%{?rhel} == 6
>> /etc/init/kimchid.conf
>> diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in
>> index 190b2be..be5172d 100644
>> --- a/contrib/kimchi.spec.suse.in
>> +++ b/contrib/kimchi.spec.suse.in
>> @@ -46,10 +46,16 @@ install -Dm 0755 contrib/kimchid.sysvinit
%{buildroot}%{_initrddir}/kimchid
>> %post
>> service kimchid start
>> chkconfig kimchid on
>> -
>> +# Add iptables rules to open 8000 and 8001 port
>> +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
>> +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
>> +service iptables save >/dev/null 2>&1
>> %preun
>> service kimchid stop
>> -
>> +# Remove iptables rules to open 8000 and 8001 port
>> +iptables -D INPUT -p tcp --dport 8000 -j ACCEPT
>> +iptables -D INPUT -p tcp --dport 8001 -j ACCEPT
>> +service iptables save >/dev/null 2>&1
>> %clean
>> rm -rf $RPM_BUILD_ROOT
>>
>> diff --git a/src/Makefile.am b/src/Makefile.am
>> index 7d29e28..7514870 100644
>> --- a/src/Makefile.am
>> +++ b/src/Makefile.am
>> @@ -24,6 +24,7 @@ SUBDIRS = kimchi distros.d
>>
>> EXTRA_DIST = kimchid.in \
>> kimchi.conf.in \
>> + firewalld.xml \
>> $(NULL)
>>
>> bin_SCRIPTS = kimchid
>> diff --git a/src/firewalld.xml b/src/firewalld.xml
>> new file mode 100644
>> index 0000000..7472e20
>> --- /dev/null
>> +++ b/src/firewalld.xml
>> @@ -0,0 +1,7 @@
>> +<?xml version="1.0" encoding="utf-8"?>
>> +<service>
>> + <short>kimchid</short>
>> + <description>Kimchid is a daemon service for kimchi which is a HTML5
based management tool for KVM. It is designed to make it as easy as possible to get
started with KVM and create your first guest.</description>
>> + <port protocol="tcp" port="8000"/>
>> + <port protocol="tcp" port="8001"/>
>> +</service>
>
--
Thanks Eli (Li Yong) Qiao (qiaoly(a)cn.ibm.com)
CSTL-KVM Frobisher/RHEV-H
3977
days inactive
3978
days old
5 comments
4 participants
participants (4)
-
Aline Manera -
Eli Qiao -
Shu Ming -
taget@linux.vnet.ibm.com