[PATCH V3] spec: Open 8000 and 8001 port by default

From: Eli Qiao <taget@linux.vnet.ibm.com>

V3 - V2 changes:
1. Rename kimchid.xml to firewalld.xml (Mark)
2. Remove firewalld from service require (Mark)
3. Fix typo

V2 - V1 changes:
1. Add firewalld service configure file kimchid.xml to help open iptables port (Mark)
2. Add Ubuntu iptables rule (Royce)

Add iptable rules to open 8000 and 8001 port.
1. For fedora, ubuntu and RHEL7, add a firewalld.xml to use firewalld daemon to open port 8000 and 8001.
2. For suse and RHEL6.x, add iptables static rules to open port 8000 and 8001.

Signed-off-by: Eli Qiao <taget@linux.vnet.ibm.com>
--- contrib/DEBIAN/control.in | 3 ++- contrib/DEBIAN/postinst | 2 ++ contrib/DEBIAN/postrm | 2 ++ contrib/kimchi.spec.fedora.in | 19 +++++++++++++++++++ contrib/kimchi.spec.suse.in | 10 ++++++++-- src/Makefile.am | 1 + src/firewalld.xml | 7 +++++++ 7 files changed, 41 insertions(+), 3 deletions(-) create mode 100644 src/firewalld.xml diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in index 380584c..c0ea1f1 100644 --- a/contrib/DEBIAN/control.in +++ b/contrib/DEBIAN/control.in @@ -17,7 +17,8 @@ Depends: python-cherrypy3 (>= 3.2.0), python-psutil (>= 0.6.0), python-ethtool, sosreport, - python-ipaddr + python-ipaddr, + firewalld Build-Depends: Maintainer: Aline Manera <alinefm@br.ibm.com> Description: Kimchi web server diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst index c1fc22e..b27205c 100755 --- a/contrib/DEBIAN/postinst +++ b/contrib/DEBIAN/postinst @@ -19,3 +19,5 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA service kimchid start +/usr/bin/firewall-cmd --reload +/usr/bin/firewall-cmd --add-service kimchid diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm index ef90b49..3c70584 100755 --- a/contrib/DEBIAN/postrm +++ b/contrib/DEBIAN/postrm @@ -26,3 +26,5 @@ case "$1" in rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/ ;; esac + +/usr/bin/firewall-cmd --remove-service kimchid 
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index 14ec359..57baead 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in @@ -34,6 +34,7 @@ BuildRequires: python-unittest2 %if 0%{?with_systemd} Requires: systemd +Requires: firewalld Requires(post): systemd Requires(preun): systemd Requires(postun): systemd @@ -63,6 +64,7 @@ make DESTDIR=%{buildroot} install %if 0%{?with_systemd} # Install the systemd scripts install -Dm 0644 contrib/kimchid.service.fedora %{buildroot}%{_unitdir}/kimchid.service +install -Dm 0640 src/firewalld.xml %{buildroot}%{_prefix}/lib/firewalld/services/kimchid.xml %endif %if 0%{?rhel} == 6 @@ -83,16 +85,32 @@ fi %if 0%{?rhel} == 6 start kimchid +# Add defult iptable rules to open 8000 and 8001 port +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save %else service kimchid start +# Add firewalld rules to open 8000 and 8001 port +/usr/bin/firewall-cmd --reload +/usr/bin/firewall-cmd --add-service kimchid %endif %preun +%if 0%{?rhel} == 6 +iptables -D INPUT -p tcp --dport 8000 -j ACCEPT +iptables -D INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save +%else +/usr/bin/firewall-cmd --remove-service kimchid +%endif + if [ $1 -eq 0 ] ; then # Package removal, not upgrade /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || : /bin/systemctl stop kimchid.service > /dev/null 2>&1 || : fi + exit 0 @@ -153,6 +171,7 @@ rm -rf $RPM_BUILD_ROOT %if 0%{?with_systemd} %{_unitdir}/kimchid.service +%{_prefix}/lib/firewalld/services/kimchid.xml %endif %if 0%{?rhel} == 6 /etc/init/kimchid.conf diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in index 9051284..dde9dae 100644 --- a/contrib/kimchi.spec.suse.in +++ b/contrib/kimchi.spec.suse.in 
@@ -46,10 +46,16 @@ install -Dm 0755 contrib/kimchid.sysvinit %{buildroot}%{_initrddir}/kimchid %post service kimchid start chkconfig kimchid on - +# Add iptables rules to open 8000 and 8001 port +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save %preun service kimchid stop - +# Remove iptables rules to open 8000 and 8001 port +iptables -D INPUT -p tcp --dport 8000 -j ACCEPT +iptables -D INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save %clean rm -rf $RPM_BUILD_ROOT diff --git a/src/Makefile.am b/src/Makefile.am index 7d29e28..7514870 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -24,6 +24,7 @@ SUBDIRS = kimchi distros.d EXTRA_DIST = kimchid.in \ kimchi.conf.in \ + firewalld.xml \ $(NULL) bin_SCRIPTS = kimchid diff --git a/src/firewalld.xml b/src/firewalld.xml new file mode 100644 index 0000000..dee4599 --- /dev/null +++ b/src/firewalld.xml @@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>kimchid</short> + <description>Kimchid is a daemon service for kimchi whichi is a HTML5 based management tool for KVM. It is designed to make it as easy as possible to get started with KVM and create your first guest.</description> + <port protocol="tcp" port="8000"/> + <port protocol="tcp" port="8001"/> +</service> -- 1.7.1
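Review bot: In the contrib/DEBIAN/postinst hunk, `/usr/bin/firewall-cmd --add-service kimchid` is called without `--permanent` and without a zone, so the ports are opened only in the runtime configuration of whatever the default zone is and disappear at the next firewalld reload or reboot. Decide whether the opening is meant to persist, name the zone explicitly, and guard both firewall-cmd calls (for example with `|| :`) so that a host where firewalld is not running does not break package configuration.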
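Review bot: In the contrib/DEBIAN/postrm hunk, `/usr/bin/firewall-cmd --remove-service kimchid` is added after `esac`, so it runs for every postrm invocation and not only in the branch that removes /var/log/kimchi and the other files. Move it inside the case branch that handles removal, and tolerate a non-zero exit so a stopped firewalld does not fail the script.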
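Review bot: In the %preun hunk of contrib/kimchi.spec.fedora.in, the rule removal is placed above the `if [ $1 -eq 0 ]` guard, so it also runs on upgrade; there the old package's %preun executes after the new package's %post, and `firewall-cmd --remove-service kimchid` undoes what %post just added, leaving 8000 and 8001 closed. Move the removal inside the existing "Package removal, not upgrade" block. Separately, `Requires: firewalld` is added under `%if 0%{?with_systemd}` while %post calls firewall-cmd in the `%else` of `%if 0%{?rhel} == 6`; the two conditions should be the same one so firewall-cmd is never called without the dependency.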
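Review bot: In the contrib/kimchi.spec.suse.in hunk, `iptables -I INPUT -p tcp --dport 8000 -j ACCEPT` (and the 8001 twin) inserts at the head of INPUT with no source or interface restriction, so the management ports are accepted ahead of any rule the administrator already has in the chain. `service iptables save` then persists the whole running ruleset, including unrelated rules that were never meant to be saved. Consider shipping the rule as documented opt-in, or at least appending it with a source restriction, and confirm that an `iptables` init script with a `save` action exists on the SUSE targets before relying on it in %post and %preun.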

On 12/24/2013 06:10 AM, taget@linux.vnet.ibm.com wrote:
From: Eli Qiao <taget@linux.vnet.ibm.com>

V3 - V2 changes:
1. Rename kimchid.xml to firewalld.xml (Mark)
2. Remove firewalld from service require (Mark)
3. Fix typo

V2 - V1 changes:
1. Add firewalld service configure file kimchid.xml to help open iptables port (Mark)
2. Add Ubuntu iptables rule (Royce)

Add iptable rules to open 8000 and 8001 port.
1. For fedora, ubuntu and RHEL7, add a firewalld.xml to use firewalld daemon to open port 8000 and 8001.
2. For suse and RHEL6.x, add iptables static rules to open port 8000 and 8001.
Signed-off-by: Eli Qiao <taget@linux.vnet.ibm.com> --- contrib/DEBIAN/control.in | 3 ++- contrib/DEBIAN/postinst | 2 ++ contrib/DEBIAN/postrm | 2 ++ contrib/kimchi.spec.fedora.in | 19 +++++++++++++++++++ contrib/kimchi.spec.suse.in | 10 ++++++++-- src/Makefile.am | 1 + src/firewalld.xml | 7 +++++++ 7 files changed, 41 insertions(+), 3 deletions(-) create mode 100644 src/firewalld.xml
diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in index 380584c..c0ea1f1 100644 --- a/contrib/DEBIAN/control.in +++ b/contrib/DEBIAN/control.in @@ -17,7 +17,8 @@ Depends: python-cherrypy3 (>= 3.2.0), python-psutil (>= 0.6.0), python-ethtool, sosreport, - python-ipaddr + python-ipaddr, + firewalld Build-Depends: Maintainer: Aline Manera <alinefm@br.ibm.com> Description: Kimchi web server diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst index c1fc22e..b27205c 100755 --- a/contrib/DEBIAN/postinst +++ b/contrib/DEBIAN/postinst @@ -19,3 +19,5 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
service kimchid start +/usr/bin/firewall-cmd --reload +/usr/bin/firewall-cmd --add-service kimchid diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm index ef90b49..3c70584 100755 --- a/contrib/DEBIAN/postrm +++ b/contrib/DEBIAN/postrm @@ -26,3 +26,5 @@ case "$1" in rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/ ;; esac + +/usr/bin/firewall-cmd --remove-service kimchid diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in index 14ec359..57baead 100644 --- a/contrib/kimchi.spec.fedora.in +++ b/contrib/kimchi.spec.fedora.in @@ -34,6 +34,7 @@ BuildRequires: python-unittest2
%if 0%{?with_systemd} Requires: systemd +Requires: firewalld Requires(post): systemd Requires(preun): systemd Requires(postun): systemd @@ -63,6 +64,7 @@ make DESTDIR=%{buildroot} install %if 0%{?with_systemd} # Install the systemd scripts install -Dm 0644 contrib/kimchid.service.fedora %{buildroot}%{_unitdir}/kimchid.service +install -Dm 0640 src/firewalld.xml %{buildroot}%{_prefix}/lib/firewalld/services/kimchid.xml %endif
%if 0%{?rhel} == 6 @@ -83,16 +85,32 @@ fi
%if 0%{?rhel} == 6 start kimchid +# Add defult iptable rules to open 8000 and 8001 port +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save %else service kimchid start +# Add firewalld rules to open 8000 and 8001 port +/usr/bin/firewall-cmd --reload +/usr/bin/firewall-cmd --add-service kimchid %endif
%preun +%if 0%{?rhel} == 6 +iptables -D INPUT -p tcp --dport 8000 -j ACCEPT +iptables -D INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save +%else +/usr/bin/firewall-cmd --remove-service kimchid +%endif + if [ $1 -eq 0 ] ; then # Package removal, not upgrade /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || : /bin/systemctl stop kimchid.service > /dev/null 2>&1 || : fi + exit 0
@@ -153,6 +171,7 @@ rm -rf $RPM_BUILD_ROOT
%if 0%{?with_systemd} %{_unitdir}/kimchid.service +%{_prefix}/lib/firewalld/services/kimchid.xml %endif %if 0%{?rhel} == 6 /etc/init/kimchid.conf diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in index 9051284..dde9dae 100644 --- a/contrib/kimchi.spec.suse.in +++ b/contrib/kimchi.spec.suse.in @@ -46,10 +46,16 @@ install -Dm 0755 contrib/kimchid.sysvinit %{buildroot}%{_initrddir}/kimchid %post service kimchid start chkconfig kimchid on - +# Add iptables rules to open 8000 and 8001 port +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save %preun service kimchid stop - +# Remove iptables rules to open 8000 and 8001 port +iptables -D INPUT -p tcp --dport 8000 -j ACCEPT +iptables -D INPUT -p tcp --dport 8001 -j ACCEPT +service iptables save %clean rm -rf $RPM_BUILD_ROOT
diff --git a/src/Makefile.am b/src/Makefile.am index 7d29e28..7514870 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -24,6 +24,7 @@ SUBDIRS = kimchi distros.d
EXTRA_DIST = kimchid.in \ kimchi.conf.in \ + firewalld.xml \ $(NULL)
bin_SCRIPTS = kimchid diff --git a/src/firewalld.xml b/src/firewalld.xml new file mode 100644 index 0000000..dee4599 --- /dev/null +++ b/src/firewalld.xml @@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>kimchid</short> + <description>Kimchid is a daemon service for kimchi whichi is a HTML5 based management tool for KVM. It is designed to make it as easy as possible to get started with KVM and create your first guest.</description>
Typo: whichi / which

Also, please, send the patch for "make install" or we can forget this piece. If it is going to take a while, you can create a ticket in github, so we can track progress :)
+ <port protocol="tcp" port="8000"/> + <port protocol="tcp" port="8001"/> +</service>

+ <short>kimchid</short> + <description>Kimchid is a daemon service for kimchi whichi is a HTML5 based management tool for KVM. It is designed to make it as easy as possible to get started with KVM and create your first guest.</description>
Typo: whichi / which
Also, please, send the patch for "make install" or we can forget this piece. If it is going to take a while, you can create a ticket in github, so we can track progress :)
Hi Rodrigo,

Thanks for your kind review. I will fix the typo.

And I don't think there is any reason to add iptables rules when "make install":
1. make install is only used by developers, so they should be familiar with how to add a rule to open a firewall port.
2. If someone runs "make install" many times without "make uninstall", there will be an issue: the rules will get added many times in the iptables rules, which is too bad.

Please let me know if you have any doubt.

Thanks,
Eli
+ <port protocol="tcp" port="8000"/> + <port protocol="tcp" port="8001"/> +</service>
-- Thanks Eli (Li Yong) Qiao (qiaoly@cn.ibm.com) CSTL-KVM Frobisher/RHEV-H
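The duplicate-rule concern raised in the reply above can be avoided by checking for the rule before inserting it and by deleting until no copy is left. This is an added example, not code from the patch or the Kimchi project; the function names and the `IPT` override are hypothetical, and it assumes `iptables -S` prints the rule in the form shown in the comment.

```shell
#!/bin/sh
# Added example; open_port, close_port, rule_count and IPT are hypothetical
# names, not part of the Kimchi patch.
# IPT can be overridden so the logic can be exercised without root.
IPT=${IPT:-iptables}

# Number of exact ACCEPT rules for TCP port $1 in INPUT, matched against the
# rule text printed by `iptables -S` (assumed form; iptables adds "-m tcp").
rule_count() {
    $IPT -S INPUT | grep -c -x -F -- "-A INPUT -p tcp -m tcp --dport $1 -j ACCEPT" || true
}

# Insert the rule only when it is absent, so repeated runs stay at one rule.
open_port() {
    if [ "$(rule_count "$1")" -eq 0 ]; then
        $IPT -I INPUT -p tcp --dport "$1" -j ACCEPT
    fi
}

# -D deletes one matching rule per call; loop until earlier duplicates are gone.
close_port() {
    while [ "$(rule_count "$1")" -gt 0 ]; do
        $IPT -D INPUT -p tcp --dport "$1" -j ACCEPT || return 1
    done
}
```

Calling `open_port 8000` from an install step any number of times leaves a single rule, and `close_port 8000` also cleans up copies left behind by earlier unconditional `iptables -I` runs.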