[Kimchi-devel] [PATCH V9 1/1] spec: Open 8000 and 8001 port by default

Eli Qiao taget at linux.vnet.ibm.com
Mon Jan 13 02:25:22 UTC 2014


ping Aline.

> From: Eli Qiao <taget at linux.vnet.ibm.com>
>
> Use firewalld to manage firewall rules on RHEL7, Fedora and Ubuntu.
> Add static rules in iptables on RHEL6.
>
> Signed-off-by: Eli Qiao <taget at linux.vnet.ibm.com>
> ---
>  Makefile.am                   |  3 +++
>  contrib/DEBIAN/control.in     |  3 ++-
>  contrib/DEBIAN/postinst       |  8 ++++++++
>  contrib/DEBIAN/postrm         |  7 +++++++
>  contrib/kimchi.spec.fedora.in | 26 ++++++++++++++++++++++++++
>  src/Makefile.am               |  1 +
>  src/firewalld.xml             |  7 +++++++
>  7 files changed, 54 insertions(+), 1 deletion(-)
>  create mode 100644 src/firewalld.xml
>
> diff --git a/Makefile.am b/Makefile.am
> index 04ad696..13cbe13 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -85,8 +85,11 @@ all-local:
>  install-deb: install
>  	cp -R $(top_srcdir)/contrib/DEBIAN $(DESTDIR)/
>  	$(MKDIR_P) $(DESTDIR)/etc/init
> +	$(MKDIR_P) $(DESTDIR)/usr/lib/firewalld/services
>  	cp -R $(top_srcdir)/contrib/kimchid-upstart.conf.debian \
>  		$(DESTDIR)/etc/init/kimchid.conf
> +	cp -R $(top_srcdir)/src/firewalld.xml \
> +		$(DESTDIR)/usr/lib/firewalld/services/kimchid.xml
>
>
>  deb: contrib/make-deb.sh
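Review bot: The added `cp -R` at the end of `install-deb` leaves the mode of `kimchid.xml` to whatever the source tree has, while the Fedora spec in this patch installs the same file with `install -Dm 0640`, so the two packages ship the service definition with different permissions. Using automake's install variable makes the mode explicit: `$(INSTALL_DATA) $(top_srcdir)/src/firewalld.xml $(DESTDIR)/usr/lib/firewalld/services/kimchid.xml`, and the spec line could then use 0644 to match the unit file installed on the line above it. `-R` is also unnecessary for a single regular file.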
> diff --git a/contrib/DEBIAN/control.in b/contrib/DEBIAN/control.in
> index eecfb27..64ac2f4 100644
> --- a/contrib/DEBIAN/control.in
> +++ b/contrib/DEBIAN/control.in
> @@ -18,7 +18,8 @@ Depends: python-cherrypy3 (>= 3.2.0),
>           python-ethtool,
>           sosreport,
>           python-ipaddr,
> -         open-iscsi
> +         open-iscsi,
> +         firewalld
>  Build-Depends:
>  Maintainer: Aline Manera <alinefm at br.ibm.com>
>  Description: Kimchi web server
> diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
> index c1fc22e..5f7e2ff 100755
> --- a/contrib/DEBIAN/postinst
> +++ b/contrib/DEBIAN/postinst
> @@ -19,3 +19,11 @@
>  # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
>
>  service kimchid start
> +set +e
> +service firewalld status >/dev/null 2>&1
> +if [ $? -ne 0 ]; then
> +    service firewalld start >/dev/null 2>&1
> +fi
> +firewall-cmd --reload  >/dev/null 2>&1
> +firewall-cmd --add-service kimchid  >/dev/null 2>&1
> +set -e
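Review bot: `firewall-cmd --add-service kimchid` is called without `--permanent`, so the rule exists only in the runtime configuration and is lost at the next firewalld reload or reboot; the same applies to the `%if 0%{?with_systemd}` branch added to `contrib/kimchi.spec.fedora.in`. The usual pattern is `firewall-cmd --permanent --add-service kimchid` followed by `firewall-cmd --reload`. Two side effects deserve a comment in the script: starting firewalld on a host where it was not running changes that host's whole filtering policy as a consequence of installing Kimchi, and with no `--zone` the two ports are opened to every source in the default zone. Because every exit status is discarded under `set +e` and all output goes to `/dev/null`, a failure of any step is invisible to the administrator; printing a warning to stderr on failure would help.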
> diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm
> index ef90b49..9f1d895 100755
> --- a/contrib/DEBIAN/postrm
> +++ b/contrib/DEBIAN/postrm
> @@ -26,3 +26,10 @@ case "$1" in
>          rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/
>      ;;
>  esac
> +
> +set +e
> +service firewalld status >/dev/null 2>&1
> +if [ $? -eq 0 ]; then
> +    firewall-cmd --remove-service kimchid >/dev/null 2>&1
> +fi
> +set -e
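Review bot: The added block sits after `esac`, so it runs for every postrm action dpkg invokes (upgrade and failed-upgrade as well as remove and purge), not only when the package is actually being removed. Moving it into the removal branch of the `case "$1"` statement, which starts outside this hunk, would avoid closing the ports in the middle of an upgrade. If postinst is changed to add the service permanently, this side needs `firewall-cmd --permanent --remove-service kimchid` plus a reload to match.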
> diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
> index 75435b3..24485bd 100644
> --- a/contrib/kimchi.spec.fedora.in
> +++ b/contrib/kimchi.spec.fedora.in
> @@ -35,6 +35,7 @@ BuildRequires:    python-unittest2
>
>  %if 0%{?with_systemd}
>  Requires:	systemd
> +Requires:	firewalld
>  Requires(post): systemd
>  Requires(preun): systemd
>  Requires(postun): systemd
> @@ -64,6 +65,7 @@ make DESTDIR=%{buildroot} install
>  %if 0%{?with_systemd}
>  # Install the systemd scripts
>  install -Dm 0644 contrib/kimchid.service.fedora %{buildroot}%{_unitdir}/kimchid.service
> +install -Dm 0640 src/firewalld.xml %{buildroot}%{_prefix}/lib/firewalld/services/kimchid.xml
>  %endif
>
>  %if 0%{?rhel} == 6
> @@ -88,12 +90,35 @@ start kimchid
>  service kimchid start
>  %endif
>
> +%if 0%{?with_systemd}
> +service firewalld status >/dev/null 2>&1
> +if [ $? -ne 0 ]; then
> +    service firewalld start >/dev/null 2>&1
> +fi
> +# Add firewalld rules to open 8000 and 8001 port
> +firewall-cmd --reload >/dev/null 2>&1
> +firewall-cmd --add-service kimchid >/dev/null 2>&1
> +%else
> +# Add default iptable rules to open 8000 and 8001 port
> +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
> +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
> +service iptables save >/dev/null 2>&1
> +%endif
> +
>  %preun
> +
>  if [ $1 -eq 0 ] ; then
>      # Package removal, not upgrade
>      /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || :
>      /bin/systemctl stop kimchid.service > /dev/null 2>&1 || :
> +    %if 0%{?with_systemd}
> +        firewall-cmd --remove-service kimchid >/dev/null 2>&1 || :
> +    %else
> +        iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || :
> +        iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || :
> +    %endif
>  fi
> +
>  exit 0
>
>
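Review bot: In the `%else` branch the two `iptables -I INPUT` lines run on every execution of this scriptlet (its header is outside the hunk, presumably `%post`), so each upgrade inserts another copy of both ACCEPT rules, while `%preun` deletes a single copy and only on final removal. `%preun` also never calls `service iptables save`, so the rules persisted at install time would come back the next time the saved ruleset is loaded, even though the package is gone. Guarding the insert with `if [ $1 -eq 1 ]; then … fi` and adding `service iptables save >/dev/null 2>&1 || :` after the two `-D` lines would address both. Note also that `service iptables save` persists the entire running ruleset, including any temporary rules the administrator had loaded, and that `-I` places the ACCEPT rules ahead of any existing DROP or rate-limit rules in INPUT.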
> @@ -156,6 +181,7 @@ rm -rf $RPM_BUILD_ROOT
>
>  %if 0%{?with_systemd}
>  %{_unitdir}/kimchid.service
> +%{_prefix}/lib/firewalld/services/kimchid.xml
>  %endif
>  %if 0%{?rhel} == 6
>  /etc/init/kimchid.conf
> diff --git a/src/Makefile.am b/src/Makefile.am
> index 7d29e28..7514870 100644
> --- a/src/Makefile.am
> +++ b/src/Makefile.am
> @@ -24,6 +24,7 @@ SUBDIRS = kimchi distros.d
>
>  EXTRA_DIST = kimchid.in \
>  	kimchi.conf.in \
> +	firewalld.xml \
>  	$(NULL)
>
>  bin_SCRIPTS = kimchid
> diff --git a/src/firewalld.xml b/src/firewalld.xml
> new file mode 100644
> index 0000000..7472e20
> --- /dev/null
> +++ b/src/firewalld.xml
> @@ -0,0 +1,7 @@
> +<?xml version="1.0" encoding="utf-8"?>
> +<service>
> +  <short>kimchid</short>
> +  <description>Kimchid is a daemon service for kimchi which is a HTML5 based management tool for KVM. It is designed to make it as easy as possible to get started with KVM and create your first guest.</description>
> +  <port protocol="tcp" port="8000"/>
> +  <port protocol="tcp" port="8001"/>
> +</service>

-- 
Thanks Eli (Li Yong) Qiao (qiaoly at cn.ibm.com)
CSTL-KVM Frobisher/RHEV-H



