[Kimchi-devel] [PATCH] Issue #456: Firewall ports are not open after firewall restart v2

Aline Manera alinefm at linux.vnet.ibm.com
Fri Jan 9 13:24:47 UTC 2015


On 08/01/2015 17:34, Ramon Medeiros wrote:
> Changes
>
> v2:
>
> Correct firewalld argument "--permanent"
> Extend changes to debian
>
>
>
> Instead of setup firewall and selinux configuration, kimchi will just
> add the files needed by this setup and describe to the user how security
> setup will be done in README.
>
> Signed-off-by: Ramon Medeiros <ramonn at linux.vnet.ibm.com>
> ---
>   contrib/DEBIAN/postinst       |  9 ---------
>   contrib/DEBIAN/postrm         |  7 -------
>   contrib/kimchi.spec.fedora.in | 26 --------------------------
>   docs/README.md                | 25 +++++++++++++++++++++++++
>   4 files changed, 25 insertions(+), 42 deletions(-)
>
> diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
> index 5bca009..5a300bc 100755
> --- a/contrib/DEBIAN/postinst
> +++ b/contrib/DEBIAN/postinst
> @@ -17,12 +17,3 @@
>   # You should have received a copy of the GNU Lesser General Public
>   # License along with this library; if not, write to the Free Software
>   # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
> -
> -set +e
> -service firewalld status >/dev/null 2>&1
> -if [ $? -ne 0 ]; then
> -    service firewalld start >/dev/null 2>&1
> -fi
> -firewall-cmd --reload  >/dev/null 2>&1
> -firewall-cmd --add-service kimchid  >/dev/null 2>&1
> -set -e
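Review bot: the commit message should name the root cause that these removed lines show: `firewall-cmd --add-service kimchid` ran without `--permanent`, so it changed only the runtime configuration and the rule was gone after the next firewalld restart, which is the issue in the subject. The v2 changelog line "Correct firewalld argument --permanent" hints at it, but the message body only describes moving the setup into the README.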

Seems this file is empty now. So we can remove it.

> diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm
> index 9f1d895..ef90b49 100755
> --- a/contrib/DEBIAN/postrm
> +++ b/contrib/DEBIAN/postrm
> @@ -26,10 +26,3 @@ case "$1" in
>           rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/
>       ;;
>   esac
> -
> -set +e
> -service firewalld status >/dev/null 2>&1
> -if [ $? -eq 0 ]; then
> -    firewall-cmd --remove-service kimchid >/dev/null 2>&1
> -fi
> -set -e
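Review bot: with `firewall-cmd --remove-service kimchid` gone from postrm, rules that users add by hand following the new README (saved with `--permanent`) outlive the package, so purging Kimchi leaves 8000, 8001 and 64667 open. The README should carry the matching revert (`firewall-cmd --remove-service kimchid --permanent`, or `--remove-port` for each port, then `--reload`) now that the package no longer does it.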
> diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
> index e75018e..92d3e49 100644
> --- a/contrib/kimchi.spec.fedora.in
> +++ b/contrib/kimchi.spec.fedora.in
> @@ -113,23 +113,6 @@ if [ $1 -eq 1 ] ; then
>       /bin/systemctl daemon-reload >/dev/null 2>&1 || :
>   fi
>
> -%if 0%{?with_systemd}
> -service firewalld status >/dev/null 2>&1
> -if [ $? -ne 0 ]; then
> -    service firewalld start >/dev/null 2>&1
> -fi
> -# Add firewalld rules to open 8000 and 8001 port
> -firewall-cmd --reload >/dev/null 2>&1
> -firewall-cmd --add-service kimchid >/dev/null 2>&1
> -%else
> -# Add default iptable rules to open 8000 and 8001 port
> -iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
> -iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
> -iptables -I INPUT -p tcp --dport 64667 -j ACCEPT
> -service iptables save >/dev/null 2>&1
> -%endif
> -# Add SELinux rules to "open" Kimchi ports
> -semanage permissive -a httpd_t
>
>   %preun
>
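Review bot: the removed `semanage permissive -a httpd_t` switched the whole httpd_t domain to permissive mode, affecting every process confined in it and not only kimchid; taking that decision out of %post and handing it to the administrator is the right direction, but the README text that replaces it should state that scope so the reader can weigh it rather than copy the command blindly.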
> @@ -137,13 +120,6 @@ if [ $1 -eq 0 ] ; then
>       # Package removal, not upgrade
>       /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || :
>       /bin/systemctl stop kimchid.service > /dev/null 2>&1 || :
> -    %if 0%{?with_systemd}
> -        firewall-cmd --remove-service kimchid >/dev/null 2>&1 || :
> -    %else
> -        iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || :
> -        iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || :
> -        iptables -D INPUT -p tcp --dport 64667 -j ACCEPT || :
> -    %endif
>   fi
>
>   exit 0
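Review bot: same gap as the Debian postrm: once %preun stops running `firewall-cmd --remove-service` and the `iptables -D` lines, nothing reverts rules the user saved by hand, so the README's undo instructions must cover the RPM path as well; for iptables that is `iptables -D INPUT -p tcp --dport <port> -j ACCEPT` for each of the three ports followed by another `service iptables save`.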
> @@ -154,8 +130,6 @@ if [ "$1" -ge 1 ] ; then
>       /bin/systemctl try-restart kimchid.service >/dev/null 2>&1 || :
>   fi
>   exit 0
> -# Rollback SELinux rules
> -semanage permissive -d httpd_t
>
>   %clean
>   rm -rf $RPM_BUILD_ROOT
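Review bot: the two `semanage permissive -d httpd_t` lines sat after `exit 0` in %postun, so they never executed and the permissive domain was never rolled back on uninstall; deleting them changes nothing in practice, which is worth a sentence in the commit message. Since the package no longer attempts the rollback, the README's SELinux section should give `semanage permissive -d httpd_t` as the revert.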
> diff --git a/docs/README.md b/docs/README.md
> index 823c856..c68f625 100644
> --- a/docs/README.md
> +++ b/docs/README.md
> @@ -142,6 +142,30 @@ Run
>
>       $ sudo kimchid --host=0.0.0.0
>
> +If you cannot access Kimchi, take a look at this 2 points:

s/this/these

> +
> +1. Firewall
> +Kimchi uses ports 8000, 8001 and 64667. If you are using firewalld, there is a easy way to add the rules:

Kimchi uses *by default* the ports 8000, 8001 and 64667.

For systems using firewalld, do:

> +
> +firewall-cmd --reload
> +firewall-cmd --add-service kimchid --permanent
> +
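Review bot: a `--permanent` change is written to the saved configuration but is not applied to the running firewall until `firewall-cmd --reload`; with `--reload` placed before `--add-service`, the rule is saved yet stays inactive until the next reload or restart. Move the reload after the add, or run the add once with and once without `--permanent`.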
I think "firewall-cmd --reload" should be run after adding the new rules.

Also I think "firewall-cmd --add-service kimchid --permanent" will only 
work if the user has Kimchi properly installed on the system.
So I suggest guiding the user to open the ports one by one:

sudo firewall-cmd --add-port 8000/tcp --permanent
sudo firewall-cmd --add-port 8001/tcp --permanent
sudo firewall-cmd --add-port 64667/tcp --permanent


> +If you want to add directly to iptables:
> +

For system using iptables, do:

> +iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
> +iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
> +iptables -I INPUT -p tcp --dport 64667 -j ACCEPT
> +service iptables save

Add "sudo" to the commands above.

We still need to guide openSUSE users to open the firewall ports.

For openSUSE systems, do:

sudo /sbin/SuSEfirewall2 open EXT TCP 8000
sudo /sbin/SuSEfirewall2 open EXT TCP 8001
sudo /sbin/SuSEfirewall2 open EXT TCP 64667

I am not sure those are the right commands. Please, confirm.
> +
> +Don't forget to correctly save the rules.
> +
> +
> +2. SELinux
> +
> +Allow httpd_t context for Kimchi web server:
> +
> +semanage permissive -a httpd_t
> +
>
>   Test
>   ----
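Review bot: `semanage permissive -a httpd_t` disables enforcement for every process in the httpd_t domain, not only the Kimchi web server, and it needs root like the commands above it; the README should say that scope, prefix `sudo`, and give the revert (`semanage permissive -d httpd_t`). "Don't forget to correctly save the rules" should also say how: `--permanent` plus `--reload` for firewalld, `service iptables save` for iptables.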
> @@ -197,6 +221,7 @@ is configured as:
>       (2) Chown of export path as libvirt user, group as kvm group,
>           In order to make sure all mapped user can get into the mount point.
>
> +
>   Participating
>   -------------
>
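Review bot: this last hunk only inserts a blank line before the Participating heading and is unrelated to the firewall change; drop it to keep the diff focused.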

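As an added check for the failure mode in the subject (not part of this patch or of Kimchi itself): a POSIX sh helper that compares the ports Kimchi needs against firewalld's runtime and permanent port lists, so rules that were added without --permanent show up before a firewalld restart silently drops them. The port list and the firewall-cmd calls are assumptions; the comparison functions run offline on constructed lists.

```shell
#!/bin/sh
# Added example, not part of the patch or of Kimchi: spot firewalld port rules
# that exist only in the runtime configuration and will therefore be lost on
# the next firewalld restart (the failure mode behind issue #456).

# Ports Kimchi listens on by default, per the README hunk in the patch.
KIMCHI_PORTS="8000/tcp 8001/tcp 64667/tcp"

# has_port PORT LIST: succeed if PORT is one of the space-separated entries in
# LIST (the format firewall-cmd --list-ports prints, e.g. "8000/tcp 8001/tcp").
has_port() {
    for q in $2; do
        [ "$1" = "$q" ] && return 0
    done
    return 1
}

# missing_ports REQUIRED PRESENT: print each REQUIRED port absent from PRESENT.
missing_ports() {
    for p in $1; do
        has_port "$p" "$2" || printf '%s\n' "$p"
    done
}

# runtime_only_ports REQUIRED RUNTIME PERMANENT: print the ports that are open
# now but not saved with --permanent, i.e. exactly those a restart will close.
runtime_only_ports() {
    for p in $1; do
        if has_port "$p" "$2" && ! has_port "$p" "$3"; then
            printf '%s\n' "$p"
        fi
    done
}

# Live check against the local firewalld (assumed: run as root, firewalld active).
check_live() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found"; return 2; }
    firewall-cmd --state >/dev/null 2>&1 || { echo "firewalld is not running"; return 2; }
    runtime=$(firewall-cmd --list-ports)
    permanent=$(firewall-cmd --permanent --list-ports)
    echo "required but not open now:";    missing_ports "$KIMCHI_PORTS" "$runtime"
    echo "open now but lost on restart:"; runtime_only_ports "$KIMCHI_PORTS" "$runtime" "$permanent"
}

# Run the live check only when explicitly asked, so the functions above can be
# sourced or tested without touching firewalld.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Ports opened with `--add-service kimchid` appear under `--list-services` rather than `--list-ports`, so substitute that call if the README keeps the service-based instruction.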