[Kimchi-devel] [PATCH] Issue #456: Firewall ports are not open after firewall restart
Ramon Medeiros
ramonn at linux.vnet.ibm.com
Mon Jan 12 15:55:55 UTC 2015
Sorry for missing the --annotate.
This is v3.
Changes:
v3:
Remove postinst file from Debian
Append openSUSE firewall commands
Change README instructions
v2:
Correct firewalld argument "--permanent"
Extend changes to debian
On 01/12/2015 01:49 PM, Ramon Medeiros wrote:
> Instead of setting up the firewall and SELinux configuration, kimchi will just
> add the files needed by this setup and describe to the user how the security
> setup will be done in README.
>
> Signed-off-by: Ramon Medeiros <ramonn at linux.vnet.ibm.com>
> ---
> contrib/DEBIAN/postinst | 28 ----------------------------
> contrib/DEBIAN/postrm | 7 -------
> contrib/kimchi.spec.fedora.in | 26 --------------------------
> docs/README.md | 24 ++++++++++++++++++++++++
> 4 files changed, 24 insertions(+), 61 deletions(-)
> delete mode 100755 contrib/DEBIAN/postinst
>
> diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
> deleted file mode 100755
> index 5bca009..0000000
> --- a/contrib/DEBIAN/postinst
> +++ /dev/null
> @@ -1,28 +0,0 @@
> -#!/bin/sh -e
> -#
> -# Project Kimchi
> -#
> -# Copyright IBM, Corp. 2013
> -#
> -# This library is free software; you can redistribute it and/or
> -# modify it under the terms of the GNU Lesser General Public
> -# License as published by the Free Software Foundation; either
> -# version 2.1 of the License, or (at your option) any later version.
> -#
> -# This library is distributed in the hope that it will be useful,
> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> -# Lesser General Public License for more details.
> -#
> -# You should have received a copy of the GNU Lesser General Public
> -# License along with this library; if not, write to the Free Software
> -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> -
> -set +e
> -service firewalld status >/dev/null 2>&1
> -if [ $? -ne 0 ]; then
> - service firewalld start >/dev/null 2>&1
> -fi
> -firewall-cmd --reload >/dev/null 2>&1
> -firewall-cmd --add-service kimchid >/dev/null 2>&1
> -set -e
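Review bot: deleting the whole postinst is consistent with the commit message and removes the root cause of #456 on Debian: the dropped script ran `firewall-cmd --add-service kimchid` without `--permanent`, so the rule existed only in the runtime configuration and was gone after the next `firewall-cmd --reload` or firewalld restart. Two things worth carrying into the README: the script also started firewalld when it was not running (`service firewalld start`), so users who keep the daemon stopped on purpose will no longer have it started behind their back and must open the ports with whatever they use instead; and if the package still ships a firewalld service definition for `kimchid`, the README could recommend `--add-service kimchid --permanent` rather than three separate port rules, so the port list lives in one place.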
> diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm
> index 9f1d895..ef90b49 100755
> --- a/contrib/DEBIAN/postrm
> +++ b/contrib/DEBIAN/postrm
> @@ -26,10 +26,3 @@ case "$1" in
> rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/
> ;;
> esac
> -
> -set +e
> -service firewalld status >/dev/null 2>&1
> -if [ $? -eq 0 ]; then
> - firewall-cmd --remove-service kimchid >/dev/null 2>&1
> -fi
> -set -e
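Review bot: with this removal nothing closes the Kimchi ports when the package is purged, so rules a user added by hand following the new README stay open after Kimchi is gone. Since packaging no longer touches the firewall at all, the README section should also give the reverse commands for uninstall (for firewalld, `firewall-cmd --remove-port=8000/tcp --permanent` and the same for 8001 and 64667, followed by a reload; the SuSEfirewall2 `close` form for openSUSE). Leaving the file ending at `esac` is fine.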
> diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
> index e75018e..92d3e49 100644
> --- a/contrib/kimchi.spec.fedora.in
> +++ b/contrib/kimchi.spec.fedora.in
> @@ -113,23 +113,6 @@ if [ $1 -eq 1 ] ; then
> /bin/systemctl daemon-reload >/dev/null 2>&1 || :
> fi
>
> -%if 0%{?with_systemd}
> -service firewalld status >/dev/null 2>&1
> -if [ $? -ne 0 ]; then
> - service firewalld start >/dev/null 2>&1
> -fi
> -# Add firewalld rules to open 8000 and 8001 port
> -firewall-cmd --reload >/dev/null 2>&1
> -firewall-cmd --add-service kimchid >/dev/null 2>&1
> -%else
> -# Add default iptable rules to open 8000 and 8001 port
> -iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
> -iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
> -iptables -I INPUT -p tcp --dport 64667 -j ACCEPT
> -service iptables save >/dev/null 2>&1
> -%endif
> -# Add SELinux rules to "open" Kimchi ports
> -semanage permissive -a httpd_t
>
> %preun
>
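Review bot: dropping `semanage permissive -a httpd_t` from %post is the most important change in this hunk from a hardening point of view: it switched the entire `httpd_t` domain (Apache and anything else confined to it) to permissive on every install, not only Kimchi. Since the README hunk now tells users to run the very same command by hand, consider documenting a narrower option first, such as labelling the three ports for the domain (`semanage port -a -t http_port_t -p tcp 8000`, and likewise for 8001 and 64667) if Kimchi's web server really runs confined as `httpd_t`, and presenting the permissive domain only as a debugging fallback. The removed iptables branch also used `-I INPUT`, inserting at the top of the chain ahead of any existing DROP rules; moving this to documentation at least lets administrators place the rules where their own policy expects them.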
> @@ -137,13 +120,6 @@ if [ $1 -eq 0 ] ; then
> # Package removal, not upgrade
> /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || :
> /bin/systemctl stop kimchid.service > /dev/null 2>&1 || :
> - %if 0%{?with_systemd}
> - firewall-cmd --remove-service kimchid >/dev/null 2>&1 || :
> - %else
> - iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || :
> - iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || :
> - iptables -D INPUT -p tcp --dport 64667 -j ACCEPT || :
> - %endif
> fi
>
> exit 0
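Review bot: removing the `%else` branch here means the non-firewalld case (`with_systemd` unset) is no longer handled on uninstall, which is consistent with the %post change, but the README hunk only documents firewalld and SuSEfirewall2, so users of plain iptables (the case this branch existed for) now get no instructions at all. Either add an iptables example to the README (an `-A INPUT -p tcp --dport 8000 -j ACCEPT` rule per port plus the distribution's save step) or state explicitly that only firewalld and SuSEfirewall2 are covered.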
> @@ -154,8 +130,6 @@ if [ "$1" -ge 1 ] ; then
> /bin/systemctl try-restart kimchid.service >/dev/null 2>&1 || :
> fi
> exit 0
> -# Rollback SELinux rules
> -semanage permissive -d httpd_t
>
> %clean
> rm -rf $RPM_BUILD_ROOT
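Review bot: the two removed lines sat after `exit 0` in %postun, so `semanage permissive -d httpd_t` never executed and this deletion changes no behaviour. It does mean that machines installed from an earlier package still have `httpd_t` permissive and nothing in this upgrade path reverts it; a release note telling administrators to run `semanage permissive -d httpd_t` once (unless they made the domain permissive for their own reasons) would close that gap without the package silently changing policy on upgrade.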
> diff --git a/docs/README.md b/docs/README.md
> index 823c856..cb96653 100644
> --- a/docs/README.md
> +++ b/docs/README.md
> @@ -142,6 +142,30 @@ Run
>
> $ sudo kimchid --host=0.0.0.0
>
> +If you cannot access Kimchi, take a look at these 2 points:
> +
> +1. Firewall
> +Kimchi uses by default the ports 8000, 8001 and 64667. If you are using firewalld, there is a easy way to add the rules on firewalld systems (Fedora and Debian):
> +
> +sudo firewall-cmd --add-port 8000 --permanent
> +sudo firewall-cmd --add-port 8001 --permanent
> +sudo firewall-cmd --add-port 64667 --permanent
> +
> +On OpenSuSE:
> +
> +sudo /sbin/SuSEfirewall2 open EXT TCP 8000
> +sudo /sbin/SuSEfirewall2 open EXT TCP 8001
> +sudo /sbin/SuSEfirewall2 open EXT TCP 64667
> +
> +Don't forget to correctly save the rules.
> +
> +
> +2. SELinux
> +
> +Allow httpd_t context for Kimchi web server:
> +
> +semanage permissive -a httpd_t
> +
>
> Test
> ----
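Review bot: the firewalld commands in the README do not work as written: `--add-port` takes `port/protocol`, so it must be `--add-port=8000/tcp` (and likewise for 8001 and 64667), and `--permanent` only updates the saved configuration, so the running firewall is unchanged until `sudo firewall-cmd --reload` (or the same commands are repeated without `--permanent`). That reload is presumably what "Don't forget to correctly save the rules." is meant to say; spelling it out avoids a second round of #456 reports from users who followed the README exactly. Minor: "a easy way" should be "an easy way"; the SELinux command lacks `sudo` unlike the others; and `semanage permissive -a httpd_t` disables enforcement for the whole `httpd_t` domain, so the README should say that this is a broad change and offer the narrower port-labelling alternative (`semanage port -a -t http_port_t -p tcp <port>`) before it.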
--
Ramon Nunes Medeiros
Kimchi Developer
Software Engineer - Linux Technology Center Brazil
IBM Systems & Technology Group
Phone : +55 19 2132 7878
ramonn at br.ibm.com