Sandro Bonazzola has uploaded a new change for review. Change subject: packaging: refactored firewalld support ......................................................................
packaging: refactored firewalld support Added one service configuration template file for each service that should be allowed by firewalld under /etc/ovirt-engine/firewalld. During firewalld configuration the template files will be updated with provided ports for http and https services. Then the template will be copied to /etc/firewalld/services and enabled for the active zones. http, https and nfs services will override firewalld defaults. aio service will be enabled only if the plugin is installed and enabled. Change-Id: If6a60e1667182f926f399e22bbfbb939e7171cb0 Signed-off-by: Sandro Bonazzola <sbona...@redhat.com> --- M Makefile A packaging/fedora/setup/aio.xml M packaging/fedora/setup/basedefs.py M packaging/fedora/setup/engine-setup.py D packaging/fedora/setup/firewalld.ovirt.xml A packaging/fedora/setup/http.xml A packaging/fedora/setup/https.xml A packaging/fedora/setup/nfs.xml M packaging/fedora/setup/output_messages.py M packaging/fedora/setup/plugins/all_in_one_100.py M packaging/fedora/spec/ovirt-engine.spec.in 11 files changed, 125 insertions(+), 35 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/38/13638/1 diff --git a/Makefile b/Makefile index 4a8ac16..0725f56 100644 --- a/Makefile +++ b/Makefile @@ -243,6 +243,7 @@ @install -dm 755 $(DESTDIR)$(SYSCONF_DIR)/cron.daily @install -dm 755 $(DESTDIR)$(SYSCONF_DIR)/rc.d/init.d @install -dm 755 $(DESTDIR)$(SYSCONF_DIR)/firewalld/services + @install -dm 755 $(DESTDIR)$(PKG_SYSCONF_DIR)/firewalld install_artifacts: @echo "*** Deploying EAR to $(DESTDIR)" 
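Review bot: `install -dm 755 $(DESTDIR)$(SYSCONF_DIR)/firewalld/services` is kept although the only file that was installed there, ovirt.xml, is removed in the next Makefile hunk, so the build now creates a directory under /etc/firewalld/services that ships nothing and that the spec no longer lists. Drop that line unless another target still installs into it (not visible in this diff). The added `install -dm 755 $(DESTDIR)$(PKG_SYSCONF_DIR)/firewalld` matches where the second hunk puts the templates.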
@@ -269,7 +270,12 @@ # Configuration files: install -m 644 packaging/fedora/setup/engine-config-install.properties $(DESTDIR)$(DATA_DIR)/conf install -m 644 packaging/fedora/setup/iptables.default $(DESTDIR)$(DATA_DIR)/conf - install -m 644 packaging/fedora/setup/firewalld.ovirt.xml $(DESTDIR)$(SYSCONF_DIR)/firewalld/services/ovirt.xml + #FirewallD + install -m 644 packaging/fedora/setup/nfs.xml $(DESTDIR)$(PKG_SYSCONF_DIR)/firewalld/nfs.xml + install -m 644 packaging/fedora/setup/aio.xml $(DESTDIR)$(PKG_SYSCONF_DIR)/firewalld/aio.xml + install -m 644 packaging/fedora/setup/http.xml $(DESTDIR)$(PKG_SYSCONF_DIR)/firewalld/http.xml + install -m 644 packaging/fedora/setup/https.xml $(DESTDIR)$(PKG_SYSCONF_DIR)/firewalld/https.xml + install -m 644 packaging/fedora/setup/nfs.sysconfig $(DESTDIR)$(DATA_DIR)/conf install -m 644 packaging/fedora/setup/ovirt-engine-proxy.conf.in $(DESTDIR)$(DATA_DIR)/conf diff --git a/packaging/fedora/setup/aio.xml b/packaging/fedora/setup/aio.xml new file mode 100644 index 0000000..b28ce38 --- /dev/null +++ b/packaging/fedora/setup/aio.xml @@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>ovirt-aio</short> + <description>oVirt configured aio service</description> + <port protocol="tcp" port="5634-6166"/> + <port protocol="tcp" port="49152-49216"/> +</service> diff --git a/packaging/fedora/setup/basedefs.py b/packaging/fedora/setup/basedefs.py index 2ee1c86..36581e0 100644 --- a/packaging/fedora/setup/basedefs.py +++ b/packaging/fedora/setup/basedefs.py @@ -65,6 +65,9 @@ DIR_PKGS_INSTALL = "/usr/share" DIR_ETC_EXPORTSD = "/etc/exports.d" +DIR_FIREWALLD_TEMPLATES = '/etc/ovirt-engine/firewalld' +DIR_FIREWALLD_SERVICES = '/etc/firewalld/services' + FILE_INSTALLER_LOG="engine-setup.log" FILE_KRB_CONF="%s/deployments/configuration/krb5.conf" % DIR_ENGINE FILE_CA_CRT_SRC="%s/ca.pem"%(DIR_OVIRT_PKI) 
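Review bot: The port ranges in aio.xml (5634-6166 and 49152-49216) duplicate the iptables rules that all_in_one_100.py already carries (its hunk shows `--dports 49152:49216`), so the firewalld and iptables paths now have two sources of truth that can drift apart; nfs.xml versus NFS_IPTABLES_PORTS in engine-setup.py has the same problem. Consider having the plugin register its port list once and letting _createFirewalldConfig render aio.xml from it, as it does for http.xml and https.xml. If the template stays static, a comment `<!-- keep in sync with the iptables rules in plugins/all_in_one_100.py -->` at the top of the file is the minimum.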
@@ -85,7 +88,6 @@ FILE_IPTABLES_DEFAULT="%s/ovirt-engine/conf/iptables.default" % DIR_USR_SHARE FILE_IPTABLES_EXAMPLE="/etc/ovirt-engine/iptables.example" FILE_IPTABLES_BACKUP="%s/ovirt-engine/backups/iptables.backup" % DIR_VAR_LIB -FILE_FIREWALLD_SERVICE="/etc/firewalld/services/ovirt.xml" FILE_NFS_SYSCONFIG="%s/ovirt-engine/conf/nfs.sysconfig" % DIR_USR_SHARE FILE_NFS_BACKUP="%s/ovirt-engine/backups/nfs.backup" % DIR_VAR_LIB FILE_ETC_EXPORTS="/etc/exports" @@ -212,6 +214,7 @@ CONST_MAX_PSQL_CONNS= 150 CONST_SHMMAX=35554432 CONST_CONFIG_EXTRA_IPTABLES_RULES="EXTRA_IPTABLES_RULES" +CONST_CONFIG_EXTRA_FIREWALLD_RULES="EXTRA_FIREWALLD_RULES" CONST_INSTALL_SIZE_MB=500 CONST_DOWNLOAD_SIZE_MB=500 CONST_DB_SIZE=500 diff --git a/packaging/fedora/setup/engine-setup.py b/packaging/fedora/setup/engine-setup.py index 8d23f6c..329958a 100755 --- a/packaging/fedora/setup/engine-setup.py +++ b/packaging/fedora/setup/engine-setup.py @@ -949,12 +949,19 @@ def _configFirewall(): # Create Sample configuration files _createIptablesConfig() + firewalld_services = ['http', 'https'] + if utils.compareStrIgnoreCase(controller.CONF['CONFIG_NFS'], 'yes'): + firewalld_services.append('nfs') + if basedefs.CONST_CONFIG_EXTRA_FIREWALLD_RULES in controller.CONF: + firewalld_services += controller.CONF[ + basedefs.CONST_CONFIG_EXTRA_FIREWALLD_RULES + ] _createFirewalldConfig() # Configure chosen firewall if utils.compareStrIgnoreCase(controller.CONF["FIREWALL_MANAGER"], "firewalld"): - _configureFirewalld() + _configureFirewalld(firewalld_services) elif utils.compareStrIgnoreCase(controller.CONF["FIREWALL_MANAGER"], "iptables"): _configureIptables() 
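Review bot: `CONST_CONFIG_EXTRA_FIREWALLD_RULES` names a CONF entry that, per the engine-setup.py and all_in_one_100.py hunks in this change, holds a list of firewalld service names rather than rules, while its iptables sibling on the line above holds rule strings; a reader will expect the same shape. A comment on the line, `# list of firewalld service names whose templates live under DIR_FIREWALLD_TEMPLATES; filled by plugins`, or naming the key EXTRA_FIREWALLD_SERVICES, avoids the confusion.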
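Review bot: The names appended from `controller.CONF[basedefs.CONST_CONFIG_EXTRA_FIREWALLD_RULES]` are used unchanged later as file names under DIR_FIREWALLD_SERVICES and inside the `firewall-cmd` lines shown to the admin, but nothing checks that they are plain service identifiers; today only the all-in-one plugin sets the key, but if CONF can also be seeded from an answer file (not visible here) a value containing a path fragment would make the later `os.path.join` copy outside the services directory. A guard before the `+=`, such as `if any(not re.match(r'^[A-Za-z0-9_-]+$', s) for s in extra): raise ValueError(...)`, keeps the copy and the printed commands honest. `+=` with a string value would also extend the list character by character; the plugin stores a list, so a `list(...)` conversion or an isinstance check documents that expectation.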
@@ -974,40 +981,60 @@ ) ) if 'Firewalld' in firewalls: + commands = '\nfirewall-cmd --permanent --add-service '.join( + ['', ] + firewalld_services + ) + commands += 'firewall-cmd --reload' controller.MESSAGES.append( - output_messages.INFO_FIREWALLD_INSTRUCTIONS + output_messages.INFO_FIREWALLD_INSTRUCTIONS.format( + template_dir=basedefs.DIR_FIREWALLD_TEMPLATES, + firewalld_dir=basedefs.DIR_FIREWALLD_SERVICES, + commands=commands + ) ) def _createFirewalldConfig(): logging.debug("Creating firewalld configuration") + services = { + 'http.xml': [ + controller.CONF['HTTP_PORT'], + ], + 'https.xml': [ + controller.CONF['HTTPS_PORT'], + ] + } - # Open xml - servicexml = utils.XMLConfigFileHandler(basedefs.FILE_FIREWALLD_SERVICE) - servicexml.open() + for service in services: + # Open xml + servicexml = utils.XMLConfigFileHandler( + os.path.join( + basedefs.DIR_FIREWALLD_TEMPLATES, + service, + ) + ) + servicexml.open() - # Remove all port entries - servicexml.removeNodes("/service/port") + # Remove all port entries + servicexml.removeNodes("/service/port") - # Add ports to service xml - ports = [] - for port in [controller.CONF["HTTP_PORT"], controller.CONF["HTTPS_PORT"]]: - ports.append({ - 'port': port, - 'protocol': ['tcp'] - }) + # Add ports to service xml + ports = [] + for port in services[service]: + ports.append({ + 'port': port, + 'protocol': ['tcp'] + }) - if utils.compareStrIgnoreCase(controller.CONF["CONFIG_NFS"], "yes"): - ports += NFS_IPTABLES_PORTS + for portCfg in ports: + for protocol in portCfg["protocol"]: + servicexml.addNodes("/service", "<port protocol=\"%s\" port=\"%s\"/>" % (protocol, portCfg["port"])) - for portCfg in ports: - for protocol in portCfg["protocol"]: - servicexml.addNodes("/service", "<port protocol=\"%s\" port=\"%s\"/>" % (protocol, portCfg["port"])) + # Save firewalld service configuration + servicexml.close() - # Save firewalld service configuration - servicexml.close() -def _configureFirewalld(): +def 
_configureFirewalld(firewalld_services): logging.debug("configuring firewalld") # Load firewalld module only when needed. @@ -1018,8 +1045,22 @@ service = utils.Service("firewalld") service.start(True) - for zone in firewalld.getActiveZones(): - firewalld.addServiceToZone("ovirt", zone) + + + for firewalld_service in firewalld_services: + shutil.copy2( + os.path.join( + basedefs.DIR_FIREWALLD_TEMPLATES, + '%s.xml' % firewalld_service + ), + os.path.join( + basedefs.DIR_FIREWALLD_SERVICES, + '%s.xml' % firewalld_service + ) + ) + + for zone in firewalld.getActiveZones(): + firewalld.addServiceToZone(firewalld_service, zone) # Restart firewalld service = utils.Service("firewalld") diff --git a/packaging/fedora/setup/firewalld.ovirt.xml b/packaging/fedora/setup/firewalld.ovirt.xml deleted file mode 100644 index 4b1e925..0000000 --- a/packaging/fedora/setup/firewalld.ovirt.xml +++ /dev/null @@ -1,7 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> -<service> - <short>ovirt</short> - <description>ovirt-engine-service</description> - <port protocol="tcp" port="80"/> - <port protocol="tcp" port="443"/> -</service> diff --git a/packaging/fedora/setup/http.xml b/packaging/fedora/setup/http.xml new file mode 100644 index 0000000..1089e77 --- /dev/null +++ b/packaging/fedora/setup/http.xml @@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>ovirt-http</short> + <description>oVirt configured http service</description> + <port protocol="tcp" port="80"/> +</service> diff --git a/packaging/fedora/setup/https.xml b/packaging/fedora/setup/https.xml new file mode 100644 index 0000000..a1fb120 --- /dev/null +++ b/packaging/fedora/setup/https.xml @@ -0,0 +1,6 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>ovirt-https</short> + <description>oVirt configured https service</description> + <port protocol="tcp" port="443"/> +</service> 
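Review bot: `commands += 'firewall-cmd --reload'` is appended without a separator, so the rendered instruction ends in `--add-service httpsfirewall-cmd --reload` (the join only puts a newline before each list element); change it to `commands += '\nfirewall-cmd --reload'`. In _createFirewalldConfig the removed `ports += NFS_IPTABLES_PORTS` line means the NFS ports are now hard-coded in nfs.xml while the iptables path still uses NFS_IPTABLES_PORTS, so the two back-ends can open different ports; rendering nfs.xml from that list when CONFIG_NFS is yes, as http.xml and https.xml are rendered from CONF, keeps one source. The printed `--permanent --add-service` commands are zone-less (default zone) whereas _configureFirewalld adds the service to every active zone, so the manual and automated paths do not produce the same firewall state; the note should say which zones the commands apply to.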
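Review bot: `shutil.copy2` overwrites `/etc/firewalld/services/<name>.xml` without checking whether a file already exists there, and for http, https and nfs that path shadows firewalld's stock definitions of the same name for every other consumer on the host; the iptables path keeps a copy under FILE_IPTABLES_BACKUP before rewriting, and the same is warranted here (copy an existing target to the backups directory, or at least log that it is being replaced). Whether `firewalld.addServiceToZone` sees the freshly copied file before the restart that follows the hunk depends on how that helper is implemented (not visible here); if it talks to the running daemon the copy needs a reload first, otherwise the service name is unknown at that point. Installing the files as ovirt-http.xml, ovirt-https.xml and ovirt-nfs.xml, matching the `<short>` tags in the templates, would avoid the shadowing entirely.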
diff --git a/packaging/fedora/setup/nfs.xml b/packaging/fedora/setup/nfs.xml new file mode 100644 index 0000000..f075e3f --- /dev/null +++ b/packaging/fedora/setup/nfs.xml @@ -0,0 +1,16 @@ +<?xml version="1.0" encoding="utf-8"?> +<service> + <short>ovirt-nfs</short> + <description>oVirt configured nfs service</description> + <port protocol="tcp" port="111"/> + <port protocol="udp" port="111"/> + <port protocol="tcp" port="662"/> + <port protocol="udp" port="662"/> + <port protocol="tcp" port="875"/> + <port protocol="udp" port="875"/> + <port protocol="tcp" port="892"/> + <port protocol="udp" port="892"/> + <port protocol="tcp" port="2049"/> + <port protocol="udp" port="32769"/> + <port protocol="tcp" port="32803"/> +</service> diff --git a/packaging/fedora/setup/output_messages.py b/packaging/fedora/setup/output_messages.py index e5a5ccd..32463b3 100644 --- a/packaging/fedora/setup/output_messages.py +++ b/packaging/fedora/setup/output_messages.py @@ -87,7 +87,11 @@ #config ip tables INFO_IPTABLES_FILE="an example of the required configuration for iptables can be found at: %s" -INFO_FIREWALLD_INSTRUCTIONS="In order to configure firewalld, please execute the following command: firewall-cmd --add-service ovirt" +INFO_FIREWALLD_INSTRUCTIONS = ( + "In order to configure firewalld, please copy the template files from " + "{template_dir} to {firewalld_dir} and execute the following commands: " + "{commands}" +) # the last 2 ports are http & https entered by the user INFO_IPTABLES_PORTS=basedefs.APP_NAME + " requires the following TCP/IP Incoming ports to be opened on the firewall:\n\ 22, %s, %s " diff --git a/packaging/fedora/setup/plugins/all_in_one_100.py b/packaging/fedora/setup/plugins/all_in_one_100.py index 7c3825a..702faf1 100644 --- a/packaging/fedora/setup/plugins/all_in_one_100.py +++ b/packaging/fedora/setup/plugins/all_in_one_100.py 
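Review bot: The new INFO_FIREWALLD_INSTRUCTIONS text asks the admin to copy "the template files" from {template_dir} wholesale, while {commands} only enables the services selected in this run, and aio.xml sits in that directory whenever the plugin subpackage is installed; copying everything also replaces firewalld's stock http, https and nfs definitions. Wording such as `"please copy the service files named below from {template_dir} to {firewalld_dir} and execute: {commands}"` keeps the instruction aligned with the generated command list.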
@@ -229,6 +229,10 @@ '-A INPUT -p tcp -m state --state NEW -m multiport --dports 49152:49216 -j ACCEPT' ] + if basedefs.CONST_CONFIG_EXTRA_FIREWALLD_RULES not in controller.CONF: + controller.CONF[basedefs.CONST_CONFIG_EXTRA_FIREWALLD_RULES] = [] + controller.CONF[basedefs.CONST_CONFIG_EXTRA_FIREWALLD_RULES].append('aio') + def waitForJbossUp(): """ Wait for Jboss to start diff --git a/packaging/fedora/spec/ovirt-engine.spec.in b/packaging/fedora/spec/ovirt-engine.spec.in index 8f29823..9658f34 100644 --- a/packaging/fedora/spec/ovirt-engine.spec.in +++ b/packaging/fedora/spec/ovirt-engine.spec.in @@ -580,7 +580,10 @@ %{engine_data}/scripts/dbutils # Firewalld configuration -%config(noreplace) %{_sysconfdir}/firewalld/services/ovirt.xml +%dir %{engine_etc}/firewalld +%config(noreplace) %{engine_etc}/firewalld/nfs.xml +%config(noreplace) %{engine_etc}/firewalld/http.xml +%config(noreplace) %{engine_etc}/firewalld/https.xml # Man pages %{_mandir}/man8/engine-setup.* @@ -595,6 +598,7 @@ %files setup-plugin-allinone %{engine_data}/scripts/plugins/all_in_one_100.py* +%config(noreplace) %{engine_etc}/firewalld/aio.xml %files dbscripts -- To view, visit http://gerrit.ovirt.org/13638 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: If6a60e1667182f926f399e22bbfbb939e7171cb0 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Sandro Bonazzola <sbona...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
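Review bot: The two-step "create the list if missing, then append" can be a single `controller.CONF.setdefault(basedefs.CONST_CONFIG_EXTRA_FIREWALLD_RULES, []).append('aio')`, which also makes the list-typed expectation of that key explicit at the one place that seeds it. The port ranges this entry enables come from aio.xml, which restates the iptables rules just above it; the note on that file covers the drift risk.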