[Gluster-devel] Dynamically changing firewalld services

Kaushal M kshlmster at gmail.com
Mon Aug 31 11:45:32 UTC 2015


Hi all,

I wanted to know if there is any existing information on how to manage
dynamically changing services using firewalld. If none exists,
could you please let us know if the approach we're following
below is correct.

We want to provide firewalld service configuration for GlusterFS. One
of the properties of GlusterFS is that it has a set of fixed ports,
and a set of dynamic ports, which need to be opened.

We propose to ship 2 firewalld services with GlusterFS.
- glusterfs-static - This contains the list of static ports that
should be opened up. This is placed in /usr/lib/firewalld/services
- glusterfs-dynamic - This will contain the list of dynamic ports.
This will be shipped empty, and be placed in /etc/firewalld/services .
The ports in this service will be kept updated by a couple of scripts,
which hook into the glusterfs start/stop events.

The scripts add or remove ports from the glusterfs-dynamic.xml file,
and call `firewall-cmd --reload` to have firewalld reload
configuration. We do it this way, instead of using a dbus call because
we want the configuration to be persisted, and also applied live.

We've tested this, and this works. But we'd like to validate this
solution with you guys.

Do you see any issues with our approach? Is there anything we could do
to improve the solution?

For reference, the glusterfs bug and proposed solution are available
at [1] and [2].

Thanks.

Kaushal

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1253967
[2] http://review.gluster.org/11989

PS: Apologies if I should have posted this to the users list instead.
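
The update-and-reload step described in the message above, as an added sketch that is not part of the original post or of the GlusterFS patch under review. The function names, the sample XML and the file handling are assumptions; the hook validates its arguments so that only a numeric port and a known protocol can ever reach the service file.

```python
import os
import subprocess
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: an empty service definition as it might be shipped.
EMPTY_SERVICE = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>glusterfs-dynamic</short>
  <description>Dynamic GlusterFS ports (constructed sample).</description>
</service>
"""

def _check(port, protocol):
    # Accept only a plain port number and a known protocol, so hook
    # arguments can never inject arbitrary XML into the service file.
    port = int(port)
    if not 1 <= port <= 65535 or protocol not in ("tcp", "udp"):
        raise ValueError("bad port/protocol: %r/%r" % (port, protocol))
    return str(port)

def update_ports(xml_text, port, protocol="tcp", add=True):
    """Return (new_xml_text, changed) with the port added or removed."""
    port = _check(port, protocol)
    root = ET.fromstring(xml_text.encode("utf-8"))
    matches = [e for e in root.findall("port")
               if e.get("port") == port and e.get("protocol") == protocol]
    if add and not matches:
        ET.SubElement(root, "port", {"protocol": protocol, "port": port})
    elif not add and matches:
        for e in matches:
            root.remove(e)
    else:
        return xml_text, False  # idempotent: nothing to do, no reload needed
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n", True

def apply_change(path, port, protocol="tcp", add=True):
    """Rewrite the service file atomically; reload firewalld only on change."""
    with open(path, encoding="utf-8") as fh:
        new_text, changed = update_ports(fh.read(), port, protocol, add)
    if changed:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(new_text)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)  # firewalld never sees a half-written file
        subprocess.run(["firewall-cmd", "--reload"], check=True)
    return changed
```
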

