[Gluster-devel] Dynamically changing firewalld services

Anand Nekkunti anekkunt at redhat.com
Tue Sep 1 09:17:05 UTC 2015 

Hi All
 From firewalld doc and my experiments , I understood that we don't have 
any option to add/remove port to/from service runtime/permanent  (this 
can double for  zone) . The only way is modifying service xml file but 
it requires firewall reload (which cause the loosing run time settings).
           Is there any way to reload firewall without loosing run time 
settings or is there any way to reload particular service.

Regards
Anand.N

On 09/01/2015 12:49 PM, Christopher Blum wrote:
> There is a function in the d-bus interface:
>
> getZoneOfInterface(s: interface) → s
>
> that will return the current zone of the interface and you can then 
> add ports to that interface.
> As far as I see it, the hooks get only executed when I start the 
> volume, right? So when I created and started the volume, but then 
> change the zone of the interface, we need to detect that (I guess it 
> would be enough to handle that on reboot) and move the ports/services 
> to the new zone.
>
> Regarding Org.fedoraproject.firewalld1.config.service - I think that 
> would need additional tests if that is really only for the persistent 
> config, or if the changes are also applied in the running config.
>
> Christopher Blum
> Associate Storage Consultant
> Global Storage Consulting, Red Hat
>
> +49 711 96 43 7009 <tel:%2B49%20711%2096%2043%207009>
>
> On Tue, Sep 1, 2015 at 8:58 AM, Kaushal M <kshlmster at gmail.com 
> <mailto:kshlmster at gmail.com>> wrote:
>
>     On Mon, Aug 31, 2015 at 5:15 PM, Kaushal M <kshlmster at gmail.com
>     <mailto:kshlmster at gmail.com>> wrote:
>     > Hi all,
>     >
>     > I wanted know if there is any existing information on how to manage
>     > dynamically changing services using firewalld. If there are none
>     > existing, could you please let us know if the approach we're
>     following
>     > below is correct.
>     >
>     > We want to provide firewalld service configuration for
>     GlusterFS. One
>     > of the properties of GlusterFS is that it has a set of fixed ports,
>     > and a set of dynamic ports, which need to be opened.
>     >
>     > We propose to ship 2 firewalld services with GlusterFS.
>     > - glusterfs-static - This contains the list of static ports that
>     > should be opened up. This is placed in /usr/lib/firewalld/services
>     > - glusterfs-dynamic - This will contain the list of dynamic ports.
>     > This will be shipped empty, and be placed in
>     /etc/firewalld/services .
>     > The ports in this service will be kept updated by a couple of
>     scripts,
>     > which hook into the glusterfs start/stop events.
>     >
>     > The scripts, add or remove ports from the glusterfs-dyanmic.xml
>     file,
>     > and call `firewall-cmd --reload` to have firewalld reload
>     > configuration. We do it this way, instead of using a dbus call
>     because
>     > we want the configuration to be persisted, and also applied live.
>     >
>     > We've tested this, and this works. But we'd like to validate this
>     > solution with you guys.
>     >
>     > Do you see any issues with our approach? Is there anything we
>     could do
>     > to improve the solution.
>     >
>     > For reference, the glusterfs bug and proposed solution are available
>     > at [1] and [2].
>     >
>     > Thanks.
>     >
>     > Kaushal
>     >
>     > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1253967
>     > [2] http://review.gluster.org/11989
>     >
>     > PS: Apologies if I should have posted this to the users list
>     instead.
>
>     I've had a private conversation with Christopher Blum (CCd), who
>     identified a major flaw with our current solution. Having firewalld
>     reload will cause any runtime rules that were set to be lost. This
>     should be avoided at all costs.
>
>     Chris suggested using firewalld dbus commands [1] which could solve
>     this. We have dbus commands to add/remove ports from a service
>     permanently. This is an alternative to updating the service xml files.
>     But we don't see a method to update a service during runtime.
>
>     There are dbus commands to add/remove ports to zones during runtime.
>     But this is not useful as we wouldn't know which zone to apply it to.
>     One of the reasons we chose to use services was this.
>
>     So now we have two questions,
>     1. Is there a way to do a runtime modification of a firewalld service
>     2. If not, is there a easy way to get active zones, which have our
>     services enabled and add/remove ports from them.
>
>     Thanks.
>
>     Kaushal
>
>     [1] https://www.mankier.com/5/firewalld.dbus
>     [2]
>     https://www.mankier.com/5/firewalld.dbus#Interfaces-Org.fedoraproject.firewalld1.config.service
>
>
>
>
> _______________________________________________
> Gluster-devel mailing list
> Gluster-devel at gluster.org
> http://www.gluster.org/mailman/listinfo/gluster-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.gluster.org/pipermail/gluster-devel/attachments/20150901/e8a0491f/attachment-0001.html>

More information about the Gluster-devel mailing list