[Gluster-devel] Dynamically changing firewalld services

Christopher Blum cblum at redhat.com
Fri Sep 4 11:50:34 UTC 2015 

Where do you add the services to the zone? I couldn't find that in your
code...

Christopher Blum
Associate Storage Consultant
Global Storage Consulting, Red Hat

+49 711 96 43 7009

On Fri, Sep 4, 2015 at 5:37 AM, Anand Nekkunti <anekkunt at redhat.com> wrote:

> see comments below
>
>
> On 09/01/2015 02:47 PM, Anand Nekkunti wrote:
>
> Hi All
> From firewalld doc and my experiments , I understood that we don't have
> any option to add/remove port to/from service runtime/permanent  (this can
> double for  zone) . The only way is modifying service xml file but it
> requires firewall reload (which cause the loosing run time settings).
>           Is there any way to reload firewall without loosing run time
> settings or is there any way to reload particular service.
>
> Regards
> Anand.N
>
> On 09/01/2015 12:49 PM, Christopher Blum wrote:
>
> There is a function in the d-bus interface:
>
> getZoneOfInterface(s: interface) → s
> that will return the current zone of the interface and you can then add
> ports to that interface.
> As far as I see it, the hooks get only executed when I start the volume,
> right? So when I created and started the volume, but then change the zone
> of the interface, we need to detect that (I guess it would be enough to
> handle that on reboot) and move the ports/services to the new zone.
>
> Regarding Org.fedoraproject.firewalld1.config.service - I think that would
> need additional tests if that is really only for the persistent config, or
> if the changes are also applied in the running config.
>
> Christopher Blum
> Associate Storage Consultant
> Global Storage Consulting, Red Hat
>
> +49 711 96 43 7009
>
> On Tue, Sep 1, 2015 at 8:58 AM, Kaushal M <kshlmster at gmail.com> wrote:
>
>> On Mon, Aug 31, 2015 at 5:15 PM, Kaushal M <kshlmster at gmail.com> wrote:
>> > Hi all,
>> >
>> > I wanted know if there is any existing information on how to manage
>> > dynamically changing services using firewalld. If there are none
>> > existing, could you please let us know if the approach we're following
>> > below is correct.
>> >
>> > We want to provide firewalld service configuration for GlusterFS. One
>> > of the properties of GlusterFS is that it has a set of fixed ports,
>> > and a set of dynamic ports, which need to be opened.
>> >
>> > We propose to ship 2 firewalld services with GlusterFS.
>> > - glusterfs-static - This contains the list of static ports that
>> > should be opened up. This is placed in /usr/lib/firewalld/services
>> > - glusterfs-dynamic - This will contain the list of dynamic ports.
>> > This will be shipped empty, and be placed in /etc/firewalld/services .
>> > The ports in this service will be kept updated by a couple of scripts,
>> > which hook into the glusterfs start/stop events.
>> >
>> > The scripts, add or remove ports from the glusterfs-dyanmic.xml file,
>> > and call `firewall-cmd --reload` to have firewalld reload
>> > configuration. We do it this way, instead of using a dbus call because
>> > we want the configuration to be persisted, and also applied live.
>> >
>> > We've tested this, and this works. But we'd like to validate this
>> > solution with you guys.
>> >
>> > Do you see any issues with our approach? Is there anything we could do
>> > to improve the solution.
>> >
>> > For reference, the glusterfs bug and proposed solution are available
>> > at [1] and [2].
>> >
>> > Thanks.
>> >
>> > Kaushal
>> >
>> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1253967
>> > [2] http://review.gluster.org/11989
>> >
>> > PS: Apologies if I should have posted this to the users list instead.
>>
>> I've had a private conversation with Christopher Blum (CCd), who
>> identified a major flaw with our current solution. Having firewalld
>> reload will cause any runtime rules that were set to be lost. This
>> should be avoided at all costs.
>>
>> Chris suggested using firewalld dbus commands [1] which could solve
>> this. We have dbus commands to add/remove ports from a service
>> permanently. This is an alternative to updating the service xml files.
>> But we don't see a method to update a service during runtime.
>>
>> There are dbus commands to add/remove ports to zones during runtime.
>> But this is not useful as we wouldn't know which zone to apply it to.
>> One of the reasons we chose to use services was this.
>>
>> So now we have two questions,
>> 1. Is there a way to do a runtime modification of a firewalld service
>>
>             it seems  firewalld not supporting for run time service
> update, but  we can add and remove ports
>              from zone
>
> 2. If not, is there a easy way to get active zones, which have our
>> services enabled and add/remove ports from them.
>>
>            we can get the services which are enabled in zone using below
> command
>             firewall-cmd --zone=$zone --list-services
>            I have updated  hook script in my patch[1] , it identify the
> zones which have gluster services enabled and  it add/remove the port in
> zone(s) so that we can avoid
>            firewall reload. I have tested this script with different test
> cases
>             [1].http://review.gluster.org/#/c/11989/
>
>
>
>> Thanks.
>>
>> Kaushal
>>
>> [1] https://www.mankier.com/5/firewalld.dbus
>> [2]
>> https://www.mankier.com/5/firewalld.dbus#Interfaces-Org.fedoraproject.firewalld1.config.service
>>
>
>
>
> _______________________________________________
> Gluster-devel mailing listGluster-devel at gluster.orghttp://www.gluster.org/mailman/listinfo/gluster-devel
>
>
>
>
> _______________________________________________
> Gluster-devel mailing listGluster-devel at gluster.orghttp://www.gluster.org/mailman/listinfo/gluster-devel
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.gluster.org/pipermail/gluster-devel/attachments/20150904/92f848b4/attachment.html>

More information about the Gluster-devel mailing list