[Gluster-devel] Dynamically changing firewalld services

Anand Nekkunti anekkunt at redhat.com
Fri Sep 4 12:05:07 UTC 2015 


On 09/04/2015 05:20 PM, Christopher Blum wrote:
> Where do you add the services to the zone? I couldn't find that in 
> your code...
     By default it is not attached to any zone, admin has to enable 
glusterfs-static service to his/her active zone after installation.
>
> Christopher Blum
> Associate Storage Consultant
> Global Storage Consulting, Red Hat
>
> +49 711 96 43 7009 <tel:%2B49%20711%2096%2043%207009>
>
> On Fri, Sep 4, 2015 at 5:37 AM, Anand Nekkunti <anekkunt at redhat.com 
> <mailto:anekkunt at redhat.com>> wrote:
>
>     see comments below
>
>
>     On 09/01/2015 02:47 PM, Anand Nekkunti wrote:
>>     Hi All
>>     From firewalld doc and my experiments , I understood that we
>>     don't have any option to add/remove port to/from service
>>     runtime/permanent  (this can double for  zone) . The only way is
>>     modifying service xml file but it requires firewall reload (which
>>     cause the loosing run time settings).
>>               Is there any way to reload firewall without loosing run
>>     time settings or is there any way to reload particular service.
>>
>>     Regards
>>     Anand.N
>>
>>     On 09/01/2015 12:49 PM, Christopher Blum wrote:
>>>     There is a function in the d-bus interface:
>>>
>>>     getZoneOfInterface(s: interface) → s
>>>
>>>     that will return the current zone of the interface and you can
>>>     then add ports to that interface.
>>>     As far as I see it, the hooks get only executed when I start the
>>>     volume, right? So when I created and started the volume, but
>>>     then change the zone of the interface, we need to detect that (I
>>>     guess it would be enough to handle that on reboot) and move the
>>>     ports/services to the new zone.
>>>
>>>     Regarding Org.fedoraproject.firewalld1.config.service - I think
>>>     that would need additional tests if that is really only for the
>>>     persistent config, or if the changes are also applied in the
>>>     running config.
>>>
>>>     Christopher Blum
>>>     Associate Storage Consultant
>>>     Global Storage Consulting, Red Hat
>>>
>>>     +49 711 96 43 7009 <tel:%2B49%20711%2096%2043%207009>
>>>
>>>     On Tue, Sep 1, 2015 at 8:58 AM, Kaushal M <kshlmster at gmail.com
>>>     <mailto:kshlmster at gmail.com>> wrote:
>>>
>>>         On Mon, Aug 31, 2015 at 5:15 PM, Kaushal M
>>>         <kshlmster at gmail.com <mailto:kshlmster at gmail.com>> wrote:
>>>         > Hi all,
>>>         >
>>>         > I wanted know if there is any existing information on how
>>>         to manage
>>>         > dynamically changing services using firewalld. If there
>>>         are none
>>>         > existing, could you please let us know if the approach
>>>         we're following
>>>         > below is correct.
>>>         >
>>>         > We want to provide firewalld service configuration for
>>>         GlusterFS. One
>>>         > of the properties of GlusterFS is that it has a set of
>>>         fixed ports,
>>>         > and a set of dynamic ports, which need to be opened.
>>>         >
>>>         > We propose to ship 2 firewalld services with GlusterFS.
>>>         > - glusterfs-static - This contains the list of static
>>>         ports that
>>>         > should be opened up. This is placed in
>>>         /usr/lib/firewalld/services
>>>         > - glusterfs-dynamic - This will contain the list of
>>>         dynamic ports.
>>>         > This will be shipped empty, and be placed in
>>>         /etc/firewalld/services .
>>>         > The ports in this service will be kept updated by a couple
>>>         of scripts,
>>>         > which hook into the glusterfs start/stop events.
>>>         >
>>>         > The scripts, add or remove ports from the
>>>         glusterfs-dyanmic.xml file,
>>>         > and call `firewall-cmd --reload` to have firewalld reload
>>>         > configuration. We do it this way, instead of using a dbus
>>>         call because
>>>         > we want the configuration to be persisted, and also
>>>         applied live.
>>>         >
>>>         > We've tested this, and this works. But we'd like to
>>>         validate this
>>>         > solution with you guys.
>>>         >
>>>         > Do you see any issues with our approach? Is there anything
>>>         we could do
>>>         > to improve the solution.
>>>         >
>>>         > For reference, the glusterfs bug and proposed solution are
>>>         available
>>>         > at [1] and [2].
>>>         >
>>>         > Thanks.
>>>         >
>>>         > Kaushal
>>>         >
>>>         > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1253967
>>>         > [2] http://review.gluster.org/11989
>>>         >
>>>         > PS: Apologies if I should have posted this to the users
>>>         list instead.
>>>
>>>         I've had a private conversation with Christopher Blum (CCd), who
>>>         identified a major flaw with our current solution. Having
>>>         firewalld
>>>         reload will cause any runtime rules that were set to be
>>>         lost. This
>>>         should be avoided at all costs.
>>>
>>>         Chris suggested using firewalld dbus commands [1] which
>>>         could solve
>>>         this. We have dbus commands to add/remove ports from a service
>>>         permanently. This is an alternative to updating the service
>>>         xml files.
>>>         But we don't see a method to update a service during runtime.
>>>
>>>         There are dbus commands to add/remove ports to zones during
>>>         runtime.
>>>         But this is not useful as we wouldn't know which zone to
>>>         apply it to.
>>>         One of the reasons we chose to use services was this.
>>>
>>>         So now we have two questions,
>>>         1. Is there a way to do a runtime modification of a
>>>         firewalld service
>>>
>                 it seems  firewalld not supporting for run time
>     service update, but  we can add and remove ports
>                  from zone
>>>
>>>         2. If not, is there a easy way to get active zones, which
>>>         have our
>>>         services enabled and add/remove ports from them.
>>>
>                we can get the services which are enabled in zone using
>     below command
>                 firewall-cmd --zone=$zone --list-services
>                I have updated  hook script in my patch[1] , it
>     identify the zones which have gluster services enabled and  it
>     add/remove the port in zone(s) so that we can avoid
>                firewall reload. I have tested this script with
>     different test cases
>                 [1].http://review.gluster.org/#/c/11989/
>
>
>>>
>>>         Thanks.
>>>
>>>         Kaushal
>>>
>>>         [1] https://www.mankier.com/5/firewalld.dbus
>>>         [2]
>>>         https://www.mankier.com/5/firewalld.dbus#Interfaces-Org.fedoraproject.firewalld1.config.service
>>>
>>>
>>>
>>>
>>>     _______________________________________________
>>>     Gluster-devel mailing list
>>>     Gluster-devel at gluster.org <mailto:Gluster-devel at gluster.org>
>>>     http://www.gluster.org/mailman/listinfo/gluster-devel
>>
>>
>>
>>     _______________________________________________
>>     Gluster-devel mailing list
>>     Gluster-devel at gluster.org <mailto:Gluster-devel at gluster.org>
>>     http://www.gluster.org/mailman/listinfo/gluster-devel
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.gluster.org/pipermail/gluster-devel/attachments/20150904/24e0214f/attachment.html>

More information about the Gluster-devel mailing list