Ofer Schreiber has uploaded a new change for review.

Change subject: DO NOT MERGE: packaging: engine-setup - add firewalld support
......................................................................

DO NOT MERGE: packaging: engine-setup - add firewalld support

Add firewalld support for ovirt-engine-setup.
If the user asks setup to handle firewalld, setup opens the
needed ports (JBoss ports + NFS) in all firewalld zones.

Change-Id: Ieea93c90ffb90e02b880949a67575495aac5a472
Signed-off-by: Ofer Schreiber <[email protected]>
---
M Makefile
M packaging/fedora/setup/basedefs.py
M packaging/fedora/setup/engine-setup.py
A packaging/fedora/setup/engine_firewalld.py
A packaging/fedora/setup/firewalld.ovirt.xml
M packaging/fedora/spec/ovirt-engine.spec.in
6 files changed, 78 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/93/10493/1

diff --git a/Makefile b/Makefile
index 45f8dc4..1109dfc 100644
--- a/Makefile
+++ b/Makefile
@@ -209,6 +209,7 @@
        @install -dm 755 $(DESTDIR)$(SYSCONF_DIR)/cron.daily
        @install -dm 755 $(DESTDIR)$(SYSCONF_DIR)/security/limits.d
        @install -dm 755 $(DESTDIR)$(SYSCONF_DIR)/rc.d/init.d
+       @install -dm 755 $(DESTDIR)$(SYSCONF_DIR)/firewalld/services
 
        @install -dm 755 $(DESTDIR)/usr/lib/systemd/system
        @install -dm 755 $(DESTDIR)$(SYSCONF_DIR)/tmpfiles.d
@@ -247,6 +248,7 @@
        # Configuration files:
        install -m 644 packaging/fedora/setup/engine-config-install.properties 
$(DESTDIR)$(DATA_DIR)/conf
        install -m 644 packaging/fedora/setup/iptables.default 
$(DESTDIR)$(DATA_DIR)/conf
+       install -m 644 packaging/fedora/setup/firewalld.ovirt.xml 
$(DESTDIR)$(SYSCONF_DIR)/firewalld/services/ovirt.xml
        install -m 644 packaging/fedora/setup/nfs.sysconfig 
$(DESTDIR)$(DATA_DIR)/conf
        install -m 644 packaging/fedora/setup/ovirt-engine-proxy.conf.in 
$(DESTDIR)$(DATA_DIR)/conf
 
@@ -254,6 +256,7 @@
        install -m 644 packaging/fedora/setup/nfsutils.py 
$(DESTDIR)$(DATA_DIR)/scripts
        install -m 644 packaging/fedora/setup/basedefs.py 
$(DESTDIR)$(DATA_DIR)/scripts
        install -m 644 packaging/fedora/setup/engine_validators.py 
$(DESTDIR)$(DATA_DIR)/scripts
+       install -m 644 packaging/fedora/setup/engine_firewalld.py 
$(DESTDIR)$(DATA_DIR)/scripts
        install -m 644 packaging/fedora/setup/setup_params.py 
$(DESTDIR)$(DATA_DIR)/scripts
        install -m 644 packaging/fedora/setup/setup_sequences.py 
$(DESTDIR)$(DATA_DIR)/scripts
        install -m 644 packaging/fedora/setup/setup_controller.py 
$(DESTDIR)$(DATA_DIR)/scripts
diff --git a/packaging/fedora/setup/basedefs.py 
b/packaging/fedora/setup/basedefs.py
index 6f574f7..381df65 100644
--- a/packaging/fedora/setup/basedefs.py
+++ b/packaging/fedora/setup/basedefs.py
@@ -83,6 +83,7 @@
 FILE_IPTABLES_DEFAULT="%s/ovirt-engine/conf/iptables.default" % DIR_USR_SHARE
 FILE_IPTABLES_EXAMPLE="/etc/ovirt-engine/iptables.example"
 FILE_IPTABLES_BACKUP="%s/ovirt-engine/backups/iptables.backup" % DIR_VAR_LIB
+FILE_FIREWALLD_SERVICE="/etc/firewalld/services/ovirt.xml"
 FILE_NFS_SYSCONFIG="%s/ovirt-engine/conf/nfs.sysconfig" % DIR_USR_SHARE
 FILE_NFS_BACKUP="%s/ovirt-engine/backups/nfs.backup" % DIR_VAR_LIB
 FILE_ETC_EXPORTS="/etc/exports"
diff --git a/packaging/fedora/setup/engine-setup.py 
b/packaging/fedora/setup/engine-setup.py
index f347e78..f7f97e3 100755
--- a/packaging/fedora/setup/engine-setup.py
+++ b/packaging/fedora/setup/engine-setup.py
@@ -27,6 +27,7 @@
 from setup_controller import Controller
 from Cheetah.Template import Template
 from miniyum import MiniYum
+import engine_firewalld as firewalld
 
 # Globals
 controller = Controller()
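Review bot: The module-level `import engine_firewalld as firewalld` on the added line makes engine-setup fail to start on any host where gi.repository or the firewall python bindings are absent, even when the user only wants the existing iptables handling, because engine_firewalld imports both at import time. Importing it inside _configFirewalld, or wrapping the import in a `try: ... except ImportError:` that records availability for the later step, keeps the rest of setup usable on such hosts. The import block continues outside the hunk.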
@@ -164,7 +165,7 @@
                         'condition'       : [],
                         'condition_match' : [],
                         'steps'           : [ { 'title'     : 
output_messages.INFO_CFG_IPTABLES,
-                                                'functions' : 
[_configIptables] },
+                                                'functions' : 
[_configFirewalld] },
                                               { 'title'     : 
output_messages.INFO_START_ENGINE,
                                                 'functions' : [_startEngine] } 
]
                        },
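Review bot: The step now runs `_configFirewalld` unconditionally while its title is still `output_messages.INFO_CFG_IPTABLES` and `_configIptables` is no longer referenced from this sequence, so a host running plain iptables gets no firewall configuration and a misleading step title. The description says firewalld handling is the user's choice, so the step should dispatch on that choice: a small wrapper (for example `_configFirewall`) that checks which backend the user selected and calls `_configFirewalld` or `_configIptables`, with a title that no longer names iptables specifically. The sequence definition starts and ends outside the hunk.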
@@ -882,6 +883,47 @@
         fileHandler.editParam("authorityInfoAccess", " 
caIssuers;URI:http://%s:%s/ca.crt"; % (controller.CONF["HOST_FQDN"], 
controller.CONF["HTTP_PORT"]))
         fileHandler.close()
 
+def _configFirewalld():
+    logging.debug("configuring firewalld")
+
+    # Open xml
+    servicexml = utils.XMLConfigFileHandler(basedefs.FILE_FIREWALLD_SERVICE) 
+    servicexml.open()
+
+    # Remove all port entries
+    servicexml.removeNodes("/service/ports")
+
+    # Add ports to service xml
+    ports = []
+    for port in [controller.CONF["HTTP_PORT"], controller.CONF["HTTPS_PORT"]]:
+        ports.append({
+            'port': port,
+            'protocol': ['tcp']
+        })
+
+    if utils.compareStrIgnoreCase(controller.CONF["CONFIG_NFS"], "yes"):
+        ports += NFS_IPTABLES_PORTS
+
+    for portCfg in ports:
+        for protocol in portCfg["protocol"]:
+             servicexml.addNodes("/service", "<port protocol=\"%s\" 
port=\"%s\"/>" % (protocol, portCfg["port"]))
+
+    # Save firewalld service configuration
+    servicexml.close()
+
+    # Open ports in all firewall zones if needed
+    if controller.CONF["OVERRIDE_IPTABLES"] == "yes":
+        for zone in firewalld.getActiveZones():
+            firewalld.addServiceToZone("ovirt", zone)
+
+        # Restart firewalld
+        service = utils.Service("firewalld")
+        service.stop(True)
+        service.start(True)
+    else:
+        pass
+        # print MSG about how to add needed ports
+
 def _configIptables():
     logging.debug("configuring iptables")
     try:
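Review bot: `servicexml.removeNodes("/service/ports")` in _configFirewalld does not match the shipped service file, whose entries are `<port .../>` elements directly under `<service>` (see firewalld.ovirt.xml in this change), so if removeNodes takes an XPath the packaged defaults (udp/8080, tcp/8080, tcp/8111) are never removed and remain open alongside the configured ports; the path should be `/service/port`. The `service.stop(True)` / `service.start(True)` pair leaves a window in which firewalld is down and, as far as I know, its rules are flushed, while addServiceToZone only writes permanent configuration; a reload (FirewallClient has `reload()`, which could be exposed from engine_firewalld) re-reads that configuration without dropping the active rules. The `else: pass` branch leaves a user who declined OVERRIDE_IPTABLES with no message about which ports to open; the commented-out intent should print or log the computed `ports` list before merge. The `servicexml.addNodes(...)` line is indented 13 spaces rather than 12. _configIptables starts at the end of the hunk and continues outside it.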
diff --git a/packaging/fedora/setup/engine_firewalld.py 
b/packaging/fedora/setup/engine_firewalld.py
new file mode 100644
index 0000000..7c3b017
--- /dev/null
+++ b/packaging/fedora/setup/engine_firewalld.py
@@ -0,0 +1,19 @@
+from gi.repository import GObject
+import sys
+sys.modules['gobject'] = GObject
+from firewall.client import FirewallClient
+from firewall.errors import *
+
+def getActiveZones():
+    fw = FirewallClient()
+    zones = fw.getActiveZones()
+    return zones
+
+def addServiceToZone(service, zone):
+    fw = FirewallClient()
+    fw_zone = fw.config().getZoneByName(zone)
+    fw_settings = fw_zone.getSettings()
+    fw_settings.addService(service)
+    fw_zone.update(fw_settings)
+
+
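Review bot: `addServiceToZone` edits the zone through `fw.config()`, i.e. the permanent configuration, and in the firewalld versions I know `fw_settings.addService(service)` raises a FirewallError when the service is already listed, so re-running engine-setup on an already configured host would fail at this call. Guarding with `if not fw_settings.queryService(service):` before the add makes it idempotent. The `sys.modules['gobject'] = GObject` shim needs a comment saying which consumer expects the legacy module name, and the unused `from firewall.errors import *` should go. A one-line docstring on each function should state that getActiveZones returns firewalld's active-zone mapping and that addServiceToZone changes permanent configuration only, taking effect after a reload.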
diff --git a/packaging/fedora/setup/firewalld.ovirt.xml 
b/packaging/fedora/setup/firewalld.ovirt.xml
new file mode 100644
index 0000000..ba14296
--- /dev/null
+++ b/packaging/fedora/setup/firewalld.ovirt.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>ovirt</short>
+  <description>UberPortOfDoon</description>
+  <port protocol="udp" port="8080"/>
+  <port protocol="tcp" port="8080"/>
+  <port protocol="tcp" port="8111"/>
+</service>
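Review bot: The `<description>UberPortOfDoon</description>` placeholder is installed verbatim into /etc/firewalld/services/ovirt.xml and is what firewall-cmd shows for the service, so it should read something like `<description>oVirt Engine web and NFS ports</description>` before merge. The shipped defaults also open udp/8080 and tcp/8111, which do not match the HTTP/HTTPS ports engine-setup later writes and, for udp/8080, look unneeded for an HTTP service (confirm); shipping only the defaults basedefs defines for HTTP_PORT/HTTPS_PORT, or no ports at all and letting setup fill them in, avoids leaving stray openings when the rewrite does not strip them.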
diff --git a/packaging/fedora/spec/ovirt-engine.spec.in 
b/packaging/fedora/spec/ovirt-engine.spec.in
index b0b7c02..8f52bfe 100644
--- a/packaging/fedora/spec/ovirt-engine.spec.in
+++ b/packaging/fedora/spec/ovirt-engine.spec.in
@@ -757,6 +757,7 @@
 # Python scripts:
 %{engine_data}/scripts/basedefs.py*
 %{engine_data}/scripts/engine_validators.py*
+%{engine_data}/scripts/engine_firewalld.py*
 %{engine_data}/scripts/setup_params.py*
 %{engine_data}/scripts/setup_sequences.py*
 %{engine_data}/scripts/setup_controller.py*
@@ -770,6 +771,9 @@
 %{engine_data}/scripts/post_upgrade.py*
 %{engine_data}/scripts/add_fn_db_get_async_tasks_function.sql
 
+# Firewalld configuration
+%{_sysconfdir}/firewalld/services/ovirt.xml
+
 # Man pages
 %{_mandir}/man8/engine-setup.*
 %{_mandir}/man8/engine-upgrade.*
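Review bot: `%{_sysconfdir}/firewalld/services/ovirt.xml` is listed as a plain file, yet _configFirewalld rewrites it on the installed host, so the next package upgrade silently replaces the ports setup wrote with the packaged defaults, and package removal deletes a file the administrator may have edited. Mark it `%config(noreplace) %{_sysconfdir}/firewalld/services/ovirt.xml`, or install the template under %{engine_data}/conf as the Makefile already does for iptables.default and have setup write the live copy into /etc/firewalld/services; the Makefile install line for firewalld.ovirt.xml would change accordingly. The %files section continues outside the hunk.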


--
To view, visit http://gerrit.ovirt.org/10493
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ieea93c90ffb90e02b880949a67575495aac5a472
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Ofer Schreiber <[email protected]>
