Alon Bar-Lev has uploaded a new change for review. Change subject: network: firewalld: initial add ......................................................................
network: firewalld: initial add Change-Id: I484902bcc6d85e16454888dbb3cb3a559bb5c8ee Signed-off-by: Alon Bar-Lev <[email protected]> --- M ChangeLog M README.environment M po/POTFILES.in M src/otopi/constants.py M src/plugins/otopi/network/Makefile.am M src/plugins/otopi/network/__init__.py A src/plugins/otopi/network/firewalld.py 7 files changed, 217 insertions(+), 0 deletions(-) git pull ssh://gerrit.ovirt.org:29418/otopi refs/changes/10/15110/1 diff --git a/ChangeLog b/ChangeLog index 64e5636..f5318b6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,7 @@ * dialog: support tuples for note like list. * build: re-introduce external gettext packaging. * services: openrc: do not fail set startup if service missing. + * network: add firewalld support. 2013-02-14 - Version 1.0.0 diff --git a/README.environment b/README.environment index 0df8a0e..e768d8a 100644 --- a/README.environment +++ b/README.environment @@ -94,6 +94,16 @@ NETWORK/iptablesRules(multi-str) iptables content. +NETWORK/firewalldEnable(bool) [False] + Enable set of firewalld. + +NETWORK/firewalldAvailable(bool) + Firewalld is enabled. + +NETWORK_FIREWALLD_SERVICE/<service> + Firewalld service to write and enable. + <service> is the name and the value is the rule content. + PACKAGER/yumpackagerEnabled(bool) [True] Enable yum packager. diff --git a/po/POTFILES.in b/po/POTFILES.in index 0810896..5aae2ba 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -26,6 +26,7 @@ ./src/plugins/otopi/dialog/__init__.py ./src/plugins/otopi/dialog/machine.py ./src/plugins/otopi/dialog/misc.py +./src/plugins/otopi/network/firewalld.py ./src/plugins/otopi/network/hostname.py ./src/plugins/otopi/network/__init__.py ./src/plugins/otopi/network/iptables.py diff --git a/src/otopi/constants.py b/src/otopi/constants.py index d921fd6..7f9fefd 100644 --- a/src/otopi/constants.py +++ b/src/otopi/constants.py 
@@ -150,6 +150,9 @@ SSH_USER = 'NETWORK/sshUser' IPTABLES_ENABLE = 'NETWORK/iptablesEnable' IPTABLES_RULES = 'NETWORK/iptablesRules' + FIREWALLD_ENABLE = 'NETWORK/firewalldEnable' + FIREWALLD_AVAILABLE = 'NETWORK/firewalldAvailable' + FIREWALLD_SERVICE_PREFIX = 'NETWORK_FIREWALLD_SERVICE/' @util.export diff --git a/src/plugins/otopi/network/Makefile.am b/src/plugins/otopi/network/Makefile.am index 0735ffb..7843a2e 100644 --- a/src/plugins/otopi/network/Makefile.am +++ b/src/plugins/otopi/network/Makefile.am @@ -29,6 +29,7 @@ hostname.py \ ssh.py \ iptables.py \ + firewalld.py \ $(NULL) clean-local: \ diff --git a/src/plugins/otopi/network/__init__.py b/src/plugins/otopi/network/__init__.py index 3654a00..4403187 100644 --- a/src/plugins/otopi/network/__init__.py +++ b/src/plugins/otopi/network/__init__.py @@ -27,6 +27,7 @@ from . import hostname from . import ssh from . import iptables +from . import firewalld @util.export @@ -34,6 +35,7 @@ hostname.Plugin(context=context) ssh.Plugin(context=context) iptables.Plugin(context=context) + firewalld.Plugin(context=context) # vim: expandtab tabstop=4 shiftwidth=4 diff --git a/src/plugins/otopi/network/firewalld.py b/src/plugins/otopi/network/firewalld.py new file mode 100644 index 0000000..c6c58a5 --- /dev/null +++ b/src/plugins/otopi/network/firewalld.py 
@@ -0,0 +1,199 @@ +# +# ovirt-engine-setup -- ovirt engine setup +# Copyright (C) 2013 Red Hat, Inc. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# + + +"""firewalld plugin.""" + +import os +import gettext +_ = lambda m: gettext.dgettext(message=m, domain='ovirt-engine-setup') + + +from otopi import util +from otopi import plugin +from otopi import constants +from otopi import filetransaction + + [email protected] +class Plugin(plugin.PluginBase): + """firewalld plugin. 
+ + Environment: + NetEnv.FIREWALLD_ENABLE -- enable firewalld update + NetEnv.FIREWALLD_SERVICE_PREFIX -- services key=service value=content + + """ + + FIREWALLD_SERVICES_DIR = '/etc/firewalld/services' + + def _isPermanentSupported(self): + """ + check if firewall-cmd support --permanent option + """ + ret = False + firewall_cmd = self.command.get(command='firewall-cmd', optional=True) + if firewall_cmd is not None: + rc, stdout, stderr = self.execute( + ( + firewall_cmd, + '--help', + ), + raiseOnError=False, + ) + ret = ''.join(stdout).find('--permanent') != -1 + return ret + + def _get_active_zones(self): + rc, stdout, stderr = self.execute( + ( + self.command.get('firewall-cmd'), + '--get-active-zones', + ), + ) + zones = {} + for line in stdout: + zone_name, devices = line.split(':') + zones[zone_name] = devices.split() + return zones + + def __init__(self, context): + super(Plugin, self).__init__(context=context) + self._enabled = True + self._services = [] + + @plugin.event( + stage=plugin.Stages.STAGE_INIT, + ) + def _init(self): + self.environment.setdefault( + constants.NetEnv.FIREWALLD_ENABLE, + False + ) + self.environment.setdefault( + constants.NetEnv.FIREWALLD_AVAILABLE, + False + ) + + @plugin.event( + stage=plugin.Stages.STAGE_SETUP, + condition=lambda self: self._enabled, + ) + def _setup(self): + self.command.detect(command='firewall-cmd') + + @plugin.event( + stage=plugin.Stages.STAGE_CUSTOMIZATION, + condition=lambda self: self._enabled, + priority=plugin.Stages.PRIORITY_FIRST, + ) + def _customization(self): + self._enabled = self.environment[ + constants.NetEnv.FIREWALLD_AVAILABLE + ] = ( + self.services.exists('firewalld') and + self._isPermanentSupported() + ) + + @plugin.event( + stage=plugin.Stages.STAGE_VALIDATION, + condition=lambda self: self._enabled, + ) + def _validation(self): + self._enabled = self.environment[ + constants.NetEnv.FIREWALLD_ENABLE + ] + + @plugin.event( + stage=plugin.Stages.STAGE_MISC, + condition=lambda self: 
self._enabled, + ) + def _misc(self): + for service, content in [ + ( + key[len(constants.NetEnv.FIREWALLD_SERVICE_PREFIX):], + content, + ) + for key, content in self.environment.items() + if key.startswith( + constants.NetEnv.FIREWALLD_SERVICE_PREFIX + ) + ]: + self._services.append(service) + self.environment[constants.CoreEnv.MAIN_TRANSACTION].append( + filetransaction.FileTransaction( + name=os.path.join( + self.FIREWALLD_SERVICES_DIR, + '%s.xml' % service, + ), + content=content, + modifiedList=self.environment[ + constants.CoreEnv.MODIFIED_FILES + ], + ) + ) + + @plugin.event( + stage=plugin.Stages.STAGE_CLOSEUP, + condition=lambda self: self._enabled, + ) + def _closeup(self): + + # + # avoid conflicts, diable iptables + # + if self.services.exists(name='iptables'): + self.services.startup(name='iptables', state=False) + self.services.state(name='iptables', state=False) + + self.services.state( + name='firewalld', + state=True, + ) + self.services.startup(name='firewalld', state=True) + + # + # Ensure to load the newly written services if firewalld was already + # running. + # + self.execute( + ( + self.command.get('firewall-cmd'), + '--reload' + ) + ) + for zone in self._get_active_zones(): + for service in self._services: + self.execute( + ( + self.command.get('firewall-cmd'), + '--zone', zone, + '--permanent', + '--add-service', service, + ), + ) + self.execute( + ( + self.command.get('firewall-cmd'), + '--reload' + ) + ) + + +# vim: expandtab tabstop=4 shiftwidth=4 -- To view, visit http://gerrit.ovirt.org/15110 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I484902bcc6d85e16454888dbb3cb3a559bb5c8ee Gerrit-PatchSet: 1 Gerrit-Project: otopi Gerrit-Branch: master Gerrit-Owner: Alon Bar-Lev <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
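Review bot: `_misc` builds the target path with `os.path.join(self.FIREWALLD_SERVICES_DIR, '%s.xml' % service)` where `service` is taken verbatim from the `NETWORK_FIREWALLD_SERVICE/` key suffix, so a key containing a path separator or `..` would make the FileTransaction write outside `/etc/firewalld/services`; a guard such as `if os.sep in service or service in ('.', '..'): raise RuntimeError(_('Invalid firewalld service name: %s') % service)` before the append would keep the XML files where the plugin expects them. In `_get_active_zones`, `zone_name, devices = line.split(':')` assumes every output line of `firewall-cmd --get-active-zones` has exactly one colon; the output format of that command appears to differ between firewalld versions (some print the zone name alone on one line with interfaces on an indented line), in which case the unpack raises ValueError, so a comment stating which format is expected and a `continue` on lines that do not match would be safer. In `_closeup` the services are then added with `--permanent --add-service` to every active zone rather than to a configured one, which opens each service on all zone-attached interfaces; if that is intended, a comment such as `# services are opened on all active zones, not only the management one` would make the exposure explicit. Note also that `_closeup` stops iptables before firewalld is started, which leaves a short window with neither service running; documenting that ordering choice in the existing "avoid conflicts" comment would help a maintainer.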
