Alon Bar-Lev has uploaded a new change for review.

Change subject: network: firewalld: initial add
......................................................................

network: firewalld: initial add

Change-Id: I484902bcc6d85e16454888dbb3cb3a559bb5c8ee
Signed-off-by: Alon Bar-Lev <[email protected]>
---
M ChangeLog
M README.environment
M po/POTFILES.in
M src/otopi/constants.py
M src/plugins/otopi/network/Makefile.am
M src/plugins/otopi/network/__init__.py
A src/plugins/otopi/network/firewalld.py
7 files changed, 217 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/otopi refs/changes/10/15110/1

diff --git a/ChangeLog b/ChangeLog
index 64e5636..f5318b6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,7 @@
  * dialog: support tuples for note like list.
  * build: re-introduce external gettext packaging.
  * services: openrc: do not fail set startup if service missing.
+ * network: add firewalld support.
 
 2013-02-14 - Version 1.0.0
 
diff --git a/README.environment b/README.environment
index 0df8a0e..e768d8a 100644
--- a/README.environment
+++ b/README.environment
@@ -94,6 +94,16 @@
 NETWORK/iptablesRules(multi-str)
     iptables content.
 
+NETWORK/firewalldEnable(bool) [False]
+    Enable set of firewalld.
+
+NETWORK/firewalldAvailable(bool)
+    Firewalld is enabled.
+
+NETWORK_FIREWALLD_SERVICE/<service>
+    Firewalld service to write and enable.
+    <service> is the name and the value is the rule content.
+
 PACKAGER/yumpackagerEnabled(bool) [True]
     Enable yum packager.
 
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 0810896..5aae2ba 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -26,6 +26,7 @@
 ./src/plugins/otopi/dialog/__init__.py
 ./src/plugins/otopi/dialog/machine.py
 ./src/plugins/otopi/dialog/misc.py
+./src/plugins/otopi/network/firewalld.py
 ./src/plugins/otopi/network/hostname.py
 ./src/plugins/otopi/network/__init__.py
 ./src/plugins/otopi/network/iptables.py
diff --git a/src/otopi/constants.py b/src/otopi/constants.py
index d921fd6..7f9fefd 100644
--- a/src/otopi/constants.py
+++ b/src/otopi/constants.py
@@ -150,6 +150,9 @@
     SSH_USER = 'NETWORK/sshUser'
     IPTABLES_ENABLE = 'NETWORK/iptablesEnable'
     IPTABLES_RULES = 'NETWORK/iptablesRules'
+    FIREWALLD_ENABLE = 'NETWORK/firewalldEnable'
+    FIREWALLD_AVAILABLE = 'NETWORK/firewalldAvailable'
+    FIREWALLD_SERVICE_PREFIX = 'NETWORK_FIREWALLD_SERVICE/'
 
 
 @util.export
diff --git a/src/plugins/otopi/network/Makefile.am 
b/src/plugins/otopi/network/Makefile.am
index 0735ffb..7843a2e 100644
--- a/src/plugins/otopi/network/Makefile.am
+++ b/src/plugins/otopi/network/Makefile.am
@@ -29,6 +29,7 @@
        hostname.py \
        ssh.py \
        iptables.py \
+       firewalld.py \
        $(NULL)
 
 clean-local: \
diff --git a/src/plugins/otopi/network/__init__.py 
b/src/plugins/otopi/network/__init__.py
index 3654a00..4403187 100644
--- a/src/plugins/otopi/network/__init__.py
+++ b/src/plugins/otopi/network/__init__.py
@@ -27,6 +27,7 @@
 from . import hostname
 from . import ssh
 from . import iptables
+from . import firewalld
 
 
 @util.export
@@ -34,6 +35,7 @@
     hostname.Plugin(context=context)
     ssh.Plugin(context=context)
     iptables.Plugin(context=context)
+    firewalld.Plugin(context=context)
 
 
 # vim: expandtab tabstop=4 shiftwidth=4
diff --git a/src/plugins/otopi/network/firewalld.py 
b/src/plugins/otopi/network/firewalld.py
new file mode 100644
index 0000000..c6c58a5
--- /dev/null
+++ b/src/plugins/otopi/network/firewalld.py
@@ -0,0 +1,199 @@
+#
+# ovirt-engine-setup -- ovirt engine setup
+# Copyright (C) 2013 Red Hat, Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+#
+
+
+"""firewalld plugin."""
+
+import os
+import gettext
+_ = lambda m: gettext.dgettext(message=m, domain='ovirt-engine-setup')
+
+
+from otopi import util
+from otopi import plugin
+from otopi import constants
+from otopi import filetransaction
+
+
[email protected]
+class Plugin(plugin.PluginBase):
+    """firewalld plugin.
+
+    Environment:
+        NetEnv.FIREWALLD_ENABLE -- enable firewalld update
+        NetEnv.FIREWALLD_SERVICE_PREFIX -- services key=service value=content
+
+    """
+
+    FIREWALLD_SERVICES_DIR = '/etc/firewalld/services'
+
+    def _isPermanentSupported(self):
+        """
+        check if firewall-cmd support --permanent option
+        """
+        ret = False
+        firewall_cmd = self.command.get(command='firewall-cmd', optional=True)
+        if firewall_cmd is not None:
+            rc, stdout, stderr = self.execute(
+                (
+                    firewall_cmd,
+                    '--help',
+                ),
+                raiseOnError=False,
+            )
+            ret = ''.join(stdout).find('--permanent') != -1
+        return ret
+
+    def _get_active_zones(self):
+        rc, stdout, stderr = self.execute(
+            (
+                self.command.get('firewall-cmd'),
+                '--get-active-zones',
+            ),
+        )
+        zones = {}
+        for line in stdout:
+            zone_name, devices = line.split(':')
+            zones[zone_name] = devices.split()
+        return zones
+
+    def __init__(self, context):
+        super(Plugin, self).__init__(context=context)
+        self._enabled = True
+        self._services = []
+
+    @plugin.event(
+        stage=plugin.Stages.STAGE_INIT,
+    )
+    def _init(self):
+        self.environment.setdefault(
+            constants.NetEnv.FIREWALLD_ENABLE,
+            False
+        )
+        self.environment.setdefault(
+            constants.NetEnv.FIREWALLD_AVAILABLE,
+            False
+        )
+
+    @plugin.event(
+        stage=plugin.Stages.STAGE_SETUP,
+        condition=lambda self: self._enabled,
+    )
+    def _setup(self):
+        self.command.detect(command='firewall-cmd')
+
+    @plugin.event(
+        stage=plugin.Stages.STAGE_CUSTOMIZATION,
+        condition=lambda self: self._enabled,
+        priority=plugin.Stages.PRIORITY_FIRST,
+    )
+    def _customization(self):
+        self._enabled = self.environment[
+            constants.NetEnv.FIREWALLD_AVAILABLE
+        ] = (
+            self.services.exists('firewalld') and
+            self._isPermanentSupported()
+        )
+
+    @plugin.event(
+        stage=plugin.Stages.STAGE_VALIDATION,
+        condition=lambda self: self._enabled,
+    )
+    def _validation(self):
+        self._enabled = self.environment[
+            constants.NetEnv.FIREWALLD_ENABLE
+        ]
+
+    @plugin.event(
+        stage=plugin.Stages.STAGE_MISC,
+        condition=lambda self: self._enabled,
+    )
+    def _misc(self):
+        for service, content in [
+            (
+                key[len(constants.NetEnv.FIREWALLD_SERVICE_PREFIX):],
+                content,
+            )
+            for key, content in self.environment.items()
+            if key.startswith(
+                constants.NetEnv.FIREWALLD_SERVICE_PREFIX
+            )
+        ]:
+            self._services.append(service)
+            self.environment[constants.CoreEnv.MAIN_TRANSACTION].append(
+                filetransaction.FileTransaction(
+                    name=os.path.join(
+                        self.FIREWALLD_SERVICES_DIR,
+                        '%s.xml' % service,
+                    ),
+                    content=content,
+                    modifiedList=self.environment[
+                        constants.CoreEnv.MODIFIED_FILES
+                    ],
+                )
+            )
+
+    @plugin.event(
+        stage=plugin.Stages.STAGE_CLOSEUP,
+        condition=lambda self: self._enabled,
+    )
+    def _closeup(self):
+
+        #
+        # avoid conflicts, diable iptables
+        #
+        if self.services.exists(name='iptables'):
+            self.services.startup(name='iptables', state=False)
+            self.services.state(name='iptables', state=False)
+
+        self.services.state(
+            name='firewalld',
+            state=True,
+        )
+        self.services.startup(name='firewalld', state=True)
+
+        #
+        # Ensure to load the newly written services if firewalld was already
+        # running.
+        #
+        self.execute(
+            (
+                self.command.get('firewall-cmd'),
+                '--reload'
+            )
+        )
+        for zone in self._get_active_zones():
+            for service in self._services:
+                self.execute(
+                    (
+                        self.command.get('firewall-cmd'),
+                        '--zone', zone,
+                        '--permanent',
+                        '--add-service', service,
+                    ),
+                )
+        self.execute(
+            (
+                self.command.get('firewall-cmd'),
+                '--reload'
+            )
+        )
+
+
+# vim: expandtab tabstop=4 shiftwidth=4
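Review bot: The service name that `_misc` derives from the environment key, `key[len(constants.NetEnv.FIREWALLD_SERVICE_PREFIX):]`, is used unvalidated both as a path component in `os.path.join(self.FIREWALLD_SERVICES_DIR, '%s.xml' % service)` and as the argument to `firewall-cmd --add-service`; a suffix containing `/` or `..` would make the FileTransaction target a path outside `/etc/firewalld/services` (an absolute suffix makes `os.path.join` drop the base entirely). If environment keys can be supplied from outside the plugin (answer file or command line, as the README hunk suggests), a guard before the append such as `if not re.match(r'^[A-Za-z0-9_.-]+$', service): raise RuntimeError(_('Invalid firewalld service name: %s') % service)` (with `import re`) would bound the name to what firewalld itself accepts. Separately, `_get_active_zones` unpacks every stdout line with `zone_name, devices = line.split(':')`, which raises ValueError on a blank line or any line without a colon, and yields a wrong tuple if a line has more than one colon; if the installed `firewall-cmd --get-active-zones` prints the zone name and an indented `interfaces:` line separately rather than `zone: devices`, the parser would need to follow that layout, so a comment stating the expected output format, e.g. `# expects one "zone: iface1 iface2" line per active zone -- confirm against the firewalld version in use`, plus skipping lines without a colon would make the assumption visible.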


--
To view, visit http://gerrit.ovirt.org/15110

Gerrit-MessageType: newchange
Gerrit-Change-Id: I484902bcc6d85e16454888dbb3cb3a559bb5c8ee
Gerrit-PatchSet: 1
Gerrit-Project: otopi
Gerrit-Branch: master
Gerrit-Owner: Alon Bar-Lev <[email protected]>