Dmitri, I'd be more than happy to, but I'm having trouble figuring out where it should go. Could you send me a link to a similar design page?
Thanks,
Justin

On Mon, Apr 7, 2014 at 6:51 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 04/07/2014 09:00 AM, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Fri, 2014-04-04 at 09:59 +0200, Petr Spacek wrote:
>>>> On 4.4.2014 09:17, Martin Kosek wrote:
>>>>> On 04/04/2014 09:04 AM, Justin Brown wrote:
>>>>>>> I would actually do it the opposite way and open the ports after the FreeIPA server is fully configured. After all, I do not think we want to open the ports when the server is just half-configured and for example some ACIs are missing.
>>>>>>
>>>>>> My thinking was that nothing would be listening on these ports if the install doesn't succeed, but there's really necessity to modify the firewall configuration early. (All of the internal install communication will be over a local interface (to netfilter) and unblock anyways. I don't have any problem in delaying firewall configuration to the end of install.
>>>>>
>>>>> If ipa-server-install does succeed without configuring the firewalld, then we will indeed have no other option than to do it early.
>>>>>
>>>>> I am thinking that we may want to put all the firewalld configuration in ipaserver/install/firewalldinstance.py, and then make the firewalld configuration the actual step of the installation. Something like:
>>>>>
>>>>> ...
>>>>> Configuring Firewall (firewalld)
>>>>>   [1/2]: looking up the right zone
>>>>>   [2/2]: allowing ports
>>>>> Done configuring Firewall (firewalld).
>>>>> ...
>>>>>
>>>>> The Service class derived object can be really simple, we would just reuse the functionality it already has + let us properly hook into it in ipa-{server,replica}-install and the uninstallation.
>>>>>
>>>>> It would also make it easier to split this functionality to freeipa-server-firewalld if we chose to in the future.
>>>>
>>>> In general I agree with the idea, thank you Justin for working on that!
>>>>
>>>> I would like to emphasize the necessity to work without NetworkManager and FirewallD. New dependencies make Debian folks unhappy ...
>>>>
>>>> On the other hand, it is perfectly fine to skip firewall configuration if NM/FirewallD/DBus is not available.
>>>>
>>>> Have a nice day!
>>>
>>> Should be easy, probe for the dbus firewalld service and just skip (not error out) if it is not there.
>>> Set a variable in that case that will cause the installer to throw the classic banner we have now which warns you about what ports need to be opened at the end of the install.
>>
>> Probably just need to spit out a large, preferably flashing warning that the firewall has not been automatically configured. Perhaps even multiple times: one in-line and one at the install summary at the end.
>>
>> rob
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> Thanks for looking into this!
>
> Would it be possible to summarize this thread in a design page on the wiki?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
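The fallback Simo and Rob describe above (probe for the firewalld D-Bus service, skip without erroring when it is absent, and hand back the classic ports banner so the installer can print it in-line and again in the summary), as an added Python sketch that is not FreeIPA's own code. The port list, the firewalld bus name and the firewall-cmd fallback are assumptions taken from FreeIPA and firewalld documentation, and the probe and allow-port actions are injectable so the step can be exercised on a host without firewalld.

```python
"""Added sketch of an installer step for the firewalld fallback discussed in
the thread. Hypothetical; not FreeIPA's ipaserver/install/firewalldinstance.py."""
import subprocess

# Ports a FreeIPA server needs open (assumption taken from FreeIPA's install docs).
IPA_PORTS = [("80", "tcp"), ("443", "tcp"), ("389", "tcp"), ("636", "tcp"),
             ("88", "tcp"), ("88", "udp"), ("464", "tcp"), ("464", "udp"),
             ("123", "udp")]
FIREWALLD_BUS_NAME = "org.fedoraproject.FirewallD1"   # firewalld's well-known D-Bus name


def firewalld_on_dbus():
    """Probe the system bus for firewalld. Any failure (no dbus module, no
    system bus, no firewalld) means 'not available', never an installer error."""
    try:
        import dbus
        return bool(dbus.SystemBus().name_has_owner(FIREWALLD_BUS_NAME))
    except Exception:
        return False


def add_port_with_firewall_cmd(zone, port, proto):
    """Default 'allow port' action: a permanent rule via firewall-cmd (assumed present)."""
    subprocess.check_call(["firewall-cmd", "--permanent", "--zone", zone,
                           "--add-port", "%s/%s" % (port, proto)])


def ports_banner():
    """The classic end-of-install warning, returned as text so the caller can
    print it in-line and repeat it in the install summary."""
    lines = ["WARNING: firewalld was not detected; the firewall has NOT been",
             "configured. Open these ports to the server manually:"]
    lines += ["  %s/%s" % (port, proto) for port, proto in IPA_PORTS]
    return "\n".join(lines)


def configure_firewall(zone="public", probe=firewalld_on_dbus,
                       add_port=add_port_with_firewall_cmd):
    """Installer step. Returns (configured, banner): banner is '' when the
    ports were opened, otherwise the warning text. A missing firewalld only
    flips the flag; it never raises."""
    if not probe():
        return False, ports_banner()
    for port, proto in IPA_PORTS:
        add_port(zone, port, proto)
    return True, ""
```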