On 09/04/2015 05:20 PM, Christopher Blum wrote:
Where do you add the services to the zone? I couldn't find that in
your code...
By default it is not attached to any zone, admin has to enable
glusterfs-static service to his/her active zone after installation.
Christopher Blum
Associate Storage Consultant
Global Storage Consulting, Red Hat
+49 711 96 43 7009 <tel:%2B49%20711%2096%2043%207009>
On Fri, Sep 4, 2015 at 5:37 AM, Anand Nekkunti <[email protected]
<mailto:[email protected]>> wrote:
see comments below
On 09/01/2015 02:47 PM, Anand Nekkunti wrote:
Hi All
From firewalld doc and my experiments , I understood that we
don't have any option to add/remove port to/from service
runtime/permanent (this can double for zone) . The only way is
modifying service xml file but it requires firewall reload (which
cause the loosing run time settings).
Is there any way to reload firewall without loosing run
time settings or is there any way to reload particular service.
Regards
Anand.N
On 09/01/2015 12:49 PM, Christopher Blum wrote:
There is a function in the d-bus interface:
getZoneOfInterface(s: interface) → s
that will return the current zone of the interface and you can
then add ports to that interface.
As far as I see it, the hooks get only executed when I start the
volume, right? So when I created and started the volume, but
then change the zone of the interface, we need to detect that (I
guess it would be enough to handle that on reboot) and move the
ports/services to the new zone.
Regarding Org.fedoraproject.firewalld1.config.service - I think
that would need additional tests if that is really only for the
persistent config, or if the changes are also applied in the
running config.
Christopher Blum
Associate Storage Consultant
Global Storage Consulting, Red Hat
+49 711 96 43 7009 <tel:%2B49%20711%2096%2043%207009>
On Tue, Sep 1, 2015 at 8:58 AM, Kaushal M <[email protected]
<mailto:[email protected]>> wrote:
On Mon, Aug 31, 2015 at 5:15 PM, Kaushal M
<[email protected] <mailto:[email protected]>> wrote:
> Hi all,
>
> I wanted know if there is any existing information on how
to manage
> dynamically changing services using firewalld. If there
are none
> existing, could you please let us know if the approach
we're following
> below is correct.
>
> We want to provide firewalld service configuration for
GlusterFS. One
> of the properties of GlusterFS is that it has a set of
fixed ports,
> and a set of dynamic ports, which need to be opened.
>
> We propose to ship 2 firewalld services with GlusterFS.
> - glusterfs-static - This contains the list of static
ports that
> should be opened up. This is placed in
/usr/lib/firewalld/services
> - glusterfs-dynamic - This will contain the list of
dynamic ports.
> This will be shipped empty, and be placed in
/etc/firewalld/services .
> The ports in this service will be kept updated by a couple
of scripts,
> which hook into the glusterfs start/stop events.
>
> The scripts, add or remove ports from the
glusterfs-dyanmic.xml file,
> and call `firewall-cmd --reload` to have firewalld reload
> configuration. We do it this way, instead of using a dbus
call because
> we want the configuration to be persisted, and also
applied live.
>
> We've tested this, and this works. But we'd like to
validate this
> solution with you guys.
>
> Do you see any issues with our approach? Is there anything
we could do
> to improve the solution.
>
> For reference, the glusterfs bug and proposed solution are
available
> at [1] and [2].
>
> Thanks.
>
> Kaushal
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1253967
> [2] http://review.gluster.org/11989
>
> PS: Apologies if I should have posted this to the users
list instead.
I've had a private conversation with Christopher Blum (CCd), who
identified a major flaw with our current solution. Having
firewalld
reload will cause any runtime rules that were set to be
lost. This
should be avoided at all costs.
Chris suggested using firewalld dbus commands [1] which
could solve
this. We have dbus commands to add/remove ports from a service
permanently. This is an alternative to updating the service
xml files.
But we don't see a method to update a service during runtime.
There are dbus commands to add/remove ports to zones during
runtime.
But this is not useful as we wouldn't know which zone to
apply it to.
One of the reasons we chose to use services was this.
So now we have two questions,
1. Is there a way to do a runtime modification of a
firewalld service
it seems firewalld not supporting for run time
service update, but we can add and remove ports
from zone
2. If not, is there a easy way to get active zones, which
have our
services enabled and add/remove ports from them.
we can get the services which are enabled in zone using
below command
firewall-cmd --zone=$zone --list-services
I have updated hook script in my patch[1] , it
identify the zones which have gluster services enabled and it
add/remove the port in zone(s) so that we can avoid
firewall reload. I have tested this script with
different test cases
[1].http://review.gluster.org/#/c/11989/
Thanks.
Kaushal
[1] https://www.mankier.com/5/firewalld.dbus
[2]
https://www.mankier.com/5/firewalld.dbus#Interfaces-Org.fedoraproject.firewalld1.config.service
_______________________________________________
Gluster-devel mailing list
[email protected] <mailto:[email protected]>
http://www.gluster.org/mailman/listinfo/gluster-devel
_______________________________________________
Gluster-devel mailing list
[email protected] <mailto:[email protected]>
http://www.gluster.org/mailman/listinfo/gluster-devel
_______________________________________________
Gluster-devel mailing list
[email protected]
http://www.gluster.org/mailman/listinfo/gluster-devel
