From d51815d7d0b065e447e5f51f26f1f724d2a3406f Mon Sep 17 00:00:00 2001

From: anand <anekkunt@redhat.com>

Date: Sat, 22 Aug 2015 01:09:53 +0530

Subject: [PATCH 326/330] firewall/spec: Create glusterfs firewall service if firewalld installed.

It creates glusterfs firewall service during installation.

glusterfs service : It contains all default ports which needs to be opened.

During installation  glusterfs.xml is copied into firewall service directory(/usr/lib/firewalld/services/).

Note:

1.For bricks: It opens the 512 ports, if brick is running out side this range(>49664) then admin need to open the port

for that brick.

2.By default this service is not enabled in any of zone.

To enable this service(glusterfs) in firewall:

1. Get active zone(s) in node

     firewall-cmd  --get-active-zones

2. Enable this service(glusterfs) to zone(s)

   firewall-cmd  --zone=<zone_name>  --add-service=glusterfs               --To apply runtime

   firewall-cmd  --permanent  --zone=<zone_name>  --add-service=glusterfs  --To apply permanent

Note:

  we can also use firewall-config which gives GUI to configure firewall.

Backportof:

>>http://review.gluster.org/#/c/11989/19

>>Change-Id: Id97fe620c560fd10599511d751aed11a99ba4da5

>>BUG: 1253967

Change-Id: I8fde5d908098d490aa4ab39877aab8dc44ebeacc

BUG: 1253774

Signed-off-by: anand <anekkunt@redhat.com>

Reviewed-on: https://code.engineering.redhat.com/gerrit/57564

Reviewed-by: Kaushal Madappa <kaushal@redhat.com>

Reviewed-by: Atin Mukherjee <amukherj@redhat.com>

Tested-by: Atin Mukherjee <amukherj@redhat.com>

---

 configure.ac                   |   18 ++++++++++++++++++

 extras/Makefile.am             |    2 +-

 extras/firewalld/Makefile.am   |    6 ++++++

 extras/firewalld/glusterfs.xml |   13 +++++++++++++

 glusterfs.spec.in              |   36 ++++++++++++++++++++++++++++++++++++

 5 files changed, 74 insertions(+), 1 deletions(-)

 create mode 100644 extras/firewalld/Makefile.am

 create mode 100644 extras/firewalld/glusterfs.xml

diff --git a/configure.ac b/configure.ac

index a93c1cd..dfe105f 100644

--- a/configure.ac

+++ b/configure.ac

@@ -211,6 +211,7 @@ AC_CONFIG_FILES([Makefile

                 extras/ocf/volume

                 extras/LinuxRPM/Makefile

                 extras/geo-rep/Makefile

+                extras/firewalld/Makefile

                 extras/hook-scripts/add-brick/Makefile

                 extras/hook-scripts/add-brick/pre/Makefile

                 extras/hook-scripts/add-brick/post/Makefile

@@ -731,6 +732,22 @@ AC_SUBST(ZLIB_CFLAGS)

 AC_SUBST(ZLIB_LIBS)

 # end CDC xlator secion

+#start firewalld section

+BUILD_FIREWALLD="no"

+AC_ARG_ENABLE([firewalld],

+              AC_HELP_STRING([--enable-firewalld],

+                             [enable installation configuration for firewalld]),

+              [BUILD_FIREWALLD="${enableval}"], [BUILD_FIREWALLD="no"])

+

+if test "x${BUILD_FIREWALLD}" = "xyes"; then

+        if !(which firewalld 1>/dev/null 2>&1) ; then

+                BUILD_FIREWALLD="no (firewalld not installed)"

+        fi

+fi

+AM_CONDITIONAL([USE_FIREWALLD],test ["x${BUILD_FIREWALLD}" =  "xyes"])

+

+#endof firewald section

+

 # Data tiering requires sqlite

 AC_ARG_ENABLE([tiering],

                AC_HELP_STRING([--disable-tiering],

@@ -1343,4 +1360,5 @@ echo "Encryption xlator    : $BUILD_CRYPT_XLATOR"

 echo "Unit Tests           : $BUILD_UNITTEST"

 echo "POSIX ACLs           : $BUILD_POSIX_ACLS"

 echo "Data Classification  : $BUILD_GFDB"

+echo "firewalld-config     : $BUILD_FIREWALLD"

 echo

diff --git a/extras/Makefile.am b/extras/Makefile.am

index ba2bef3..da99ecc 100644

--- a/extras/Makefile.am

+++ b/extras/Makefile.am

@@ -5,7 +5,7 @@ EditorModedir = $(docdir)

 EditorMode_DATA = glusterfs-mode.el glusterfs.vim

 SUBDIRS = init.d systemd benchmarking hook-scripts $(OCF_SUBDIR) LinuxRPM \

-          $(GEOREP_EXTRAS_SUBDIR) ganesha snap_scheduler

+          $(GEOREP_EXTRAS_SUBDIR) ganesha snap_scheduler firewalld

 confdir = $(sysconfdir)/glusterfs

 conf_DATA = glusterfs-logrotate gluster-rsyslog-7.2.conf gluster-rsyslog-5.8.conf \

diff --git a/extras/firewalld/Makefile.am b/extras/firewalld/Makefile.am

new file mode 100644

index 0000000..a5c11b0

--- /dev/null

+++ b/extras/firewalld/Makefile.am

@@ -0,0 +1,6 @@

+EXTRA_DIST = glusterfs.xml

+

+if USE_FIREWALLD

+staticdir = /usr/lib/firewalld/services/

+static_DATA = glusterfs.xml

+endif

diff --git a/extras/firewalld/glusterfs.xml b/extras/firewalld/glusterfs.xml

new file mode 100644

index 0000000..f8efd90

--- /dev/null

+++ b/extras/firewalld/glusterfs.xml

@@ -0,0 +1,13 @@

+

+<service>

+<short>glusterfs-static</short>

+<description>Default ports for gluster-distributed storage</description>

+<port protocol="tcp" port="24007"/>    

+<port protocol="tcp" port="24008"/>    

+<port protocol="tcp" port="38465"/>    

+<port protocol="tcp" port="38466"/>    

+<port protocol="tcp" port="38467"/>    

+<port protocol="tcp" port="38468"/>    

+<port protocol="tcp" port="38469"/>    

+<port protocol="tcp" port="49152-49664"/>  

+</service>

diff --git a/glusterfs.spec.in b/glusterfs.spec.in

index 78bd311..f9e0447 100644

--- a/glusterfs.spec.in

+++ b/glusterfs.spec.in

@@ -103,6 +103,10 @@

 %global _with_systemd true

 %endif

+%if ( 0%{?fedora} ) || ( 0%{?rhel} && 0%{?rhel} >= 7 )

+%global _with_firewalld --enable-firewalld

+%endif

+

 %if 0%{?_tmpfilesdir:1}

 %define _with_tmpfilesdir --with-tmpfilesdir=%{_tmpfilesdir}

 %else

@@ -243,6 +247,10 @@ BuildRequires:    glib2-devel

 BuildRequires:    libattr-devel

 %endif

+%if (0%{?_with_firewalld:1})

+BuildRequires:    firewalld

+%endif

+

 Obsoletes:        hekafs

 Obsoletes:        %{name}-common < %{version}-%{release}

 Obsoletes:        %{name}-core < %{version}-%{release}

@@ -639,6 +647,7 @@ export LDFLAGS

         %{?_without_epoll} \

         %{?_without_fusermount} \

         %{?_without_georeplication} \

+        %{?_with_firewalld} \

         %{?_without_ocf} \

         %{?_without_qemu_block} \

         %{?_without_rdma} \

@@ -896,6 +905,15 @@ if [ -e /etc/ld.so.conf.d/glusterfs.conf ]; then

     rm -f /etc/ld.so.conf.d/glusterfs.conf

     /sbin/ldconfig

 fi

+

+%if (0%{?_with_firewalld:1})

+#reload service files if firewalld running

+if $(systemctl is-active firewalld 1>/dev/null 2>&1;; then

+  #firewalld-filesystem is not available for rhel7, so command used for reload.

+  firewall-cmd  --reload

+fi

+%endif

+

 pidof -c -o %PPID -x glusterd &> /dev/null

 if [ $? -eq 0 ]; then

     kill -9 `pgrep -f gsyncd.py` &> /dev/null

@@ -956,6 +974,17 @@ fi

 %postun api

 /sbin/ldconfig

+%if ( 0%{?_build_server} )

+%postun server

+%if (0%{?_with_firewalld:1})

+#reload service files if firewalld running

+if $(systemctl is-active firewalld 1>/dev/null 2>&1;; then

+    firewall-cmd  --reload

+fi

+%endif

+%endif

+

+

 %postun libs

 /sbin/ldconfig

@@ -1339,6 +1368,10 @@ fi

 %{_libexecdir}/glusterfs/peer_add_secret_pub

 %endif

+%if ( 0%{?_with_firewalld:1} )

+/usr/lib/firewalld/services/glusterfs.xml

+%endif

+

 ##-----------------------------------------------------------------------------

 ## All %pretrans should be placed here and keep them sorted

@@ -1931,6 +1964,9 @@ end

 %changelog

+* Tue Aug 25 2015 Anand Nekkunti <anekkunt@redhat.com>

+- adding glusterfs-firewalld service (#1253774)

+

 * Fri Jun 19 2015 Bala.FA <barumuga@redhat.com>

 - exclude libgfdb.pc conditionally for rhel-5 (#1233486)

-- 

1.7.1