From d51815d7d0b065e447e5f51f26f1f724d2a3406f Mon Sep 17 00:00:00 2001
From: anand <anekkunt@redhat.com>
Date: Sat, 22 Aug 2015 01:09:53 +0530
Subject: [PATCH 326/330] firewall/spec: Create glusterfs firewall service if firewalld installed.

It creates glusterfs firewall service during installation.

glusterfs service : It contains all default ports which needs to be opened.
During installation  glusterfs.xml is copied into firewall service directory(/usr/lib/firewalld/services/).

Note:
1.For bricks: It opens the 512 ports, if brick is running out side this range(>49664) then admin need to open the port
for that brick.
2.By default this service is not enabled in any of zone.

To enable this service(glusterfs) in firewall:

1. Get active zone(s) in node
     firewall-cmd  --get-active-zones

2. Enable this service(glusterfs) to zone(s)
   firewall-cmd  --zone=<zone_name>  --add-service=glusterfs               --To apply runtime
   firewall-cmd  --permanent  --zone=<zone_name>  --add-service=glusterfs  --To apply permanent

Note:
  we can also use firewall-config which gives GUI to configure firewall.

Backportof:
>>http://review.gluster.org/#/c/11989/19
>>Change-Id: Id97fe620c560fd10599511d751aed11a99ba4da5
>>BUG: 1253967

Change-Id: I8fde5d908098d490aa4ab39877aab8dc44ebeacc
BUG: 1253774
Signed-off-by: anand <anekkunt@redhat.com>
Reviewed-on: https://code.engineering.redhat.com/gerrit/57564
Reviewed-by: Kaushal Madappa <kaushal@redhat.com>
Reviewed-by: Atin Mukherjee <amukherj@redhat.com>
Tested-by: Atin Mukherjee <amukherj@redhat.com>
---
 configure.ac                   |   18 ++++++++++++++++++
 extras/Makefile.am             |    2 +-
 extras/firewalld/Makefile.am   |    6 ++++++
 extras/firewalld/glusterfs.xml |   13 +++++++++++++
 glusterfs.spec.in              |   36 ++++++++++++++++++++++++++++++++++++
 5 files changed, 74 insertions(+), 1 deletions(-)
 create mode 100644 extras/firewalld/Makefile.am
 create mode 100644 extras/firewalld/glusterfs.xml

diff --git a/configure.ac b/configure.ac
index a93c1cd..dfe105f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -211,6 +211,7 @@ AC_CONFIG_FILES([Makefile
                 extras/ocf/volume
                 extras/LinuxRPM/Makefile
                 extras/geo-rep/Makefile
+                extras/firewalld/Makefile
                 extras/hook-scripts/add-brick/Makefile
                 extras/hook-scripts/add-brick/pre/Makefile
                 extras/hook-scripts/add-brick/post/Makefile
@@ -731,6 +732,22 @@ AC_SUBST(ZLIB_CFLAGS)
 AC_SUBST(ZLIB_LIBS)
 # end CDC xlator secion
 
+#start firewalld section
+BUILD_FIREWALLD="no"
+AC_ARG_ENABLE([firewalld],
+              AC_HELP_STRING([--enable-firewalld],
+                             [enable installation configuration for firewalld]),
+              [BUILD_FIREWALLD="${enableval}"], [BUILD_FIREWALLD="no"])
+
+if test "x${BUILD_FIREWALLD}" = "xyes"; then
+        if !(which firewalld 1>/dev/null 2>&1) ; then
+                BUILD_FIREWALLD="no (firewalld not installed)"
+        fi
+fi
+AM_CONDITIONAL([USE_FIREWALLD],test ["x${BUILD_FIREWALLD}" =  "xyes"])
+
+#endof firewald section
+
 # Data tiering requires sqlite
 AC_ARG_ENABLE([tiering],
                AC_HELP_STRING([--disable-tiering],
@@ -1343,4 +1360,5 @@ echo "Encryption xlator    : $BUILD_CRYPT_XLATOR"
 echo "Unit Tests           : $BUILD_UNITTEST"
 echo "POSIX ACLs           : $BUILD_POSIX_ACLS"
 echo "Data Classification  : $BUILD_GFDB"
+echo "firewalld-config     : $BUILD_FIREWALLD"
 echo
diff --git a/extras/Makefile.am b/extras/Makefile.am
index ba2bef3..da99ecc 100644
--- a/extras/Makefile.am
+++ b/extras/Makefile.am
@@ -5,7 +5,7 @@ EditorModedir = $(docdir)
 EditorMode_DATA = glusterfs-mode.el glusterfs.vim
 
 SUBDIRS = init.d systemd benchmarking hook-scripts $(OCF_SUBDIR) LinuxRPM \
-          $(GEOREP_EXTRAS_SUBDIR) ganesha snap_scheduler
+          $(GEOREP_EXTRAS_SUBDIR) ganesha snap_scheduler firewalld
 
 confdir = $(sysconfdir)/glusterfs
 conf_DATA = glusterfs-logrotate gluster-rsyslog-7.2.conf gluster-rsyslog-5.8.conf \
diff --git a/extras/firewalld/Makefile.am b/extras/firewalld/Makefile.am
new file mode 100644
index 0000000..a5c11b0
--- /dev/null
+++ b/extras/firewalld/Makefile.am
@@ -0,0 +1,6 @@
+EXTRA_DIST = glusterfs.xml
+
+if USE_FIREWALLD
+staticdir = /usr/lib/firewalld/services/
+static_DATA = glusterfs.xml
+endif
diff --git a/extras/firewalld/glusterfs.xml b/extras/firewalld/glusterfs.xml
new file mode 100644
index 0000000..f8efd90
--- /dev/null
+++ b/extras/firewalld/glusterfs.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>glusterfs-static</short>
+<description>Default ports for gluster-distributed storage</description>
+<port protocol="tcp" port="24007"/>    <!--For glusterd -->
+<port protocol="tcp" port="24008"/>    <!--For glusterd RDMA port management -->
+<port protocol="tcp" port="38465"/>    <!--Gluster NFS service -->
+<port protocol="tcp" port="38466"/>    <!--Gluster NFS service -->
+<port protocol="tcp" port="38467"/>    <!--Gluster NFS service -->
+<port protocol="tcp" port="38468"/>    <!--Gluster NFS service -->
+<port protocol="tcp" port="38469"/>    <!--Gluster NFS service -->
+<port protocol="tcp" port="49152-49664"/>  <!--512 ports for bricks -->
+</service>
diff --git a/glusterfs.spec.in b/glusterfs.spec.in
index 78bd311..f9e0447 100644
--- a/glusterfs.spec.in
+++ b/glusterfs.spec.in
@@ -103,6 +103,10 @@
 %global _with_systemd true
 %endif
 
+%if ( 0%{?fedora} ) || ( 0%{?rhel} && 0%{?rhel} >= 7 )
+%global _with_firewalld --enable-firewalld
+%endif
+
 %if 0%{?_tmpfilesdir:1}
 %define _with_tmpfilesdir --with-tmpfilesdir=%{_tmpfilesdir}
 %else
@@ -243,6 +247,10 @@ BuildRequires:    glib2-devel
 BuildRequires:    libattr-devel
 %endif
 
+%if (0%{?_with_firewalld:1})
+BuildRequires:    firewalld
+%endif
+
 Obsoletes:        hekafs
 Obsoletes:        %{name}-common < %{version}-%{release}
 Obsoletes:        %{name}-core < %{version}-%{release}
@@ -639,6 +647,7 @@ export LDFLAGS
         %{?_without_epoll} \
         %{?_without_fusermount} \
         %{?_without_georeplication} \
+        %{?_with_firewalld} \
         %{?_without_ocf} \
         %{?_without_qemu_block} \
         %{?_without_rdma} \
@@ -896,6 +905,15 @@ if [ -e /etc/ld.so.conf.d/glusterfs.conf ]; then
     rm -f /etc/ld.so.conf.d/glusterfs.conf
     /sbin/ldconfig
 fi
+
+%if (0%{?_with_firewalld:1})
+#reload service files if firewalld running
+if $(systemctl is-active firewalld 1>/dev/null 2>&1); then
+  #firewalld-filesystem is not available for rhel7, so command used for reload.
+  firewall-cmd  --reload
+fi
+%endif
+
 pidof -c -o %PPID -x glusterd &> /dev/null
 if [ $? -eq 0 ]; then
     kill -9 `pgrep -f gsyncd.py` &> /dev/null
@@ -956,6 +974,17 @@ fi
 %postun api
 /sbin/ldconfig
 
+%if ( 0%{?_build_server} )
+%postun server
+%if (0%{?_with_firewalld:1})
+#reload service files if firewalld running
+if $(systemctl is-active firewalld 1>/dev/null 2>&1); then
+    firewall-cmd  --reload
+fi
+%endif
+%endif
+
+
 %postun libs
 /sbin/ldconfig
 
@@ -1339,6 +1368,10 @@ fi
 %{_libexecdir}/glusterfs/peer_add_secret_pub
 %endif
 
+%if ( 0%{?_with_firewalld:1} )
+/usr/lib/firewalld/services/glusterfs.xml
+%endif
+
 
 ##-----------------------------------------------------------------------------
 ## All %pretrans should be placed here and keep them sorted
@@ -1931,6 +1964,9 @@ end
 
 %changelog
 
+* Tue Aug 25 2015 Anand Nekkunti <anekkunt@redhat.com>
+- adding glusterfs-firewalld service (#1253774)
+
 * Fri Jun 19 2015 Bala.FA <barumuga@redhat.com>
 - exclude libgfdb.pc conditionally for rhel-5 (#1233486)
 
-- 
1.7.1