authoranand <anekkunt@redhat.com>2015-08-22 01:09:53 +0530
committerVijay Bellur <vbellur@redhat.com>2015-09-10 23:44:50 -0700
commit7f327d3b4f9222995d2ee78862e48ca44c28411c (patch)
treed9bfa0ce8ab13e073fca84114ef8eb5a2307125d
parent22cad7b522f223b47d87df6724f34273306ab7cd (diff)
firewall/spec: Create glusterfs firewall service if firewalld installed.
It creates the glusterfs firewall service during installation. glusterfs service: It contains all default ports which need to be opened. During installation glusterfs.xml is copied into the firewall service directory (/usr/lib/firewalld/services/). Note: 1. For bricks: It opens the 512 ports; if a brick is running outside this range (>49664) then the admin needs to open the port for that brick. 2. By default this service is not enabled in any zone. To enable this service (glusterfs) in the firewall: 1. Get the active zone(s) on the node: firewall-cmd --get-active-zones 2. Attach this service (glusterfs) to the zone(s): firewall-cmd --zone=<zone_name> --add-service=glusterfs --To apply runtime firewall-cmd --permanent --zone=<zone_name> --add-service=glusterfs --To apply permanent Note: we can also use firewall-config, which gives a GUI to configure the firewall. Change-Id: Id97fe620c560fd10599511d751aed11a99ba4da5 BUG: 1253967 Signed-off-by: anand <anekkunt@redhat.com> Reviewed-on: http://review.gluster.org/11989 Reviewed-by: Niels de Vos <ndevos@redhat.com> Tested-by: NetBSD Build System <jenkins@build.gluster.org> Tested-by: Gluster Build System <jenkins@build.gluster.com>
-rw-r--r--configure.ac18
-rw-r--r--extras/Makefile.am2
-rw-r--r--extras/firewalld/Makefile.am6
-rw-r--r--extras/firewalld/glusterfs.xml13
-rw-r--r--glusterfs.spec.in34
5 files changed, 72 insertions, 1 deletions
diff --git a/configure.ac b/configure.ac
index a46b532fdd2..3245d1fa20c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -211,6 +211,7 @@ AC_CONFIG_FILES([Makefile
extras/ocf/volume
extras/LinuxRPM/Makefile
extras/geo-rep/Makefile
+ extras/firewalld/Makefile
extras/hook-scripts/add-brick/Makefile
extras/hook-scripts/add-brick/pre/Makefile
extras/hook-scripts/add-brick/post/Makefile
@@ -731,6 +732,22 @@ AC_SUBST(ZLIB_CFLAGS)
AC_SUBST(ZLIB_LIBS)
# end CDC xlator secion
+#start firewalld section
+BUILD_FIREWALLD="no"
+AC_ARG_ENABLE([firewalld],
+ AC_HELP_STRING([--enable-firewalld],
+ [enable installation configuration for firewalld]),
+ [BUILD_FIREWALLD="${enableval}"], [BUILD_FIREWALLD="no"])
+
+if test "x${BUILD_FIREWALLD}" = "xyes"; then
+ if !(which firewalld 1>/dev/null 2>&1) ; then
+ BUILD_FIREWALLD="no (firewalld not installed)"
+ fi
+fi
+AM_CONDITIONAL([USE_FIREWALLD],test ["x${BUILD_FIREWALLD}" = "xyes"])
+
+#endof firewald section
+
# Data tiering requires sqlite
AC_ARG_ENABLE([tiering],
AC_HELP_STRING([--disable-tiering],
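Review bot: The probe `if !(which firewalld 1>/dev/null 2>&1)` depends on the build user's PATH and on `which` being installed, so a host whose firewalld binary lives in a directory such as /usr/sbin that is not on that PATH ends up with the service file silently left out. `!(` written without a space after `!` is also not portable shell. I would use Autoconf's own lookup, for example `AC_PATH_PROG([FIREWALLD], [firewalld], [no], [$PATH:/usr/sbin:/sbin])` followed by `if test "x$FIREWALLD" = "xno"; then`. When `--enable-firewalld` was requested explicitly it may be better to stop with `AC_MSG_ERROR` than to downgrade to "no", since the packager otherwise only learns about it from the summary line. The closing comment `#endof firewald section` misspells firewalld.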
@@ -1351,4 +1368,5 @@ echo "Encryption xlator : $BUILD_CRYPT_XLATOR"
echo "Unit Tests : $BUILD_UNITTEST"
echo "POSIX ACLs : $BUILD_POSIX_ACLS"
echo "Data Classification : $BUILD_GFDB"
+echo "firewalld-config : $BUILD_FIREWALLD"
echo
diff --git a/extras/Makefile.am b/extras/Makefile.am
index 6c11cb4b7a9..76dbb36ab9e 100644
--- a/extras/Makefile.am
+++ b/extras/Makefile.am
@@ -5,7 +5,7 @@ EditorModedir = $(docdir)
EditorMode_DATA = glusterfs-mode.el glusterfs.vim
SUBDIRS = init.d systemd benchmarking hook-scripts $(OCF_SUBDIR) LinuxRPM \
- $(GEOREP_EXTRAS_SUBDIR) ganesha snap_scheduler
+ $(GEOREP_EXTRAS_SUBDIR) ganesha snap_scheduler firewalld
confdir = $(sysconfdir)/glusterfs
conf_DATA = glusterfs-logrotate gluster-rsyslog-7.2.conf gluster-rsyslog-5.8.conf \
diff --git a/extras/firewalld/Makefile.am b/extras/firewalld/Makefile.am
new file mode 100644
index 00000000000..a5c11b0b783
--- /dev/null
+++ b/extras/firewalld/Makefile.am
@@ -0,0 +1,6 @@
+EXTRA_DIST = glusterfs.xml
+
+if USE_FIREWALLD
+staticdir = /usr/lib/firewalld/services/
+static_DATA = glusterfs.xml
+endif
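Review bot: `staticdir = /usr/lib/firewalld/services/` is an absolute path that ignores `--prefix`, so an unprivileged `make install` into a custom prefix with firewalld enabled still tries to write into the system firewalld directory. The same path is repeated literally in the %files list of glusterfs.spec.in, so I would define it once in configure.ac as an `AC_SUBST`ed variable that a packager can override, and reference that here. If the fixed location is intentional, a comment such as `# firewalld reads packaged service definitions from this directory, hence not prefix-relative` would record why.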
diff --git a/extras/firewalld/glusterfs.xml b/extras/firewalld/glusterfs.xml
new file mode 100644
index 00000000000..f8efd90c3b5
--- /dev/null
+++ b/extras/firewalld/glusterfs.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>glusterfs-static</short>
+<description>Default ports for gluster-distributed storage</description>
+<port protocol="tcp" port="24007"/> <!--For glusterd -->
+<port protocol="tcp" port="24008"/> <!--For glusterd RDMA port management -->
+<port protocol="tcp" port="38465"/> <!--Gluster NFS service -->
+<port protocol="tcp" port="38466"/> <!--Gluster NFS service -->
+<port protocol="tcp" port="38467"/> <!--Gluster NFS service -->
+<port protocol="tcp" port="38468"/> <!--Gluster NFS service -->
+<port protocol="tcp" port="38469"/> <!--Gluster NFS service -->
+<port protocol="tcp" port="49152-49664"/> <!--512 ports for bricks -->
+</service>
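Review bot: The brick range `port="49152-49664"` is inclusive, so it opens 513 ports while the comment says 512; either end the range at 49663 or correct the comment. The range also lies in the dynamic/ephemeral port range, so once the service is added to a zone any other listener that happens to bind there becomes reachable whether or not a brick is running. A comment such as `<!-- brick ports; narrow this range to the bricks actually configured on the node -->` would make that trade-off visible to administrators. `<short>glusterfs-static</short>` also differs from the service name `glusterfs` used in the commit description, which may confuse anyone matching firewalld output against the documentation.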
diff --git a/glusterfs.spec.in b/glusterfs.spec.in
index 93cefe2a1b3..109819f3ecf 100644
--- a/glusterfs.spec.in
+++ b/glusterfs.spec.in
@@ -89,6 +89,10 @@
%global _with_systemd true
%endif
+%if ( 0%{?fedora} ) || ( 0%{?rhel} && 0%{?rhel} >= 7 )
+%global _with_firewalld --enable-firewalld
+%endif
+
%if 0%{?_tmpfilesdir:1}
%define _with_tmpfilesdir --with-tmpfilesdir=%{_tmpfilesdir}
%else
@@ -229,6 +233,10 @@ BuildRequires: glib2-devel
BuildRequires: libattr-devel
%endif
+%if (0%{?_with_firewalld:1})
+BuildRequires: firewalld
+%endif
+
Obsoletes: hekafs
Obsoletes: %{name}-common < %{version}-%{release}
Obsoletes: %{name}-core < %{version}-%{release}
@@ -595,6 +603,7 @@ This package provides the translators needed on any GlusterFS client.
%{?_without_epoll} \
%{?_without_fusermount} \
%{?_without_georeplication} \
+ %{?_with_firewalld} \
%{?_without_ocf} \
%{?_without_qemu_block} \
%{?_without_rdma} \
@@ -875,6 +884,15 @@ if [ -e /etc/ld.so.conf.d/glusterfs.conf ]; then
rm -f /etc/ld.so.conf.d/glusterfs.conf
/sbin/ldconfig
fi
+
+%if (0%{?_with_firewalld:1})
+#reload service files if firewalld running
+if $(systemctl is-active firewalld 1>/dev/null 2>&1); then
+ #firewalld-filesystem is not available for rhel7, so command used for reload.
+ firewall-cmd --reload
+fi
+%endif
+
pidof -c -o %PPID -x glusterd &> /dev/null
if [ $? -eq 0 ]; then
kill -9 `pgrep -f gsyncd.py` &> /dev/null
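Review bot: `firewall-cmd --reload` in this %post scriptlet replaces the runtime configuration with the permanent one, so any rule an administrator added without `--permanent` is dropped as a side effect of installing or upgrading the package; the same call is added in the new `%postun server` scriptlet further down. If the reload is kept, that side effect deserves a comment, e.g. `# NOTE: reload discards runtime-only firewalld changes`. The guard `if $(systemctl is-active firewalld 1>/dev/null 2>&1); then` works only because an empty command substitution yields the substituted command's exit status; `if systemctl is-active --quiet firewalld; then` says the same thing directly. The scriptlet starts above this hunk and continues past it.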
@@ -932,6 +950,15 @@ fi
%postun api
/sbin/ldconfig
+%postun server
+%if (0%{?_with_firewalld:1})
+#reload service files if firewalld running
+if $(systemctl is-active firewalld 1>/dev/null 2>&1); then
+ firewall-cmd --reload
+fi
+%endif
+
+
%postun libs
/sbin/ldconfig
@@ -1232,11 +1259,18 @@ fi
%{_libexecdir}/glusterfs/peer_add_secret_pub
%{_sharedstatedir}/glusterd/hooks/1/delete/post/S57glusterfind-delete-post.py
+%if ( 0%{?_with_firewalld:1} )
+/usr/lib/firewalld/services/glusterfs.xml
+%endif
+
%changelog
* Tue Sep 1 2015 Kaleb S. KEITHLEY <kkeithle@redhat.com>
- erroneous ghost of ../hooks/1/delete causes install failure (#1258975)
+* Tue Aug 25 2015 Anand Nekkunti <anekkunt@redhat.com>
+- adding glusterfs-firewalld service (#1253967)
+
* Tue Aug 18 2015 Niels de Vos <ndevos@redhat.com>
- Include missing directories for glusterfind hooks scripts (#1225465)