[Freeipa-devel] Ipa-server-install Firewall Support

Dmitri Pal dpal at redhat.com
Mon Apr 7 23:51:25 UTC 2014

On 04/07/2014 09:00 AM, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Fri, 2014-04-04 at 09:59 +0200, Petr Spacek wrote:
>>> On 4.4.2014 09:17, Martin Kosek wrote:
>>>> On 04/04/2014 09:04 AM, Justin Brown wrote:
>>>>>> I would actually do it the opposite way and open the ports after 
>>>>>> the FreeIPA server is fully configured. After all, I do not think 
>>>>>> we want to open the ports when the server is just half-configured 
>>>>>> and for example some ACIs are missing.
>>>>> My thinking was that nothing would be listening on these ports if the
>>>>> install doesn't succeed, but there's really necessity to modify the
>>>>> firewall configuration early. (All of the internal install
>>>>> communication will be over a local interface (to netfilter) and
>>>>> unblock anyways.) I don't have any problem in delaying firewall
>>>>> configuration to the end of install.
>>>> If ipa-server-install does succeed without configuring the firewalld, then we
>>>> will indeed have no other option than to do it early.
>>>> I am thinking that we may want to put all the firewalld configuration in
>>>> ipaserver/install/firewalldinstance.py, and then make the firewalld
>>>> configuration the actual step of the installation.
>>>> Something like:
>>>> ...
>>>> Configuring Firewall (firewalld)
>>>>     [1/2]: looking up the right zone
>>>>     [2/2]: allowing ports
>>>> Done configuring Firewall (firewalld).
>>>> ...
>>>> The Service class derived object can be really simple, we would just reuse the
>>>> functionality it already has + let us properly hook into it in
>>>> ipa-{server,replica}-install and the uninstallation.
>>>> It would also make it easier to split this functionality to
>>>> freeipa-server-firewalld if we chose to in the future.
>>> In general I agree with the idea, thank you Justin for working on that!
>>> I would like to emphasize the necessity to work without NetworkManager and
>>> FirewallD. New dependencies make Debian folks unhappy ...
>>> On the other hand, it is perfectly fine to skip firewall configuration if
>>> NM/FirewallD/DBus is not available.
>>> Have a nice day!
>> Should be easy, probe for the dbus firewalld service and just skip (not
>> error out) if it is not there.
>> Set a variable in that case that will cause the installer to throw the
>> classic banner we have now which warns you about what ports need to be
>> opened at the end of the install.
> Probably just need to spit out a large, preferably flashing warning 
> that the firewall has not been automatically configured. Perhaps even 
> multiple times: one in-line and one at the install summary at the end.
> rob
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Thanks for looking into this!

Would it be possible to summarize this thread in a design page on the wiki?

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

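As an added illustration of the approach the thread converges on (a Service-style installer step with the two sub-steps Martin sketched, plus Simo's probe-and-skip when firewalld is absent), here is example code that is not FreeIPA's own. It assumes `firewall-cmd` as the probe (it talks to firewalld over D-Bus) and a constructed port list; the `runner` argument is a hypothetical injection point so the step can be exercised without a live firewalld.

```python
import subprocess

# Constructed list of ports a FreeIPA server needs (assumed; the real banner is authoritative).
IPA_PORTS = ["80/tcp", "443/tcp", "389/tcp", "636/tcp",
             "88/tcp", "88/udp", "464/tcp", "464/udp", "123/udp"]

def run_cmd(args):
    """Run a command, returning (exit_code, stdout); injectable so tests can fake it."""
    try:
        p = subprocess.run(args, capture_output=True, text=True)
    except FileNotFoundError:  # firewall-cmd not installed at all
        return 127, ""
    return p.returncode, p.stdout.strip()

class FirewalldInstance:
    def __init__(self, ports=IPA_PORTS, runner=run_cmd):
        self.ports, self.run = list(ports), runner
        self.zone = None
        self.skipped = False  # True -> installer prints the classic 'open these ports' warning
    def is_available(self):
        # 'firewall-cmd --state' talks to firewalld over D-Bus; any failure means "absent".
        rc, _ = self.run(["firewall-cmd", "--state"])
        return rc == 0
    def lookup_zone(self):  # step [1/2]: looking up the right zone
        rc, out = self.run(["firewall-cmd", "--get-default-zone"])
        if rc != 0 or not out:
            raise RuntimeError("cannot determine default firewalld zone")
        self.zone = out
        return self.zone

    def allow_ports(self):  # step [2/2]: allowing ports
        for port in self.ports:
            rc, _ = self.run(["firewall-cmd", "--permanent",
                              "--zone=" + self.zone, "--add-port=" + port])
            if rc != 0:
                raise RuntimeError("failed to open " + port)
        rc, _ = self.run(["firewall-cmd", "--reload"])
        return rc == 0

    def configure(self):  # True: ports opened; False: firewalld absent (skip, do not error out)
        if not self.is_available():
            self.skipped = True
            return False
        self.lookup_zone()
        return self.allow_ports()

    def summary(self):  # one line for the install summary at the end
        if self.skipped:
            return "WARNING: firewall NOT configured; open ports: " + ", ".join(self.ports)
        return "Firewall zone %s opened for: %s" % (self.zone, ", ".join(self.ports))
```

The installer would print `summary()` both in-line after the step and again in the final summary, as Rob suggests, so a skipped firewall is not missed.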