[Freeipa-devel] Ipa-server-install Firewall Support

Martin Kosek mkosek at redhat.com
Wed Apr 16 12:39:43 UTC 2014

On 04/16/2014 09:56 AM, Justin Brown wrote:
> L: This is interesting, and I have a couple of questions on how this
> should work.
> 1) Is there an actual use-case when a tool actually would want to
> check status of a port without correcting it? It seems to me that any
> sort of is_port_open() call that returned False would be immediately
> followed by open_port(). If that's the case, then why not just roll
> them into one operation? There won't be any firewall reload if no
> modifications take place, so there's no cost to combining them. We
> could also find a middle ground where there's only one method with a
> default parameter open_port(..., auto_add=True).

I can imagine situations where we would want to see if a port is open in the
firewall and then ask the user whether they want to automatically open it. In such
cases, 2 separate calls would indeed be helpful.

> 2) Will these tools be executed as root? To query NM and FirewallD, I
> have to connect to the system bus, which by default, won't allow
> access from other users without additional authorization. If
> non-privileged users need to query the firewall configuration, I'll
> need to look at the DBus policy more closely.

In situations where we are about to manipulate ports, I think it is safe to
assume we are operating under the root account. I think you can keep this
assumption in your current code and not deal with additional authorization
at this point.

We can think about this case when we need it.

> 3) Could you point me at a similar tool that has this check and modify
> behavior?

There are many situations in FreeIPA interactive wizards where we have a pattern

    do_action = check_something()
    if do_action:
        perform_action()

For example, ipa-adtrust-install checks whether there are any users without a SID
assigned and, if there are, it offers to run a task to add them.
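As an added illustration (not code from this thread or from FreeIPA), the two-call design discussed above, modelled against a constructed in-memory stand-in for a firewall zone; the names FirewallBackend, is_port_open, open_port, ensure_port_open and the prompt callback are assumptions, and a real tool would query FirewallD over the system D-Bus instead.

```python
"""Added example (not FreeIPA code): check-then-open with separate calls.
FirewallBackend is a constructed in-memory stand-in for a FirewallD zone."""
from typing import Callable, Set, Tuple


class FirewallBackend:
    """Set of 'port/proto' entries plus a reload counter, so the cost of
    a change (a firewall reload) is visible."""

    def __init__(self, open_ports: Set[str]):
        self._ports = set(open_ports)
        self.reloads = 0

    def is_port_open(self, port: int, proto: str = "tcp") -> bool:
        # Pure query with no side effects: safe to call before prompting.
        return f"{port}/{proto}" in self._ports

    def open_port(self, port: int, proto: str = "tcp") -> bool:
        """Add the rule if missing. Returns True only when a modification
        (and therefore a reload) was actually needed."""
        key = f"{port}/{proto}"
        if key in self._ports:
            return False            # already open: no reload, no cost
        self._ports.add(key)
        self.reloads += 1           # one reload per real modification
        return True


def ensure_port_open(fw: FirewallBackend, port: int, proto: str,
                     ask: Callable[[str], bool],
                     auto_add: bool = False) -> Tuple[bool, bool]:
    """Wizard-style helper: check first, then either open silently
    (auto_add=True) or ask the user. Returns (open_now, change_made)."""
    if fw.is_port_open(port, proto):
        return True, False
    question = f"Port {port}/{proto} is closed in the firewall. Open it?"
    if auto_add or ask(question):
        return True, fw.open_port(port, proto)
    return False, False


if __name__ == "__main__":
    fw = FirewallBackend({"80/tcp", "443/tcp"})  # constructed initial state
    yes = lambda q: True
    print(ensure_port_open(fw, 443, "tcp", yes))          # (True, False)
    print(ensure_port_open(fw, 389, "tcp", yes))          # (True, True)
    print(ensure_port_open(fw, 88, "udp", lambda q: False))  # (False, False)
    print(fw.reloads)                                     # 1
```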

