[Freeipa-devel] Ipa-server-install Firewall Support
Dmitri Pal
dpal at redhat.com
Mon Apr 7 23:51:25 UTC 2014
On 04/07/2014 09:00 AM, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Fri, 2014-04-04 at 09:59 +0200, Petr Spacek wrote:
>>> On 4.4.2014 09:17, Martin Kosek wrote:
>>>> On 04/04/2014 09:04 AM, Justin Brown wrote:
>>>>>> I would actually do it the opposite way and open the ports after
>>>>>> the FreeIPA server is fully configured. After all, I do not think
>>>>>> we want to open the ports when the server is just half-configured
>>>>>> and for example some ACIs are missing.
>>>>>
>>>>> My thinking was that nothing would be listening on these ports if the
>>>>> install doesn't succeed, but there's really no necessity to modify the
>>>>> firewall configuration early. (All of the internal install
>>>>> communication will be over a local interface (to netfilter) and
>>>>> unblocked anyway.) I don't have any problem in delaying firewall
>>>>> configuration to the end of install.
>>>>
>>>> If ipa-server-install does succeed without configuring the firewalld,
>>>> then we will indeed have no other option than to do it early.
>>>>
>>>> I am thinking that we may want to put all the firewalld configuration in
>>>> ipaserver/install/firewalldinstance.py, and then make the firewalld
>>>> configuration the actual step of the installation. Something like:
>>>>
>>>> ...
>>>> Configuring Firewall (firewalld)
>>>> [1/2]: looking up the right zone
>>>> [2/2]: allowing ports
>>>> Done configuring Firewall (firewalld).
>>>> ...
>>>>
>>>> The Service class derived object can be really simple, we would just
>>>> reuse the functionality it already has + let us properly hook into it in
>>>> ipa-{server,replica}-install and the uninstallation.
>>>>
>>>> It would also make it easier to split this functionality to
>>>> freeipa-server-firewalld if we chose to in the future.
>>>
>>> In general I agree with the idea, thank you Justin for working on that!
>>>
>>> I would like to emphasize the necessity to work without NetworkManager
>>> and FirewallD. New dependencies make Debian folks unhappy ...
>>>
>>> On the other hand, it is perfectly fine to skip firewall configuration if
>>> NM/FirewallD/DBus is not available.
>>>
>>> Have a nice day!
>>
>> Should be easy, probe for the dbus firewalld service and just skip (not
>> error out) if it is not there.
>> Set a variable in that case that will cause the installer to throw the
>> classic banner we have now which warns you about what ports need to be
>> opened at the end of the install.
>
> Probably just need to spit out a large, preferably flashing warning
> that the firewall has not been automatically configured. Perhaps even
> multiple times: one in-line and one at the install summary at the end.
>
> rob
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
Thanks for looking into this!
Would it be possible to summarize this thread in a design page on the wiki?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
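The behaviour the thread converges on (configure the firewall as the last install step, probe for firewalld and skip rather than fail when it is absent, and defer a warning banner to the install summary) can be sketched as follows. This is an added illustration, not FreeIPA code; the class name FirewallStep, the probe_firewalld helper, the run_install driver and the port list are all assumptions made for the example, and the real installer prints its own list of required ports.

```python
"""Added example (not FreeIPA code): a last-step firewall configurator that
probes for firewalld, opens ports only when the probe succeeds, and otherwise
records that the firewall was skipped so the install summary can warn about it.
All names here are assumptions for illustration."""
import shutil
import subprocess

# Constructed sample of service ports for the banner; the real installer
# maintains its own list.
REQUIRED_PORTS = {
    "http": [(80, "tcp"), (443, "tcp")],
    "ldap": [(389, "tcp"), (636, "tcp")],
    "kerberos": [(88, "tcp"), (88, "udp"), (464, "tcp"), (464, "udp")],
}


def probe_firewalld():
    """Hypothetical probe: True only if firewalld is installed and answering.

    `firewall-cmd --state` exits 0 only when the daemon responds over D-Bus;
    a missing binary, a stopped daemon, or a timeout all mean 'skip'."""
    if shutil.which("firewall-cmd") is None:
        return False
    try:
        result = subprocess.run(["firewall-cmd", "--state"],
                                capture_output=True, timeout=5)
        return result.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


class FirewallStep:
    """Final install step: open the required ports, or record that this was
    skipped (never error out) and defer the warning to the summary."""

    def __init__(self, probe=probe_firewalld, open_port=None):
        self.probe = probe                      # injectable for testing
        self.open_port = open_port or self._firewall_cmd_open
        self.skipped = False
        self.opened = []

    @staticmethod
    def _firewall_cmd_open(port, proto):
        # Permanent rule in the default zone; a real installer would also
        # look up the zone of the server's interface (thread step [1/2]).
        subprocess.run(["firewall-cmd", "--permanent",
                        f"--add-port={port}/{proto}"], check=True)

    def run(self):
        if not self.probe():
            self.skipped = True                 # skip, do not fail the install
            return False
        for ports in REQUIRED_PORTS.values():
            for port, proto in ports:
                self.open_port(port, proto)
                self.opened.append((port, proto))
        return True

    def summary_banner(self):
        """Text for the end-of-install summary; empty when nothing was skipped."""
        if not self.skipped:
            return ""
        lines = [
            "WARNING: firewalld was not found; the firewall was NOT configured.",
            "Open these ports manually before clients can reach this server:",
        ]
        for service, ports in REQUIRED_PORTS.items():
            lines.append(f"  {service}: " +
                         ", ".join(f"{p}/{t}" for p, t in ports))
        return "\n".join(lines)


def run_install(steps, firewall_step):
    """Run every configuration step first and the firewall step last, so
    ports are opened only once the server is fully configured. Returns the
    banner text the install summary should print (empty if none)."""
    for step in steps:
        step()
    firewall_step.run()
    return firewall_step.summary_banner()


if __name__ == "__main__":
    banner = run_install([], FirewallStep())
    print(banner or "Firewall configured via firewalld.")
```

Injecting the probe and the port-opening callable keeps the skip-versus-configure decision testable without a running firewalld, which is also what lets an installer behave identically on hosts without NetworkManager, FirewallD or D-Bus.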