[Freeipa-devel] Ipa-server-install Firewall Support

James purpleidea at gmail.com
Tue Apr 8 15:51:07 UTC 2014


Not sure where to jump in but I had one comment:

Puppet-IPA [1] + Shorewall make a lovely pair :)

Cheers,
James


[1] https://github.com/purpleidea/puppet-ipa

On Mon, Apr 7, 2014 at 7:51 PM, Dmitri Pal <dpal at redhat.com> wrote:
> On 04/07/2014 09:00 AM, Rob Crittenden wrote:
>>
>> Simo Sorce wrote:
>>>
>>> On Fri, 2014-04-04 at 09:59 +0200, Petr Spacek wrote:
>>>>
>>>> On 4.4.2014 09:17, Martin Kosek wrote:
>>>>>
>>>>> On 04/04/2014 09:04 AM, Justin Brown wrote:
>>>>>>>
>>>>>>> I would actually do it the opposite way and open the ports after the
>>>>>>> FreeIPA server is fully configured. After all, I do not think we want to
>>>>>>> open the ports when the server is just half-configured and for example some
>>>>>>> ACIs are missing.
>>>>>>
>>>>>>
>>>>>> My thinking was that nothing would be listening on these ports if the
>>>>>> install doesn't succeed, but there's really necessity to modify the
>>>>>> firewall configuration early. (All of the internal install
>>>>>> communication will be over a local interface (to netfilter) and
>>>>>> unblock anyways.) I don't have any problem in delaying firewall
>>>>>> configuration to the end of install.
>>>>>
>>>>>
>>>>> If ipa-server-install does succeed without configuring the firewalld,
>>>>> then we
>>>>> will indeed have no other option than to do it early.
>>>>>
>>>>> I am thinking that we may want to put all the firewalld configuration
>>>>> in
>>>>> ipaserver/install/firewalldinstance.py,
>>>>> and then make the firewalld configuration the actual step of the
>>>>> installation.
>>>>> Something like:
>>>>>
>>>>> ...
>>>>> Configuring Firewall (firewalld)
>>>>>     [1/2]: looking up the right zone
>>>>>     [2/2]: allowing ports
>>>>> Done configuring Firewall (firewalld).
>>>>> ...
>>>>>
>>>>> The Service class derived object can be really simple, we would just
>>>>> reuse the
>>>>> functionality it already has + let us properly hook into it in
>>>>> ipa-{server,replica}-install and the uninstallation.
>>>>>
>>>>> It would also make it easier to split this functionality to
>>>>> freeipa-server-firewalld if we chose to in the future.
>>>>
>>>>
>>>> In general I agree with the idea, thank you Justin for working on that!
>>>>
>>>> I would like to emphasize the necessity to work without NetworkManager
>>>> and
>>>> FirewallD. New dependencies make Debian folks unhappy ...
>>>>
>>>> On the other hand, it is perfectly fine to skip firewall configuration
>>>> if
>>>> NM/FirewallD/DBus is not available.
>>>>
>>>> Have a nice day!
>>>
>>>
>>> Should be easy, probe for the dbus firewalld service and just skip (not
>>> error out) if it is not there.
>>> Set a variable in that case that will cause the installer to throw the
>>> classic banner we have now which warns you about what ports need to be
>>> opened at the end of the install.
>>
>>
>> Probably just need to spit out a large, preferably flashing warning that
>> the firewall has not been automatically configured. Perhaps even multiple
>> times: one in-line and one at the install summary at the end.
>>
>> rob
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>
> Thanks for looking into this!
>
> Would it be possible to summarize this thread in a design page on the wiki?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
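The design sketched in the quoted thread (probe for firewalld, configure the ports as the last install step if it is there, and otherwise skip without erroring while carrying a warning banner into the install summary) as a stand-alone example. This is added illustration, not FreeIPA's `firewalldinstance.py` or any code from the thread's authors. It assumes the real `firewall-cmd` flags `--state`, `--get-default-zone`, `--permanent --zone=... --add-port=...` and `--reload`, and it assumes the usual FreeIPA port set (HTTP/HTTPS, LDAP/LDAPS, Kerberos, kpasswd, NTP, optionally DNS), which the thread itself does not list. The command runner is injectable so the skip-and-warn path can be exercised on a host with no firewall at all.

```python
"""Added example (not FreeIPA code): configure firewalld at the end of an
install when it is reachable; otherwise skip without failing and carry a
banner listing the ports the administrator must open by hand.

Assumptions: firewall-cmd flags --state, --get-default-zone,
--permanent --zone=... --add-port=... and --reload (real firewalld flags);
the port list below is the usual FreeIPA set, assumed here rather than
taken from the thread; `runner` is injected so the logic runs offline.
"""
import subprocess

# Assumed FreeIPA service ports as (proto, port): HTTP/HTTPS, LDAP/LDAPS,
# Kerberos, kpasswd, NTP. DNS ports are only needed with the DNS role.
IPA_PORTS = [
    ("tcp", 80), ("tcp", 443),
    ("tcp", 389), ("tcp", 636),
    ("tcp", 88), ("udp", 88),
    ("tcp", 464), ("udp", 464),
    ("udp", 123),
]
DNS_PORTS = [("tcp", 53), ("udp", 53)]


def run_cmd(argv):
    """Default runner: execute argv and return (returncode, stdout).
    Raises FileNotFoundError when the binary is not installed."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout.strip()


def firewalld_available(runner=run_cmd):
    """Probe step: True only if firewall-cmd exists and reports 'running'.
    A missing binary or a stopped daemon means 'skip', never 'error'."""
    try:
        rc, out = runner(["firewall-cmd", "--state"])
    except (FileNotFoundError, OSError):
        return False
    return rc == 0 and out == "running"


def plan_firewalld_commands(zone, ports):
    """Pure planning step: the firewall-cmd invocations that make the ports
    permanent in the chosen zone, followed by a reload. Returned rather
    than executed so the plan can be displayed or tested."""
    cmds = [["firewall-cmd", "--permanent", "--zone=%s" % zone,
             "--add-port=%d/%s" % (port, proto)] for proto, port in ports]
    cmds.append(["firewall-cmd", "--reload"])
    return cmds


def manual_banner(ports):
    """Warning text used when the firewall was NOT configured; meant to be
    printed in-line and repeated in the install summary."""
    lines = ["WARNING: the firewall was not configured automatically.",
             "Open these ports on this host before clients can enrol:"]
    lines += ["  %d/%s" % (port, proto) for proto, port in ports]
    return "\n".join(lines)


def configure_firewall(with_dns=False, runner=run_cmd):
    """Final install step: [1/2] look up the zone, [2/2] allow the ports.
    Returns a dict with configured (bool), zone, the commands that ran,
    and banner (None when firewalld handled the ports)."""
    ports = IPA_PORTS + (DNS_PORTS if with_dns else [])
    result = {"configured": False, "zone": None, "commands": [], "banner": None}
    if not firewalld_available(runner):
        result["banner"] = manual_banner(ports)   # skip, do not error out
        return result
    rc, zone = runner(["firewall-cmd", "--get-default-zone"])
    if rc != 0 or not zone:
        result["banner"] = manual_banner(ports)
        return result
    result["zone"] = zone
    for cmd in plan_firewalld_commands(zone, ports):
        rc, _ = runner(cmd)
        result["commands"].append(cmd)
        if rc != 0:                               # partial failure: warn too
            result["banner"] = manual_banner(ports)
            return result
    result["configured"] = True
    return result


if __name__ == "__main__":
    res = configure_firewall()
    print(res["banner"] or "firewalld zone %s configured" % res["zone"])
```

Running the module on a host without firewalld prints only the banner, which is the behaviour the thread asks for on Debian-style systems; keeping the port plan in a pure function means the same list feeds both the firewalld commands and the manual warning, so the two can never drift apart.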
