[Freeipa-devel] Ipa-server-install Firewall Support

Rob Crittenden rcritten at redhat.com
Tue Apr 8 18:42:02 UTC 2014


Justin Brown wrote:
> Dmitri,
>
> I'd be more than happy to, but I'm having trouble figuring out where
> it should go. Could you send me a link to a similar design page?
>

I'd put it under here: http://www.freeipa.org/page/V4_Proposals

There is a template at http://www.freeipa.org/page/Feature_template

So maybe something like http://www.freeipa.org/page/V4/Firewalld

rob

> Thanks,
> Justin
>
> On Mon, Apr 7, 2014 at 6:51 PM, Dmitri Pal <dpal at redhat.com> wrote:
>> On 04/07/2014 09:00 AM, Rob Crittenden wrote:
>>>
>>> Simo Sorce wrote:
>>>>
>>>> On Fri, 2014-04-04 at 09:59 +0200, Petr Spacek wrote:
>>>>>
>>>>> On 4.4.2014 09:17, Martin Kosek wrote:
>>>>>>
>>>>>> On 04/04/2014 09:04 AM, Justin Brown wrote:
>>>>>>>>
>>>>>>>> I would actually do it the opposite way and open the ports after the
>>>>>>>> FreeIPA server is fully configured. After all, I do not think we want to
>>>>>>>> open the ports when the server is just half-configured and for example some
>>>>>>>> ACIs are missing.
>>>>>>>
>>>>>>>
>>>>>>> My thinking was that nothing would be listening on these ports if the
>>>>>>> install doesn't succeed, but there's really necessity to modify the
>>>>>>> firewall configuration early. (All of the internal install
>>>>>>> communication will be over a local interface (to netfilter) and
>>>>>>> unblock anyways. I don't have any problem in delaying firewall
>>>>>>> configuration to the end of install.
>>>>>>
>>>>>>
>>>>>> If ipa-server-install does succeed without configuring the firewalld,
>>>>>> then we will indeed have no other option than to do it early.
>>>>>>
>>>>>> I am thinking that we may want to put all the firewalld configuration
>>>>>> in ipaserver/install/firewalldinstance.py, and then make the firewalld
>>>>>> configuration the actual step of the installation.
>>>>>> Something like:
>>>>>>
>>>>>> ...
>>>>>> Configuring Firewall (firewalld)
>>>>>>      [1/2]: looking up the right zone
>>>>>>      [2/2]: allowing ports
>>>>>> Done configuring Firewall (firewalld).
>>>>>> ...
>>>>>>
>>>>>> The Service class derived object can be really simple, we would just
>>>>>> reuse the functionality it already has + let us properly hook into it in
>>>>>> ipa-{server,replica}-install and the uninstallation.
>>>>>>
>>>>>> It would also make it easier to split this functionality to
>>>>>> freeipa-server-firewalld if we chose to in a future.
>>>>>
>>>>>
>>>>> In general I agree with the idea, thank you Justin for working on that!
>>>>>
>>>>> I would like to emphasize the necessity to work without NetworkManager
>>>>> and FirewallD. New dependencies make Debian folks unhappy ...
>>>>>
>>>>> On the other hand, it is perfectly fine to skip firewall configuration
>>>>> if NM/FirewallD/DBus is not available.
>>>>>
>>>>> Have a nice day!
>>>>
>>>>
>>>> Should be easy, probe for the dbus firewalld service and just skip (not
>>>> error out) if it is not there.
>>>> Set a variable in that case that will cause the installer to throw the
>>>> classic banner we have now which warns you about what ports need to be
>>>> opened at the end of the install.
>>>
>>>
>>> Probably just need to spit out a large, preferably flashing warning that
>>> the firewall has not been automatically configured. Perhaps even multiple
>>> times: one in-line and one at the install summary at the end.
>>>
>>> rob
>>>
>>> _______________________________________________
>>> Freeipa-devel mailing list
>>> Freeipa-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>>
>> Thanks for looking into this!
>>
>> Would it be possible to summarize this thread in a design page on the wiki?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>
>
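The skip-or-configure behaviour Simo and Rob describe above, laid out as the installer step Martin sketches, as added example code that is not from this thread or from FreeIPA: it probes firewalld over its D-Bus API, opens ports in the default zone when the service is present, and otherwise returns a warning banner plus a flag so the installer can repeat the banner in its end-of-install summary. The bus name, object path and interface names are firewalld's public D-Bus API; the port list is a constructed sample.

```python
FIREWALLD_BUS = "org.fedoraproject.FirewallD1"   # firewalld's public D-Bus name
FIREWALLD_PATH = "/org/fedoraproject/FirewallD1"
# Constructed sample of the (port, protocol) pairs an installer would open.
SAMPLE_PORTS = [("80", "tcp"), ("443", "tcp"), ("389", "tcp"), ("636", "tcp"),
                ("88", "tcp"), ("464", "tcp"), ("88", "udp"), ("464", "udp")]


class DBusFirewalld(object):
    """Thin adapter over firewalld's D-Bus API (runtime rules in one zone)."""

    def __init__(self, dbus_mod, proxy):
        self._core = dbus_mod.Interface(proxy, FIREWALLD_BUS)
        self._zone = dbus_mod.Interface(proxy, FIREWALLD_BUS + ".zone")

    def default_zone(self):
        return str(self._core.getDefaultZone())

    def add_port(self, zone, port, proto):
        self._zone.addPort(zone, port, proto, 0)  # timeout 0: rule does not expire


def probe_firewalld():
    """Return a firewalld backend, or None if python-dbus, the system bus or the
    firewalld service is missing.  Absence is a skip, never an installer error."""
    try:
        import dbus  # optional dependency: installs without D-Bus/firewalld still work
        proxy = dbus.SystemBus().get_object(FIREWALLD_BUS, FIREWALLD_PATH)
        return DBusFirewalld(dbus, proxy)
    except Exception:
        return None


def configure_firewall(ports, backend):
    """Run the firewall step.  Returns (configured, lines); a False flag lets the
    installer repeat the warning banner in its end-of-install summary."""
    if backend is None:
        lines = ["WARNING: firewalld not available, the firewall was NOT configured.",
                 "Open these ports manually before using the server:"]
        lines += ["  %s/%s" % (port, proto) for port, proto in ports]
        return False, lines
    lines = ["Configuring Firewall (firewalld)", "  [1/2]: looking up the right zone"]
    zone = backend.default_zone()
    lines.append("  [2/2]: allowing ports")
    for port, proto in ports:
        backend.add_port(zone, port, proto)
    lines.append("Done configuring Firewall (firewalld) in zone '%s'." % zone)
    return True, lines


if __name__ == "__main__":
    configured, output = configure_firewall(SAMPLE_PORTS, probe_firewalld())
    print("\n".join(output))
```

Rules added this way are runtime only; a real installer would also write them through firewalld's `.config` interface so they survive a reload.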