[Ovirt-devel] [PATCH recipe] Enable firewall on appliance so nat forwarding works

Perry Myers pmyers at redhat.com
Wed Sep 24 07:29:06 UTC 2008


Firewall was disabled preventing guests from accessing
outside networks.  Enabling the firewall fixes this since the
NAT rule is already defined, but then we need to customize the
firewall to open up the services we want to expose.

Also, since NFS uses portmap, we pin the NFS services to
well-known ports.

Signed-off-by: Perry Myers <pmyers at redhat.com>
---
 appliances/ovirt/ovirt.pp.in |   72 +++++++++++++++++++++++++++++++++++-------
 1 files changed, 60 insertions(+), 12 deletions(-)

diff --git a/appliances/ovirt/ovirt.pp.in b/appliances/ovirt/ovirt.pp.in
index ae22319..1ee8b48 100644
--- a/appliances/ovirt/ovirt.pp.in
+++ b/appliances/ovirt/ovirt.pp.in
@@ -43,18 +43,38 @@ appliance_base::setup{$appliance_name: hostname => "management.priv.ovirt.org"}
 banners::terminal{$appliance_name: template_file => "ovirt/terminal.erb"}
 banners::login{$appliance_name:}
 postgres::setup{$appliance_name:}
-firewall::setup{$appliance_name: status => "disabled"}
+firewall::setup{$appliance_name: status => "enabled"}
 
-$changes = [
+$net_changes = [
     "set /files/etc/sysconfig/network-scripts/ifcfg-eth0/PEERDNS no",
     "set /files/etc/sysconfig/network-scripts/ifcfg-eth1/DNS1 192.168.50.2"
 ]
 
 augeas {"network_scripts":
-    changes => $changes,
+    changes => $net_changes,
     notify => Service["network"]
 }
 
+$nfs_changes = [
+    "set /files/etc/sysconfig/nfs/MOUNTD_PORT 892"
+]
+
+augeas {"nfs_config":
+    changes => $nfs_changes,
+    notify => Service["nfs"]
+}
+
+$nfslock_changes = [
+    "set /files/etc/sysconfig/nfs/LOCKD_TCPPORT 32803",
+    "set /files/etc/sysconfig/nfs/LOCKD_UDPPORT 32769",
+    "set /files/etc/sysconfig/nfs/STATD_PORT 662"
+]
+
+augeas {"nfslock_config":
+    changes => $nfslock_changes,
+    notify => Service["nfslock"]
+}
+
 file {"/etc/yum.repos.d/ovirt.repo":
     source => "puppet:///ovirt/ovirt.repo"
 }
@@ -78,12 +98,29 @@ firewall_rule {"ovirt_nat":
     action => "MASQUERADE"
 }
 
-firewall_rule {"ssh":
-    table => "filter",
-    chain => "INPUT",
-    destination_port => '22',
-    action => "ACCEPT"
-}
+firewall_rule {"ssh": destination_port => '22'}
+firewall_rule {"http": destination_port => '80'}
+firewall_rule {"https": destination_port => '443'}
+firewall_rule {"ldap": destination_port => '389'}
+firewall_rule {"named": destination_port => '53'}
+firewall_rule {"named-udp": destination_port => '53', protocol => 'udp'}
+firewall_rule {"tgtd": destination_port => '3260'}
+firewall_rule {"nfsd": destination_port => '2049'}
+firewall_rule {"rpcbind": destination_port => '111'}
+firewall_rule {"rpcbind-udp": destination_port => '111', protocol => 'udp'}
+firewall_rule {"host-browser": destination_port => '12120'}
+firewall_rule {"rpc.mountd": destination_port => '892'}
+firewall_rule {"rpc.mountd-udp": destination_port => '892', protocol => 'udp'}
+firewall_rule {"rpc.statd": destination_port => '662'}
+firewall_rule {"rpc.statd-udp": destination_port => '662', protocol => 'udp'}
+firewall_rule {"ntpd": destination_port => '123', protocol => 'udp'}
+firewall_rule {"tftpd": destination_port => '69', protocol => 'udp'}
+firewall_rule {"dhcpd": destination_port => '68', protocol => 'udp'}
+firewall_rule {"bootp": destination_port => '67', protocol => 'udp'}
+firewall_rule {"collectd": destination_port => '25826', protocol => 'udp'}
+firewall_rule {"krb5kdc": destination_port => '88', protocol => 'udp'}
+firewall_rule {"cobblerd": destination_port => "25150"}
+firewall_rule {"cobblerd-mgmt": destination_port => "25151"}
 
 file_replacement{"nat_forwarding" :
     file => "/etc/sysctl.conf",
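Review bot: The lockd ports pinned in the first hunk (32803/tcp and 32769/udp) have no matching `firewall_rule` in this list, so NFS locking from guests will still be blocked even though mountd, statd and rpcbind are opened; add `firewall_rule {"lockd": destination_port => '32803'}` and `firewall_rule {"lockd-udp": destination_port => '32769', protocol => 'udp'}`. The rule named `dhcpd` opens 68/udp, which is the DHCP client port, while the server port 67/udp is opened under the name `bootp`; if the appliance only serves DHCP, the 68 rule can be dropped, otherwise the names should say which end each rule is for. The rewritten `ssh` rule drops the explicit `table`/`chain`, so every row here now relies on `firewall_rule` defaults that are not visible in this patch — presumably filter/INPUT, worth confirming against the define.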
@@ -103,6 +140,18 @@ service {"ovirt-server-appliance":
     require => [File["/etc/init.d/ovirt-server-appliance"], Service["network"], Service["httpd"]]
 }
 
+service {"nfs":
+    ensure => "running",
+    enable => true,
+    require => [Service["network"], Service[nfslock]]
+}
+
+service {"nfslock":
+    ensure => "running",
+    enable => true,
+    require => [Service["network"]]
+}
+
 file {"/usr/sbin/ovirt-server-appliance-setup":
     content => template("ovirt-server-appliance-setup.erb"),
     mode => 755
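Review bot: `Service[nfslock]` in the `nfs` require list is the only unquoted resource title in these hunks; the neighbouring references use `Service["network"]`, so write `require => [Service["network"], Service["nfslock"]]` for consistency. Ordering of these services after the augeas port pinning in the first hunk rests solely on that hunk's `notify`, which in Puppet does imply before/after, so it holds as long as the notify is not later replaced by a plain `subscribe` on the service side.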
@@ -110,7 +159,8 @@ file {"/usr/sbin/ovirt-server-appliance-setup":
 
 single_exec {"ovirt_appliance_installation":
     command => "/usr/sbin/ovirt-server-appliance-setup >> /var/log/ovirt-server-appliance-setup.log",
-    require => [File["/usr/sbin/ovirt-server-appliance-setup"], Service["ovirt-server-appliance"], Firewall_rule ["ovirt_nat"], Firewall_rule["ssh"], Exec["reload-firewall"]]
+    require => [File["/usr/sbin/ovirt-server-appliance-setup"], Service["ovirt-server-appliance"],
+                Exec["reload-firewall"]]
 }
 
 single_exec {"ovirt_installation":
@@ -121,8 +171,6 @@ single_exec {"ovirt_installation":
 #
 # Cobbler Configuration
 #
-firewall_rule{"25150": destination_port => "25150"}
-firewall_rule{"25151": destination_port => "25151"}
 
 # Set the password to be ovirt/ovirt
 file_append{"ovirt_cobbler_user":
-- 
1.5.5.1



