<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <br>
    <br>
    <div class="moz-cite-prefix">On 09/04/2015 05:20 PM, Christopher
      Blum wrote:<br>
    </div>
    <blockquote
cite="mid:CAGFr3v2p0PrBwocZDDDcwaCLREaGHBHD2zm2s=7=CavA=eYAHA@mail.gmail.com"
      type="cite">
      <div dir="ltr">Where do you add the services to the zone? I
        couldn't find that in your code...</div>
    </blockquote>
        By default it is not attached to any zone; the admin has to enable
    the glusterfs-static service in his/her active zone after installation. 
    <br>
    <blockquote
cite="mid:CAGFr3v2p0PrBwocZDDDcwaCLREaGHBHD2zm2s=7=CavA=eYAHA@mail.gmail.com"
      type="cite">
      <div class="gmail_extra"><br clear="all">
        <div>
          <div class="gmail_signature">
            <div dir="ltr">
              <div>
                <div dir="ltr">
                  <div dir="ltr">
                    <div dir="ltr">
                      <div dir="ltr">
                        <div dir="ltr">
                          <div style="font-size:small"><span
                              style="font-size:12.8000001907349px">Christopher
                              Blum</span><br>
                          </div>
                          <div style="font-size:small">Associate Storage
                            Consultant</div>
                          <div style="font-size:small">Global Storage
                            Consulting, Red Hat</div>
                          <div style="font-size:small"><br>
                          </div>
                          <div style="font-size:small"><a
                              moz-do-not-send="true"
                              href="tel:%2B49%20711%2096%2043%207009"
                              value="+4971196437009"
                              style="color:rgb(17,85,204);font-size:12.8000001907349px"
                              target="_blank">+49 711 96 43 7009</a></div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
        <br>
        <div class="gmail_quote">On Fri, Sep 4, 2015 at 5:37 AM, Anand
          Nekkunti <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:anekkunt@redhat.com" target="_blank">anekkunt@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF"> see comments below
              <div>
                <div class="h5"><br>
                  <br>
                  <div>On 09/01/2015 02:47 PM, Anand Nekkunti wrote:<br>
                  </div>
                  <blockquote type="cite"> Hi All<br>
                    From the firewalld doc and my experiments, I understood
                    that we don't have any option to add/remove a port
                    to/from a service runtime/permanent (this can double
                    for zone). The only way is modifying the service xml
                    file, but it requires a firewall reload (which causes
                    the loss of runtime settings).<br>
                    Is there any way to reload the firewall
                    without losing runtime settings, or is there any
                    way to reload a particular service?<br>
                    <br>
                    Regards<br>
                    Anand.N<br>
                    <br>
                    <div>On 09/01/2015 12:49 PM, Christopher Blum wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">There is a function in the d-bus
                        interface:
                        <div>
                          <p>getZoneOfInterface(s: interface) → s</p>
                        </div>
                        <div>that will return the current zone of the
                          interface and you can then add ports to that
                          interface.</div>
                        <div>As far as I see it, the hooks get only
                          executed when I start the volume, right? So
                          when I created and started the volume, but
                          then change the zone of the interface, we need
                          to detect that (I guess it would be enough to
                          handle that on reboot) and move the
                          ports/services to the new zone.</div>
                        <div><br>
                        </div>
                        <div>Regarding Org.fedoraproject.firewalld1.config.service
                          - I think that would need additional tests if
                          that is really only for the persistent config,
                          or if the changes are also applied in the
                          running config.</div>
                      </div>
                      <div class="gmail_extra"><br clear="all">
                        <br>
                        <div class="gmail_quote">On Tue, Sep 1, 2015 at
                          8:58 AM, Kaushal M <span dir="ltr">&lt;<a
                              moz-do-not-send="true"
                              href="mailto:kshlmster@gmail.com"
                              target="_blank">kshlmster@gmail.com</a>&gt;</span>
                          wrote:<br>
                          <blockquote class="gmail_quote"
                            style="margin:0 0 0 .8ex;border-left:1px
                            #ccc solid;padding-left:1ex">
                            <div>
                              <div>On Mon, Aug 31, 2015 at 5:15 PM,
                                Kaushal M &lt;<a moz-do-not-send="true"
                                  href="mailto:kshlmster@gmail.com"
                                  target="_blank">kshlmster@gmail.com</a>&gt;




                                wrote:<br>
                                &gt; Hi all,<br>
                                &gt;<br>
                                &gt; I wanted to know if there is any
                                existing information on how to manage<br>
                                &gt; dynamically changing services using
                                firewalld. If there are none<br>
                                &gt; existing, could you please let us
                                know if the approach we're following<br>
                                &gt; below is correct.<br>
                                &gt;<br>
                                &gt; We want to provide firewalld
                                service configuration for GlusterFS. One<br>
                                &gt; of the properties of GlusterFS is
                                that it has a set of fixed ports,<br>
                                &gt; and a set of dynamic ports, which
                                need to be opened.<br>
                                &gt;<br>
                                &gt; We propose to ship 2 firewalld
                                services with GlusterFS.<br>
                                &gt; - glusterfs-static - This contains
                                the list of static ports that<br>
                                &gt; should be opened up. This is placed
                                in /usr/lib/firewalld/services<br>
                                &gt; - glusterfs-dynamic - This will
                                contain the list of dynamic ports.<br>
                                &gt; This will be shipped empty, and be
                                placed in /etc/firewalld/services .<br>
                                &gt; The ports in this service will be
                                kept updated by a couple of scripts,<br>
                                &gt; which hook into the glusterfs
                                start/stop events.<br>
                                &gt;<br>
                                &gt; The scripts add or remove ports
                                from the glusterfs-dynamic.xml file,<br>
                                &gt; and call `firewall-cmd --reload` to
                                have firewalld reload<br>
                                &gt; configuration. We do it this way,
                                instead of using a dbus call because<br>
                                &gt; we want the configuration to be
                                persisted, and also applied live.<br>
                                &gt;<br>
                                &gt; We've tested this, and this works.
                                But we'd like to validate this<br>
                                &gt; solution with you guys.<br>
                                &gt;<br>
                                &gt; Do you see any issues with our
                                approach? Is there anything we could do<br>
                                &gt; to improve the solution.<br>
                                &gt;<br>
                                &gt; For reference, the glusterfs bug
                                and proposed solution are available<br>
                                &gt; at [1] and [2].<br>
                                &gt;<br>
                                &gt; Thanks.<br>
                                &gt;<br>
                                &gt; Kaushal<br>
                                &gt;<br>
                                &gt; [1] <a moz-do-not-send="true"
                                  href="https://bugzilla.redhat.com/show_bug.cgi?id=1253967"
                                  rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1253967</a><br>
                                &gt; [2] <a moz-do-not-send="true"
                                  href="http://review.gluster.org/11989"
                                  rel="noreferrer" target="_blank">http://review.gluster.org/11989</a><br>
                                &gt;<br>
                                &gt; PS: Apologies if I should have
                                posted this to the users list instead.<br>
                                <br>
                              </div>
                            </div>
                            I've had a private conversation with
                            Christopher Blum (CCd), who<br>
                            identified a major flaw with our current
                            solution. Having firewalld<br>
                            reload will cause any runtime rules that
                            were set to be lost. This<br>
                            should be avoided at all costs.<br>
                            <br>
                            Chris suggested using firewalld dbus
                            commands [1] which could solve<br>
                            this. We have dbus commands to add/remove
                            ports from a service<br>
                            permanently. This is an alternative to
                            updating the service xml files.<br>
                            But we don't see a method to update a
                            service during runtime.<br>
                            <br>
                            There are dbus commands to add/remove ports
                            to zones during runtime.<br>
                            But this is not useful as we wouldn't know
                            which zone to apply it to.<br>
                            One of the reasons we chose to use services
                            was this.<br>
                            <br>
                            So now we have two questions,<br>
                            1. Is there a way to do a runtime
                            modification of a firewalld service<br>
                          </blockquote>
                        </div>
                      </div>
                    </blockquote>
                  </blockquote>
                </div>
              </div>
              It seems firewalld does not support runtime service
              updates, but we can add and remove ports<br>
              from a zone<span class=""><br>
                <blockquote type="cite">
                  <blockquote type="cite">
                    <div class="gmail_extra">
                      <div class="gmail_quote">
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex"> 2. If not, is there an
                          easy way to get active zones, which have our<br>
                          services enabled and add/remove ports from
                          them.<br>
                        </blockquote>
                      </div>
                    </div>
                  </blockquote>
                </blockquote>
              </span>We can get the services which are
              enabled in a zone using the command below:<br>
              firewall-cmd --zone=$zone --list-services<br>
              I have updated the hook script in my patch [1]; it
              identifies the zones which have gluster services enabled
              and adds/removes the port in those zone(s) so that we can
              avoid a firewall reload. I have tested this script with
              different test cases.<br>
                          [1].<a moz-do-not-send="true"
                href="http://review.gluster.org/#/c/11989/"
                target="_blank">http://review.gluster.org/#/c/11989/</a><span
                class=""><br>
                              <br>
                <br>
                <blockquote type="cite">
                  <blockquote type="cite">
                    <div class="gmail_extra">
                      <div class="gmail_quote">
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex"> <br>
                          Thanks.<br>
                          <br>
                          Kaushal<br>
                          <br>
                          [1] <a moz-do-not-send="true"
                            href="https://www.mankier.com/5/firewalld.dbus"
                            rel="noreferrer" target="_blank">https://www.mankier.com/5/firewalld.dbus</a><br>
                          [2] <a moz-do-not-send="true"
href="https://www.mankier.com/5/firewalld.dbus#Interfaces-Org.fedoraproject.firewalld1.config.service"
                            rel="noreferrer" target="_blank">https://www.mankier.com/5/firewalld.dbus#Interfaces-Org.fedoraproject.firewalld1.config.service</a><br>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                    <br>
                    <fieldset></fieldset>
                    <br>
                    <pre>_______________________________________________
Gluster-devel mailing list
<a moz-do-not-send="true" href="mailto:Gluster-devel@gluster.org" target="_blank">Gluster-devel@gluster.org</a>
<a moz-do-not-send="true" href="http://www.gluster.org/mailman/listinfo/gluster-devel" target="_blank">http://www.gluster.org/mailman/listinfo/gluster-devel</a>
</pre>
                  </blockquote>
                  <br>
                  <br>
                </blockquote>
                <br>
              </span></div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
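The approach discussed in this thread (find the zones that have the Gluster service enabled, then change the port in each zone's runtime and permanent configuration so that no firewall-cmd --reload is needed), shown as an added example; it is not the hook script from the patch under review. The function names and the FWCMD override are assumptions made for illustration; the firewall-cmd options used are standard ones.

```shell
#!/bin/sh
# Added example, not the hook script from the Gluster patch.
# FWCMD (assumed name) lets a test double stand in for firewall-cmd.
FWCMD=${FWCMD:-firewall-cmd}

# Print each zone whose runtime configuration has service $1 enabled.
zones_with_service() {
    svc=$1
    for zone in $($FWCMD --get-zones); do
        for s in $($FWCMD --zone="$zone" --list-services); do
            if [ "$s" = "$svc" ]; then
                echo "$zone"
                break
            fi
        done
    done
}

# update_brick_port add|remove PORT[-PORT]/tcp|udp [SERVICE]
# Applies the change to the runtime AND the permanent configuration of
# every matching zone, so it takes effect now, survives a restart, and
# never needs "firewall-cmd --reload" (which drops other runtime rules).
update_brick_port() {
    action=$1
    port=$2
    service=${3:-glusterfs-static}

    case $action in
        add|remove) ;;
        *) echo "action must be add or remove" >&2; return 2 ;;
    esac
    # Hooks run as root: accept nothing but a port or range plus protocol.
    # The case test rejects spaces, newlines and shell metacharacters.
    case $port in *[!0-9a-z/-]*) port="" ;; esac
    if ! printf '%s\n' "$port" | grep -Eq '^[0-9]{1,5}(-[0-9]{1,5})?/(tcp|udp)$'; then
        echo "invalid port spec" >&2
        return 2
    fi

    zones=$(zones_with_service "$service")
    if [ -z "$zones" ]; then
        # The admin has not enabled the service in any zone: open nothing.
        echo "no zone has $service enabled; firewall left unchanged" >&2
        return 1
    fi
    for zone in $zones; do
        $FWCMD --zone="$zone" "--${action}-port=${port}" >/dev/null || return 1
        $FWCMD --permanent --zone="$zone" "--${action}-port=${port}" >/dev/null || return 1
    done
}

# Run as a script, e.g.: update_brick_port add 49152/tcp
if [ $# -gt 0 ]; then update_brick_port "$@"; fi
```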
  </body>
</html>