<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 09/04/2015 05:20 PM, Christopher
Blum wrote:<br>
</div>
<blockquote
cite="mid:CAGFr3v2p0PrBwocZDDDcwaCLREaGHBHD2zm2s=7=CavA=eYAHA@mail.gmail.com"
type="cite">
<div dir="ltr">Where do you add the services to the zone? I
couldn't find that in your code...</div>
</blockquote>
By default it is not attached to any zone; the admin has to enable the
glusterfs-static service in his/her active zone after installation.
<br>
<blockquote
cite="mid:CAGFr3v2p0PrBwocZDDDcwaCLREaGHBHD2zm2s=7=CavA=eYAHA@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div style="font-size:small"><span
style="font-size:12.8000001907349px">Christopher
Blum</span><br>
</div>
<div style="font-size:small">Associate Storage
Consultant</div>
<div style="font-size:small">Global Storage
Consulting, Red Hat</div>
<div style="font-size:small"><br>
</div>
<div style="font-size:small"><a
moz-do-not-send="true"
href="tel:%2B49%20711%2096%2043%207009"
value="+4971196437009"
style="color:rgb(17,85,204);font-size:12.8000001907349px"
target="_blank">+49 711 96 43 7009</a></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Fri, Sep 4, 2015 at 5:37 AM, Anand
Nekkunti <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:anekkunt@redhat.com" target="_blank">anekkunt@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> see comments below
<div>
<div class="h5"><br>
<br>
<div>On 09/01/2015 02:47 PM, Anand Nekkunti wrote:<br>
</div>
<blockquote type="cite"> Hi All<br>
From the firewalld doc and my experiments, I understood
that we don't have any option to add/remove a port
to/from a service at runtime/permanently (this can be
done for a zone). The only way is modifying the service xml
file, but it requires a firewall reload (which causes
the loss of runtime settings).<br>
Is there any way to reload the firewall
without losing runtime settings, or is there any
way to reload a particular service?<br>
<br>
Regards<br>
Anand.N<br>
<br>
<div>On 09/01/2015 12:49 PM, Christopher Blum wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">There is a function in the d-bus
interface:
<div>
<p>getZoneOfInterface(s: interface) → s</p>
</div>
<div>that will return the current zone of the
interface and you can then add ports to that
interface.</div>
<div>As far as I see it, the hooks get only
executed when I start the volume, right? So
when I created and started the volume, but
then change the zone of the interface, we need
to detect that (I guess it would be enough to
handle that on reboot) and move the
ports/services to the new zone.</div>
<div><br>
</div>
<div>Regarding Org.fedoraproject.firewalld1.config.service
- I think that would need additional tests if
that is really only for the persistent config,
or if the changes are also applied in the
running config.</div>
</div>
<div class="gmail_extra"><br clear="all">
<br>
<div class="gmail_quote">On Tue, Sep 1, 2015 at
8:58 AM, Kaushal M <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:kshlmster@gmail.com"
target="_blank">kshlmster@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div>
<div>On Mon, Aug 31, 2015 at 5:15 PM,
Kaushal M <<a moz-do-not-send="true"
href="mailto:kshlmster@gmail.com"
target="_blank">kshlmster@gmail.com</a>>
wrote:<br>
> Hi all,<br>
><br>
> I wanted to know if there is any
existing information on how to manage<br>
> dynamically changing services using
firewalld. If there are none<br>
> existing, could you please let us
know if the approach we're following<br>
> below is correct.<br>
><br>
> We want to provide firewalld
service configuration for GlusterFS. One<br>
> of the properties of GlusterFS is
that it has a set of fixed ports,<br>
> and a set of dynamic ports, which
need to be opened.<br>
><br>
> We propose to ship 2 firewalld
services with GlusterFS.<br>
> - glusterfs-static - This contains
the list of static ports that<br>
> should be opened up. This is placed
in /usr/lib/firewalld/services<br>
> - glusterfs-dynamic - This will
contain the list of dynamic ports.<br>
> This will be shipped empty, and be
placed in /etc/firewalld/services .<br>
> The ports in this service will be
kept updated by a couple of scripts,<br>
> which hook into the glusterfs
start/stop events.<br>
><br>
> The scripts, add or remove ports
> from the glusterfs-dynamic.xml file,<br>
> and call `firewall-cmd --reload` to
have firewalld reload<br>
> configuration. We do it this way,
instead of using a dbus call because<br>
> we want the configuration to be
persisted, and also applied live.<br>
><br>
> We've tested this, and this works.
But we'd like to validate this<br>
> solution with you guys.<br>
><br>
> Do you see any issues with our
approach? Is there anything we could do<br>
> to improve the solution.<br>
><br>
> For reference, the glusterfs bug
and proposed solution are available<br>
> at [1] and [2].<br>
><br>
> Thanks.<br>
><br>
> Kaushal<br>
><br>
> [1] <a moz-do-not-send="true"
href="https://bugzilla.redhat.com/show_bug.cgi?id=1253967"
rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1253967</a><br>
> [2] <a moz-do-not-send="true"
href="http://review.gluster.org/11989"
rel="noreferrer" target="_blank">http://review.gluster.org/11989</a><br>
><br>
> PS: Apologies if I should have
posted this to the users list instead.<br>
<br>
</div>
</div>
I've had a private conversation with
Christopher Blum (CCd), who<br>
identified a major flaw with our current
solution. Having firewalld<br>
reload will cause any runtime rules that
were set to be lost. This<br>
should be avoided at all costs.<br>
<br>
Chris suggested using firewalld dbus
commands [1] which could solve<br>
this. We have dbus commands to add/remove
ports from a service<br>
permanently. This is an alternative to
updating the service xml files.<br>
But we don't see a method to update a
service during runtime.<br>
<br>
There are dbus commands to add/remove ports
to zones during runtime.<br>
But this is not useful as we wouldn't know
which zone to apply it to.<br>
One of the reasons we chose to use services
was this.<br>
<br>
So now we have two questions,<br>
1. Is there a way to do a runtime
modification of a firewalld service<br>
</blockquote>
</div>
</div>
</blockquote>
</blockquote>
</div>
</div>
It seems firewalld does not support runtime
service updates, but we can add and remove ports<br>
from a zone<span class=""><br>
<blockquote type="cite">
<blockquote type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex"> 2. If not, is there a
easy way to get active zones, which have our<br>
services enabled and add/remove ports from
them.<br>
</blockquote>
</div>
</div>
</blockquote>
</blockquote>
</span> We can get the services which are
enabled in a zone using the command below:<br>
firewall-cmd --zone=$zone --list-services<br>
I have updated the hook script in my patch [1]; it
identifies the zones which have gluster services enabled
and adds/removes the port in those zone(s), so that we can
avoid a <br>
firewall reload. I have tested this script with
different test cases. <br>
[1] <a moz-do-not-send="true"
href="http://review.gluster.org/#/c/11989/"
target="_blank">http://review.gluster.org/#/c/11989/</a><span
class=""><br>
<br>
<br>
<blockquote type="cite">
<blockquote type="cite">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex"> <br>
Thanks.<br>
<br>
Kaushal<br>
<br>
[1] <a moz-do-not-send="true"
href="https://www.mankier.com/5/firewalld.dbus"
rel="noreferrer" target="_blank">https://www.mankier.com/5/firewalld.dbus</a><br>
[2] <a moz-do-not-send="true"
href="https://www.mankier.com/5/firewalld.dbus#Interfaces-Org.fedoraproject.firewalld1.config.service"
rel="noreferrer" target="_blank">https://www.mankier.com/5/firewalld.dbus#Interfaces-Org.fedoraproject.firewalld1.config.service</a><br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Gluster-devel mailing list
<a moz-do-not-send="true" href="mailto:Gluster-devel@gluster.org" target="_blank">Gluster-devel@gluster.org</a>
<a moz-do-not-send="true" href="http://www.gluster.org/mailman/listinfo/gluster-devel" target="_blank">http://www.gluster.org/mailman/listinfo/gluster-devel</a>
</pre>
</blockquote>
</blockquote>
<br>
</span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
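<p>The approach Anand describes in his reply (find the active zones that have the gluster service enabled, then add or remove the port in those zones both at runtime and permanently, so that no firewall reload is needed) as an added example in POSIX sh. This is not the hook script from the patch at review.gluster.org/11989; it was written for this page. Assumptions not stated in the thread: the service is named <code>glusterfs-static</code>, a <code>FIREWALL_CMD</code> variable lets the <code>firewall-cmd</code> binary be swapped for a stub when testing, and 49152 stands in for a brick port. The <code>firewall-cmd</code> options used (<code>--get-active-zones</code>, <code>--zone</code>, <code>--list-services</code>, <code>--add-port</code>, <code>--remove-port</code>, <code>--permanent</code>) are standard firewalld options.</p>

```shell
#!/bin/sh
# Added example (not the glusterfs patch's own hook): open or close one brick
# port in every active firewalld zone that has the gluster service enabled, in
# the runtime AND the permanent configuration, so `firewall-cmd --reload`
# (which drops runtime-only rules set by anyone else) is never needed.
#
# Assumptions: the service is named glusterfs-static (the name proposed in the
# thread), and FIREWALL_CMD may be overridden so the logic can be exercised
# against a stub instead of a real firewalld.

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
GLUSTER_SERVICE="${GLUSTER_SERVICE:-glusterfs-static}"

# Print active zone names, one per line.  `--get-active-zones` prints each
# zone name unindented, followed by indented "interfaces:"/"sources:" lines.
active_zones() {
    "$FIREWALL_CMD" --get-active-zones | awk '/^[^ \t]/ { print $1 }'
}

# Print only the active zones whose service list contains $GLUSTER_SERVICE.
# `--list-services` prints the enabled services space-separated on one line.
zones_with_gluster() {
    active_zones | while read -r zone; do
        for svc in $("$FIREWALL_CMD" --zone="$zone" --list-services); do
            if [ "$svc" = "$GLUSTER_SERVICE" ]; then
                echo "$zone"
                break
            fi
        done
    done
}

# update_port add|remove PORT
# Applies the change to the runtime config and, separately, to the permanent
# config of each matching zone.  Returns 0 if every call succeeded, 1 if any
# firewall-cmd call failed, 2 on bad arguments.
update_port() {
    action="$1"
    port="$2"
    case "$action" in
        add)    flag="--add-port" ;;
        remove) flag="--remove-port" ;;
        *) echo "usage: update_port add|remove PORT" >&2; return 2 ;;
    esac
    # Reject anything that is not a plain port number (1-65535) before it
    # reaches the firewall: hook scripts receive their arguments from outside.
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 2
    fi
    rc=0
    for zone in $(zones_with_gluster); do
        # Runtime change: effective immediately, lost on reload.
        "$FIREWALL_CMD" --zone="$zone" "$flag=$port/tcp" || rc=1
        # Permanent change: survives reload, not applied to the running set.
        "$FIREWALL_CMD" --permanent --zone="$zone" "$flag=$port/tcp" || rc=1
    done
    return "$rc"
}

# When run as a script from a brick start/stop hook, forward the arguments,
# e.g. `./gluster-fw-port.sh add 49152` (49152 is an assumed brick port).
if [ $# -eq 2 ]; then
    update_port "$@"
fi
```

<p>Each change is issued twice, once without and once with <code>--permanent</code>: in firewalld the runtime call takes effect immediately but is lost on reload, and the permanent call survives a reload but does not touch the running rule set. Doing both is what lets the hook skip <code>--reload</code> entirely, which is the flaw Christopher pointed out in the original XML-plus-reload design. The port check matters because the hook is driven by externally supplied arguments that end up in firewall rules.</p>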
</body>
</html>