<div dir="ltr">Where do you add the services to the zone? I couldn&#39;t find that in your code...</div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:small"><span style="font-size:12.8000001907349px">Christopher Blum</span><br></div><div style="font-size:small">Associate Storage Consultant</div><div style="font-size:small">Global Storage Consulting, Red Hat</div><div style="font-size:small"><br></div><div style="font-size:small"><a href="tel:%2B49%20711%2096%2043%207009" value="+4971196437009" style="color:rgb(17,85,204);font-size:12.8000001907349px" target="_blank">+49 711 96 43 7009</a></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Fri, Sep 4, 2015 at 5:37 AM, Anand Nekkunti <span dir="ltr">&lt;<a href="mailto:anekkunt@redhat.com" target="_blank">anekkunt@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    see comments below<div><div class="h5"><br>
    <br>
    <div>On 09/01/2015 02:47 PM, Anand Nekkunti
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      Hi All<br>
      From the firewalld docs and my experiments, I understood that we don&#39;t
      have any option to add/remove a port to/from a service at
      runtime/permanently (this can double for a zone). The only way is
      modifying the service xml file, but it requires a firewall reload (which
      causes the loss of the runtime settings).<br>
                Is there any way to reload the firewall without losing
      runtime settings, or is there any way to reload a particular service?<br>
      <br>
      Regards<br>
      Anand.N<br>
      <br>
      <div>On 09/01/2015 12:49 PM, Christopher
        Blum wrote:<br>
      </div>
      <blockquote type="cite">
        <div dir="ltr">There is a function in the d-bus interface:
          <div>
            <p>getZoneOfInterface(s:



              interface) → s</p>
          </div>
          <div>that will return the current zone of the interface and
            you can then add ports to that interface.</div>
          <div>As far as I see it, the hooks get only executed when I
            start the volume, right? So when I created and started the
            volume, but then change the zone of the interface, we need
            to detect that (I guess it would be enough to handle that on
            reboot) and move the ports/services to the new zone.</div>
          <div><br>
          </div>
          <div>Regarding Org.fedoraproject.firewalld1.config.service - I
            think that would need additional tests if that is really
            only for the persistent config, or if the changes are also
            applied in the running config.</div>
        </div>
        <div class="gmail_extra"><br clear="all">
          <div>
            <div>
              <div dir="ltr">
                <div>
                  <div dir="ltr">
                    <div dir="ltr">
                      <div dir="ltr">
                        <div dir="ltr">
                          <div dir="ltr">
                            <div style="font-size:small"><span style="font-size:12.8000001907349px">Christopher Blum</span><br>
                            </div>
                            <div style="font-size:small">Associate
                              Storage Consultant</div>
                            <div style="font-size:small">Global Storage
                              Consulting, Red Hat</div>
                            <div style="font-size:small"><br>
                            </div>
                            <div style="font-size:small"><a href="tel:%2B49%20711%2096%2043%207009" value="+4971196437009" style="color:rgb(17,85,204);font-size:12.8000001907349px" target="_blank">+49 711 96 43 7009</a></div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
          <br>
          <div class="gmail_quote">On Tue, Sep 1, 2015 at 8:58 AM,
            Kaushal M <span dir="ltr">&lt;<a href="mailto:kshlmster@gmail.com" target="_blank">kshlmster@gmail.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div>
                <div>On Mon, Aug 31, 2015 at 5:15 PM, Kaushal
                  M &lt;<a href="mailto:kshlmster@gmail.com" target="_blank">kshlmster@gmail.com</a>&gt;
                  wrote:<br>
                  &gt; Hi all,<br>
                  &gt;<br>
                  &gt; I wanted to know if there is any existing
                  information on how to manage<br>
                  &gt; dynamically changing services using firewalld. If
                  there are none<br>
                  &gt; existing, could you please let us know if the
                  approach we&#39;re following<br>
                  &gt; below is correct.<br>
                  &gt;<br>
                  &gt; We want to provide firewalld service
                  configuration for GlusterFS. One<br>
                  &gt; of the properties of GlusterFS is that it has a
                  set of fixed ports,<br>
                  &gt; and a set of dynamic ports, which need to be
                  opened.<br>
                  &gt;<br>
                  &gt; We propose to ship 2 firewalld services with
                  GlusterFS.<br>
                  &gt; - glusterfs-static - This contains the list of
                  static ports that<br>
                  &gt; should be opened up. This is placed in
                  /usr/lib/firewalld/services<br>
                  &gt; - glusterfs-dynamic - This will contain the list
                  of dynamic ports.<br>
                  &gt; This will be shipped empty, and be placed in
                  /etc/firewalld/services .<br>
                  &gt; The ports in this service will be kept updated by
                  a couple of scripts,<br>
                  &gt; which hook into the glusterfs start/stop events.<br>
                  &gt;<br>
                  &gt; The scripts add or remove ports from the
                  glusterfs-dynamic.xml file,<br>
                  &gt; and call `firewall-cmd --reload` to have
                  firewalld reload<br>
                  &gt; configuration. We do it this way, instead of
                  using a dbus call because<br>
                  &gt; we want the configuration to be persisted, and
                  also applied live.<br>
                  &gt;<br>
                  &gt; We&#39;ve tested this, and this works. But we&#39;d like
                  to validate this<br>
                  &gt; solution with you guys.<br>
                  &gt;<br>
                  &gt; Do you see any issues with our approach? Is there
                  anything we could do<br>
                  &gt; to improve the solution?<br>
                  &gt;<br>
                  &gt; For reference, the glusterfs bug and proposed
                  solution are available<br>
                  &gt; at [1] and [2].<br>
                  &gt;<br>
                  &gt; Thanks.<br>
                  &gt;<br>
                  &gt; Kaushal<br>
                  &gt;<br>
                  &gt; [1] <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1253967" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1253967</a><br>
                  &gt; [2] <a href="http://review.gluster.org/11989" rel="noreferrer" target="_blank">http://review.gluster.org/11989</a><br>
                  &gt;<br>
                  &gt; PS: Apologies if I should have posted this to the
                  users list instead.<br>
                  <br>
                </div>
              </div>
              I&#39;ve had a private conversation with Christopher Blum
              (CCd), who<br>
              identified a major flaw with our current solution. Having
              firewalld<br>
              reload will cause any runtime rules that were set to be
              lost. This<br>
              should be avoided at all costs.<br>
              <br>
              Chris suggested using firewalld dbus commands [1] which
              could solve<br>
              this. We have dbus commands to add/remove ports from a
              service<br>
              permanently. This is an alternative to updating the
              service xml files.<br>
              But we don&#39;t see a method to update a service during
              runtime.<br>
              <br>
              There are dbus commands to add/remove ports to zones
              during runtime.<br>
              But this is not useful as we wouldn&#39;t know which zone to
              apply it to.<br>
              One of the reasons we chose to use services was this.<br>
              <br>
              So now we have two questions,<br>
              1. Is there a way to do a runtime modification of a
              firewalld service<br>
            </blockquote>
          </div>
        </div>
      </blockquote>
    </blockquote></div></div>
                it seems firewalld does not support runtime service
    updates, but we can add and remove ports<br>
                 from a zone<span class=""><br>
    <blockquote type="cite">
      <blockquote type="cite">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> 2. If
              not, is there an easy way to get the active zones which have
              our<br>
              services enabled, and add/remove ports from them?<br>
            </blockquote>
          </div>
        </div>
      </blockquote>
    </blockquote></span>
               we can get the services which are enabled in a zone using the
    command below<br>
                firewall-cmd --zone=$zone --list-services<br>
               I have updated the hook script in my patch [1]; it identifies
    the zones which have gluster services enabled and adds/removes the
    port in those zone(s), so that we can avoid a <br>
               firewall reload. I have tested this script with different
    test cases. <br>
                [1] <a href="http://review.gluster.org/#/c/11989/" target="_blank">http://review.gluster.org/#/c/11989/</a><span class=""><br>
                  <br>
    <br>
    <blockquote type="cite">
      <blockquote type="cite">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <br>
              Thanks.<br>
              <br>
              Kaushal<br>
              <br>
              [1] <a href="https://www.mankier.com/5/firewalld.dbus" rel="noreferrer" target="_blank">https://www.mankier.com/5/firewalld.dbus</a><br>
              [2] <a href="https://www.mankier.com/5/firewalld.dbus#Interfaces-Org.fedoraproject.firewalld1.config.service" rel="noreferrer" target="_blank">https://www.mankier.com/5/firewalld.dbus#Interfaces-Org.fedoraproject.firewalld1.config.service</a><br>
            </blockquote>
          </div>
          <br>
        </div>
        <br>
        <fieldset></fieldset>
        <br>
        <pre>_______________________________________________
Gluster-devel mailing list
<a href="mailto:Gluster-devel@gluster.org" target="_blank">Gluster-devel@gluster.org</a>
<a href="http://www.gluster.org/mailman/listinfo/gluster-devel" target="_blank">http://www.gluster.org/mailman/listinfo/gluster-devel</a>
</pre>
      </blockquote>
    </blockquote>
    <br>
  </span></div>

</blockquote></div><br></div>
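<p>Added example, written for this page: it is not the hook script from the gluster patch at review.gluster.org/11989 and not firewalld project code. It shows in POSIX sh the approach Anand and Kaushal settle on in the thread: find the active zones in which the gluster service is enabled (via <code>firewall-cmd --get-active-zones</code> and <code>--zone=$zone --list-services</code>), then add or remove the brick port in those zones both at runtime and with <code>--permanent</code>, so the port change persists without a <code>firewall-cmd --reload</code> that would drop every runtime-only rule. The service name <code>glusterfs</code>, the <code>FIREWALL_CMD</code> override variable (so the script can be exercised against a stub without a running firewalld) and the sample zone output used for testing are assumptions.</p>

```shell
#!/bin/sh
# Added example (not the gluster hook script or firewalld code): open or
# close a Gluster brick port in every active firewalld zone that has the
# gluster service enabled, at runtime and in the permanent configuration,
# so that no `firewall-cmd --reload` (which drops runtime-only rules) is
# needed.  Assumed: the service is named "glusterfs"; FIREWALL_CMD may be
# pointed at a stub for offline testing.

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"    # override with a stub to test
GLUSTER_SERVICE="${GLUSTER_SERVICE:-glusterfs}" # assumed service name

# Extract zone names from `firewall-cmd --get-active-zones` output, which
# prints each zone on an unindented line followed by indented
# "interfaces:" / "sources:" lines.
zones_from_active_output() {
    printf '%s\n' "$1" | awk '/^[^ \t]/ { print $1 }'
}

# Succeed if the space-separated service list in $1 contains the name in $2.
service_in_list() {
    for s in $1; do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# Print, one per line, the active zones in which the gluster service is
# enabled.  Zones without the service are left untouched.
gluster_zones() {
    for z in $(zones_from_active_output "$("$FIREWALL_CMD" --get-active-zones)"); do
        if service_in_list "$("$FIREWALL_CMD" --zone="$z" --list-services)" "$GLUSTER_SERVICE"; then
            printf '%s\n' "$z"
        fi
    done
}

# update_port add|remove PORT [PROTO]
# Applies the change to the runtime configuration and then, with
# --permanent, to the on-disk configuration of every gluster zone.  The
# pair of calls is what replaces the reload.
update_port() {
    action="$1"; port="$2"; proto="${3:-tcp}"
    case "$action" in
        add|remove) ;;
        *) echo "usage: update_port add|remove PORT [PROTO]" >&2; return 2 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    for z in $(gluster_zones); do
        "$FIREWALL_CMD" --zone="$z" "--${action}-port=${port}/${proto}" || return 1
        "$FIREWALL_CMD" --permanent --zone="$z" "--${action}-port=${port}/${proto}" || return 1
    done
}

# Typical use from brick start/stop hooks:
#   update_port add 49152
#   update_port remove 49152
```

<p>The script still shares the limitation Christopher raises above: if an interface is moved to a different zone after the port was added, nothing migrates the port, so a hook that runs at boot (or on zone change) and re-applies <code>update_port add</code> for the bricks currently running is needed on top of this.</p>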