Bug 1057295

| Summary: | glusterfs doesn't include firewalld rules |
|---|---|
| Product: | [Community] GlusterFS |
| Component: | build |
| Reporter: | Richard W.M. Jones <rjones> |
| Assignee: | bugs <bugs> |
| Status: | CLOSED CURRENTRELEASE |
| Severity: | unspecified |
| Priority: | unspecified |
| Version: | 3.7.0 |
| CC: | anekkunt, barumuga, bugs, gluster-bugs, joe, jonathansteffan, ndevos, negativo17, rcyriac, riehecky, silas |
| Keywords: | EasyFix, Triaged |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Fixed In Version: | glusterfs-3.7.6 |
| Doc Type: | Bug Fix |
| : | 1253967 |
| Last Closed: | 2015-11-17 05:56:40 UTC |
| Type: | Bug |
| Bug Depends On: | 1253967 |
| Bug Blocks: | 1253774, 1261315, 1261319, 1271752, 1275914 |

Description
Richard W.M. Jones
2014-01-23 19:03:03 UTC
Those rules are not sufficient. The management process (glusterd) uses 24007/tcp and conditionally 24008/tcp if you use rdma. Bricks (glusterfsd) use 49152 *& up*. Additionally a glusterfs process will listen on 38465-38467/tcp for nfs, and 38468 for NLM. NFS also depends on rpcbind/portmap on port 111 and 2049.

Without a dbus interface (or some other scripting hook), I just don't see how firewalld can be informed of dynamic port utilization. As community support, we currently recommend disabling firewalld and falling back to iptables managed through tools like puppet.

Features that would communicate the port needs through dbus, or some other method, might be good for this but it's not on the roadmap and unlikely to make F20 (in my estimation).

To propose a more extended firewalld configuration that includes the required ports, I hope you'll consider submitting your patch through http://www.gluster.org/community/documentation/index.php/Development_Work_Flow

GlusterFS 3.7.0 has been released (http://www.gluster.org/pipermail/gluster-users/2015-May/021901.html), and the Gluster project maintains N-2 supported releases. The last two releases before 3.7 are still maintained, at the moment these are 3.6 and 3.5.

This bug has been filed against the 3.4 release, and will not get fixed in a 3.4 version any more. Please verify if newer versions are affected with the reported problem. If that is the case, update the bug with a note, and update the version if you can. In case updating the version is not possible, leave a comment in this bug report with the version you tested, and set the "Need additional information the selected bugs from" below the comment box to "bugs".

If there is no response by the end of the month, this bug will get automatically closed.

This could potentially be handled with the hooks interface, but the port information would need to be passed to the script.

This is low-hanging fruit.

Please use bug 1253967 for sending patches to the master branch. This bug has been filed against glusterfs-3.7 and will be used for backporting changes.

REVIEW: http://review.gluster.org/12357 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#1) for review on release-3.7 by Anand Nekkunti (anekkunt)

REVIEW: http://review.gluster.org/12357 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#2) for review on release-3.7 by Anand Nekkunti (anekkunt)

COMMIT: http://review.gluster.org/12357 committed in release-3.7 by Niels de Vos (ndevos)

------

commit 429669168f6e13798c04ad0641909493c213f22e
Author: anand <anekkunt>
Date: Sat Aug 22 01:09:53 2015 +0530

firewall/spec: Create glusterfs firewall service if firewalld installed.

It creates glusterfs firewall service during installation.

glusterfs service: It contains all default ports which need to be opened. During installation glusterfs.xml is copied into the firewall service directory (/usr/lib/firewalld/services/).

Note:

1. For bricks: It opens the 512 ports, if a brick is running outside this range (>49664) then the admin needs to open the port for that brick.
2. By default this service is not enabled in any zone.

To enable this service (glusterfs) in the firewall:

1. Get active zone(s) in node

    firewall-cmd --get-active-zones

2. Attach this service (glusterfs) to zone(s)

    firewall-cmd --zone=<zone_name> --add-service=glusterfs --To apply runtime
    firewall-cmd --permanent --zone=<zone_name> --add-service=glusterfs --To apply permanent

Note: we can also use firewall-config which gives a GUI to configure the firewall.

Backport of:
>Change-Id: Id97fe620c560fd10599511d751aed11a99ba4da5
>BUG: 1253967
>Signed-off-by: anand <anekkunt>
>Reviewed-on: http://review.gluster.org/11989
>Reviewed-by: Niels de Vos <ndevos>
>Tested-by: NetBSD Build System <jenkins.org>
>Tested-by: Gluster Build System <jenkins.com>
>(cherry picked from commit 7f327d3b4f9222995d2ee78862e48ca44c28411c)

Change-Id: Iacf44b15ffb176c965c7f3b074065a54cf785dc7
BUG: 1057295
Signed-off-by: anand <anekkunt>
Reviewed-on: http://review.gluster.org/12357
Reviewed-by: Niels de Vos <ndevos>
Tested-by: NetBSD Build System <jenkins.org>
Tested-by: Gluster Build System <jenkins.com>

This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.7.6, please open a new bug report.

glusterfs-3.7.6 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution.

[1] http://www.gluster.org/pipermail/gluster-users/2015-November/024359.html
[2] http://thread.gmane.org/gmane.comp.file-systems.gluster.user
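
The commit note in this report says a brick listening above 49664 is not covered by the glusterfs service and must be opened by the admin. As an added example (not part of the bug report or the GlusterFS source), this script finds such listeners in `ss -tlnp` output and prints the `firewall-cmd` line to review; the `COVERED` list is an assumption assembled from the ports named in this thread, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: flag Gluster listeners on ports outside the ranges named in
# this thread. COVERED is an assumption assembled from the comments above
# (brick range taken as 49152-49664); it is not a copy of the shipped glusterfs.xml.
COVERED="111 2049 24007-24008 38465-38468 49152-49664"

# Constructed sample of `ss -tlnp` output (not captured from a real host).
sample_ss() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=900,fd=3))
LISTEN 0 128 0.0.0.0:24007 0.0.0.0:* users:(("glusterd",pid=1201,fd=9))
LISTEN 0 128 0.0.0.0:49152 0.0.0.0:* users:(("glusterfsd",pid=1340,fd=11))
LISTEN 0 128 0.0.0.0:49664 0.0.0.0:* users:(("glusterfsd",pid=1371,fd=11))
LISTEN 0 128 0.0.0.0:49670 0.0.0.0:* users:(("glusterfsd",pid=1388,fd=11))
LISTEN 0 128 [::]:49670    [::]:*    users:(("glusterfsd",pid=1388,fd=12))
LISTEN 0 64  0.0.0.0:38465 0.0.0.0:* users:(("glusterfs",pid=1402,fd=14))
EOF
}

# Reads `ss -tlnp` lines on stdin; prints "port process" once for every
# gluster listener whose port is outside COVERED.
uncovered_gluster_ports() {
    awk -v covered="$COVERED" '
    BEGIN {
        n = split(covered, r, " ")
        for (i = 1; i <= n; i++) {
            m = split(r[i], b, "-")
            lo[i] = b[1] + 0
            hi[i] = (m == 2 ? b[2] : b[1]) + 0
        }
    }
    $1 == "LISTEN" && $6 ~ /"gluster(d|fs|fsd)"/ {
        k = split($4, a, ":"); port = a[k] + 0   # last field, so [::]:port works
        ok = 0
        for (i = 1; i <= n; i++) if (port >= lo[i] && port <= hi[i]) ok = 1
        if (!ok && !seen[port]++) { split($6, q, "\""); print port, q[2] }
    }' | sort -n
}

# Prints, without running it, the firewall-cmd line for each uncovered port.
suggest_rules() {   # $1 = firewalld zone name
    uncovered_gluster_ports | while read -r port proc; do
        echo "firewall-cmd --permanent --zone=$1 --add-port=${port}/tcp"
    done
}

sample_ss | suggest_rules public
```

On a live node, replace `sample_ss` with `ss -tlnp` run as root so the process column is populated.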