Bug 1107805

Summary: [RFE] Support FirewallD
Product: [Retired] oVirt
Reporter: justin.brown1.1@gmail.com <justin.brown>
Component: ovirt-hosted-engine-setup
Assignee: Sandro Bonazzola <sbonazzo>
Status: CLOSED DUPLICATE
QA Contact: meital avital <mavital>
Severity: low
Docs Contact:
Priority: unspecified
Version: 3.4
CC: acathrow, bugs, dfediuck, gklein, iheim, yeylon
Target Milestone: ---
Target Release: 3.6.0
Hardware: All
OS: Linux
Whiteboard: integration
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-11 08:11:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description justin.brown1.1@gmail.com 2014-06-10 16:42:32 UTC
Description of problem:

`hosted-engine --deploy` supports iptables detection and configuration. Since Fedora 18 and RHEL 7, FirewallD is the preferred front-end to iptables. The old iptables-save files are no longer used and manually running iptables commands is dangerous. 


Version-Release number of selected component (if applicable):

3.4


How reproducible:

Always


Steps to Reproduce:
1. Run `hosted-engine --deploy`
2. It will offer to configure iptables but won't use FirewallD.

Expected results:

FirewallD is a great iptables front-end that is now the default on all new Red Hat Linux products (Fedora, RHEL, and CentOS). It needs to be supported. Fallback to iptables is acceptable, but there needs to be an effort to look for FirewallD on the DBus system bus.

Additional info:

The good news is that I have already written 75% of the code for FreeIPA to have FirewallD configuration support with iptables fall-back. The code can mostly be used without modification in oVirt to make things easier.
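
The detection-with-fallback behaviour requested above, sketched as an added example; it is not the reporter's FreeIPA code nor anything from oVirt. It assumes `dbus-send` is installed, and the function names and the `5900/tcp` sample port are constructed for illustration.

```python
import subprocess

FIREWALLD_BUS_NAME = "org.fedoraproject.FirewallD1"  # firewalld's well-known D-Bus name


def firewalld_on_system_bus(run=subprocess.run):
    """Ask the system bus daemon whether firewalld currently owns its name."""
    cmd = ["dbus-send", "--system", "--print-reply",
           "--dest=org.freedesktop.DBus", "/org/freedesktop/DBus",
           "org.freedesktop.DBus.NameHasOwner",
           "string:" + FIREWALLD_BUS_NAME]
    try:
        result = run(cmd, capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.SubprocessError):
        return False  # no dbus-send, no system bus, or timeout: treat as absent
    return result.returncode == 0 and "boolean true" in result.stdout


def plan_firewall_commands(ports, firewalld_active):
    """Return argv lists that open `ports` (e.g. "5900/tcp") via one backend only."""
    commands = []
    for spec in ports:
        port, sep, proto = spec.partition("/")
        if not (sep and port.isdigit() and 0 < int(port) < 65536
                and proto in ("tcp", "udp")):
            raise ValueError("bad port spec: %r" % spec)
        if firewalld_active:
            # firewalld owns the rule set: never mix in raw iptables calls
            commands.append(["firewall-cmd", "--permanent", "--add-port=" + spec])
        else:
            # fallback when firewalld is not on the bus
            commands.append(["iptables", "-I", "INPUT", "-p", proto,
                             "--dport", port, "-j", "ACCEPT"])
    if firewalld_active and commands:
        commands.append(["firewall-cmd", "--reload"])  # apply the permanent rules
    return commands


if __name__ == "__main__":
    active = firewalld_on_system_bus()
    print("backend:", "firewalld" if active else "iptables")
    for argv in plan_firewall_commands(["5900/tcp"], active):  # constructed sample port
        print(" ".join(argv))
```

The script only prints the planned commands; running them requires root and changes the host firewall.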

Comment 1 Sandro Bonazzola 2014-06-11 08:11:46 UTC

*** This bug has been marked as a duplicate of bug 1075687 ***

Comment 2 Sandro Bonazzola 2014-06-11 08:14:01 UTC
(In reply to justin.brown1.1 from comment #0)

> The good news is that I have already written 75% of the code for FreeIPA to
> have FirewallD configuration support with iptables fall-back. The code can
> mostly be used without modification in oVirt to make things easier.

That's good news. See also bug #995362.
We can't add support for firewalld to hosted engine until engine supports it.