Bug 1110711

Summary: Open Cockpit port by default on Fedora Server
Product: [Fedora] Fedora
Reporter: Stef Walter <stefw>
Component: firewalld
Assignee: Thomas Woerner <twoerner>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: adamw+bugzillatest, awilliam, jpopelka, sgallagh, twoerner
Doc Type: Bug Fix
Last Closed: 2014-07-11 09:48:56 UTC
Type: Bug
Bug Blocks: 1091301, 1108258    

Description Stef Walter 2014-06-18 10:07:36 UTC
The Cockpit port 1001 should be open by default on a freshly installed Fedora 21 Server, according to the release criteria for Fedora Server.

Comment 1 Stef Walter 2014-06-18 10:07:54 UTC
The component of this may need to be tweaked? Does the default firewall come from anaconda? How does Fedora Server differentiate its firewall?

Comment 2 Stephen Gallagher 2014-06-18 11:54:34 UTC
As an additional note, we may want to change this port to something we can get reserved for Cockpit's use with IANA. This would help us avoid future conflicts. The problem of course is finding an unused-but-memorable port.

The other idea that struck me just now would be to make it "Dealer's Choice": set Cockpit up to run on port 80/443 at initial boot and allow users to configure it to a port of their choice after that.

Comment 3 Thomas Woerner 2014-06-18 12:25:00 UTC
The default firewalld configuration is provided by firewalld, but anaconda is enabling the ssh service in the default zone of firewalld - if it is not enabled already. Additionally anaconda is changing the default zone according to the firewall configuration in kickstart installations.

For Cockpit I would suggest to provide a service configuration file for firewalld with the proper port to be able to add it for example at installation time. It would also be possible to provide a special zone with all the needed things added for the use in the server. Or to provide a set of zones for the server that are replacing the upstream zone files.

If Cockpit is using port 80 or 443, we can simply use the http and https services that are already available in firewalld.
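
An added example (not part of the bug thread and not firewalld's or Cockpit's own code) of reviewing what a zone assembled from service files, as Comment 3 proposes, would leave open: it resolves the zone's services to ports and reports anything outside a reviewed allowlist. The XML is constructed in firewalld's service/zone file format; the zone name, its contents and the extra port range are assumptions, and only port 1001 comes from the report.

```python
import xml.etree.ElementTree as ET

# Constructed samples in firewalld's service/zone XML format (not the shipped files).
SERVICES = {
    "ssh": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "cockpit": '<service><short>Cockpit</short><port protocol="tcp" port="1001"/></service>',
}
ZONE = """<zone>
  <short>Example Server</short>
  <service name="ssh"/>
  <service name="cockpit"/>
  <port protocol="tcp" port="8000-8002"/>
</zone>"""


def ports_of(element):
    """Return {(protocol, port)} for the <port> children; 'a-b' ranges are expanded."""
    found = set()
    for p in element.findall("port"):
        low, _, high = p.get("port").partition("-")
        for number in range(int(low), int(high or low) + 1):
            found.add((p.get("protocol"), number))
    return found


def zone_exposure(zone_xml, services):
    """Map each (protocol, port) the zone opens to the service or rule that opens it."""
    zone = ET.fromstring(zone_xml)
    exposed = {key: "(zone port rule)" for key in ports_of(zone)}
    for ref in zone.findall("service"):
        name = ref.get("name")
        if name not in services:
            raise KeyError("zone references unknown service: " + name)
        for key in ports_of(ET.fromstring(services[name])):
            exposed[key] = name
    return exposed


def unexpected(exposed, allowed):
    """Ports the zone opens that are not in the reviewed allowlist."""
    return sorted(key for key in exposed if key not in allowed)


if __name__ == "__main__":
    exposure = zone_exposure(ZONE, SERVICES)
    for key in unexpected(exposure, {("tcp", 22), ("tcp", 1001)}):
        print("not in allowlist:", key, "opened by", exposure[key])
```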

Comment 4 Adam Williamson 2014-06-18 22:33:05 UTC
Just as a note: I'd be more comfortable if the initial report read "according to the Fedora Server product design". The release criteria are a mechanism for doing quality assurance on a product, they are not an aspect of product design.

Comment 5 Stef Walter 2014-06-27 12:23:52 UTC
Upstream Cockpit firewall service definition is here: https://github.com/cockpit-project/cockpit/pull/806

Comment 6 Thomas Woerner 2014-07-07 17:28:07 UTC
firewalld-0.3.10-3: Added new fedora-server zone with cockpit enabled.

Comment 7 Thomas Woerner 2014-07-11 09:48:56 UTC
Fixed in rawhide in package firewalld-0.3.10-3 or newer.