Bug 1253967

Summary: glusterfs doesn't include firewalld rules
Product: [Community] GlusterFS
Reporter: Niels de Vos <ndevos>
Component: build
Assignee: Satish Mohan <smohan>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: mainline
CC: bugs, jcall, kaushal, rcyriac, riehecky, smohan
Target Milestone: ---
Keywords: EasyFix, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: glusterfs-3.8rc2
Doc Type: Bug Fix
Doc Text: Please find doc in link: https://bugzilla.redhat.com/attachment.cgi?id=1071307
Story Points: ---
Clone Of: 1057295
Environment:
Last Closed: 2016-06-16 13:31:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1057295
Attachments: firewalld_doc (Flags: none)

Description Niels de Vos 2015-08-16 06:38:14 UTC
+++ This bug was initially created as a clone of Bug #1057295 +++
+++                                                           +++
+++ Use this bug to post patches for the master branch.       +++

Description of problem:

glusterfs(d) is missing firewall rules.  As a result it doesn't
work unless you manually configure the firewall, which sucks.

I believe it should work if you drop in the following file:

/usr/lib/firewalld/services/glusterfs.xml

containing:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>glusterfs</short>
  <description>Some description here ...</description>
  <port port="24007" protocol="tcp" />
  <port port="24009" protocol="tcp" />
  <port port="24010" protocol="tcp" />
  <port port="49152" protocol="tcp" />
</service>

Version-Release number of selected component (if applicable):

3.4.2, Fedora 20.

How reproducible:

100%

Steps to Reproduce:

Just start up gluster in the default configuration.  It's
impossible to use it without consulting lots of contradictory
online documentation about what firewall ports to open up
and then manually reconfiguring the firewall.

--- Additional comment from Joe Julian on 2014-01-29 21:46:09 CET ---

Those rules are not sufficient.

The management process (glusterd) uses 24007/tcp and conditionally 24008/tcp if you use rdma.

Bricks (glusterfsd) use 49152 *& up*.

Additionally a glusterfs process will listen on 38465-38467/tcp for nfs, and 38468 for NLM. 

NFS also depends on rpcbind/portmap on port 111 and 2049.

Without a dbus interface (or some other scripting hook), I just don't see how firewalld can be informed of dynamic port utilization.

As community support, we currently recommend disabling firewalld and falling back to iptables managed through tools like puppet.

Features that would communicate the port needs through dbus, or some other method, might be good for this but it's not on the roadmap and unlikely to make F20 (in my estimation).

To propose a more extended firewalld configuration that includes the required ports, I hope you'll consider submitting your patch through http://www.gluster.org/community/documentation/index.php/Development_Work_Flow

--- Additional comment from John Skeoch on 2014-03-31 03:35:19 CEST ---

User vraman's account has been closed

--- Additional comment from Niels de Vos on 2015-05-17 23:57:52 CEST ---

GlusterFS 3.7.0 has been released (http://www.gluster.org/pipermail/gluster-users/2015-May/021901.html), and the Gluster project maintains N-2 supported releases. The last two releases before 3.7 are still maintained, at the moment these are 3.6 and 3.5.

This bug has been filed against the 3.4 release, and will not get fixed in a 3.4 version any more. Please verify if newer versions are affected with the reported problem. If that is the case, update the bug with a note, and update the version if you can. In case updating the version is not possible, leave a comment in this bug report with the version you tested, and set the "Need additional information the selected bugs from" below the comment box to "bugs".

If there is no response by the end of the month, this bug will get automatically closed.

--- Additional comment from Joe Julian on 2015-05-18 19:17:29 CEST ---

This could potentially be handled with the hooks interface, but the port information would need to be passed to the script.

This is low-hanging fruit.

Comment 1 Anand Avati 2015-08-23 10:28:42 UTC
REVIEW: http://review.gluster.org/11989 (Glusterd/hook/spec: Enabling static and dynamic ports if firewall installed.) posted (#1) for review on master by Anand Nekkunti (anekkunt)

Comment 2 Anand Avati 2015-08-25 03:49:19 UTC
REVIEW: http://review.gluster.org/11989 (Glusterd/hook/spec: Enabling static and dynamic ports if firewall installed.) posted (#2) for review on master by Anand Nekkunti (anekkunt)

Comment 3 Anand Avati 2015-08-25 08:42:15 UTC
REVIEW: http://review.gluster.org/11989 (Glusterd/hook/spec: Enabling static and dynamic ports if firewall installed.) posted (#3) for review on master by Anand Nekkunti (anekkunt)

Comment 4 Anand Avati 2015-08-27 11:06:13 UTC
REVIEW: http://review.gluster.org/11989 (glusterd/hook/spec: Enabling static and dynamic ports if firewall installed.) posted (#4) for review on master by Anand Nekkunti (anekkunt)

Comment 5 Anand Avati 2015-08-29 19:05:40 UTC
REVIEW: http://review.gluster.org/11989 (glusterd/hook/spec: Enabling static and dynamic ports if firewall installed.) posted (#5) for review on master by Anand Nekkunti (anekkunt)

Comment 6 Anand Avati 2015-08-31 04:34:35 UTC
REVIEW: http://review.gluster.org/11989 (glusterd/hook/spec: Enabling static and dynamic ports if firewall installed.) posted (#6) for review on master by Anand Nekkunti (anekkunt)

Comment 7 Kaushal 2015-08-31 11:12:45 UTC
We are working on a solution for this.

The solution in its current state is as follows,
- We ship a new package glusterfs-firewalld for fedora and centos7. This package contains firewalld configuration (in the form of firewalld services) to open ports required by GlusterFS and a couple of hook scripts which keep the firewalld configuration updated. Two service configurations will be shipped.
  - glusterfs-static - which contains the static glusterfs ports
  - glusterfs-dynamic - which contains the variable brick ports and is kept updated by the hook scripts


- The hook scripts will be run when a brick is started (or stopped). The hook scripts will add (or remove) the brick port into (from) the firewalld configuration, and perform a firewalld reload, to have firewalld reload the updated services. Changes are required in GlusterD to provide the hook scripts with the ports.

- The user needs to only enable the glusterfs firewalld services on the network of their choice to open up the required ports.
  - As an additional goal, we could also provide a glusterfs firewalld zone, which enables all the firewalld services required by glusterfs (nfs, swift, ssh etc.). This can make it even simpler for a user to enable all the firewall rules required for running glusterfs.

Comment 8 Kaushal 2015-08-31 11:49:17 UTC
I've started a discussion with the firewalld developers to validate our approach.
http://thread.gmane.org/gmane.comp.file-systems.gluster.devel/12404
https://lists.fedorahosted.org/pipermail/firewalld-devel/2015-August/000189.html

Comment 9 Vijay Bellur 2015-09-02 17:19:11 UTC
REVIEW: http://review.gluster.org/11989 (glusterd/hook/spec: Enabling static and dynamic ports if firewall installed.) posted (#8) for review on master by Anand Nekkunti (anekkunt)

Comment 10 Vijay Bellur 2015-09-03 06:03:11 UTC
REVIEW: http://review.gluster.org/11989 (glusterd/hook/spec: Create static and dynamic services if firewalld installed.) posted (#9) for review on master by Anand Nekkunti (anekkunt)

Comment 11 Vijay Bellur 2015-09-04 03:37:06 UTC
REVIEW: http://review.gluster.org/11989 (glusterd/hook/spec: Create static and dynamic services if firewalld installed.) posted (#10) for review on master by Anand Nekkunti (anekkunt)

Comment 12 Kaushal 2015-09-07 04:04:32 UTC
Firewalld doesn't have a way to dynamically change a service in runtime, without side-effects. The solution proposed in comment#7 causes firewalld to reload its runtime configuration, which as a side-effect leads to any runtime changes made being lost.

So for now, the best approach IMO is to statically open up a range of ports for the bricks.

An RFE will be filed with firewalld to get support for runtime modification of service.
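The two approaches discussed in comment #7 (hook scripts that open brick ports as bricks start) and comment #12 (a statically opened brick range, because `firewall-cmd --reload` discards runtime-only rules), as an added example that is not part of this bug, of the change under review at http://review.gluster.org/11989, or of the Gluster project's own hook scripts. The port list is the one Joe Julian gives above; everything else is assumed: the brick range 49152-49251 (size it to the real maximum number of bricks per node, since "49152 and up" with no upper bound opens the node's whole ephemeral range), the service name `glusterfs`, the zone `public`, that a brick hook receives the brick port as its first argument (comment #7 notes GlusterD would have to pass it), and the `DRY_RUN` and `FIREWALLD_SERVICE_DIR` variables, which belong to this script only. With `DRY_RUN=1` the `firewall-cmd` calls are printed rather than executed, so the script can be reviewed on a host without firewalld.

```shell
#!/bin/sh
# Added example, not Gluster project code: a static firewalld service
# for GlusterFS built from the ports listed in this bug, installed the
# way comment #12 settles on (a fixed brick range baked into the
# permanent config, then a reload), plus a hook-style per-brick
# alternative that avoids the reload. DRY_RUN=1 prints the firewall-cmd
# calls instead of running them.

# Assumption: at most 100 bricks per node, so the brick range is
# 49152-49251. Size this to your real brick count; "49152 and up"
# with no upper bound opens every ephemeral port on the node.
BRICK_FIRST=${BRICK_FIRST:-49152}
BRICK_LAST=${BRICK_LAST:-49251}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Emit the service XML. Ports: glusterd 24007, rdma 24008, bricks
# (range), NFS 38465-38467, NLM 38468, rpcbind 111, NFS 2049, as named
# by Joe Julian in this bug. 111/udp is an addition here, since rpcbind
# answers on both protocols.
gluster_service_xml() {
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>glusterfs</short>
  <description>GlusterFS management, brick, NFS and NLM ports</description>
  <port port="24007" protocol="tcp"/>
  <port port="24008" protocol="tcp"/>
  <port port="${BRICK_FIRST}-${BRICK_LAST}" protocol="tcp"/>
  <port port="38465-38467" protocol="tcp"/>
  <port port="38468" protocol="tcp"/>
  <port port="111" protocol="tcp"/>
  <port port="111" protocol="udp"/>
  <port port="2049" protocol="tcp"/>
</service>
EOF
}

# Write the service into the admin-owned directory (not the
# package-owned /usr/lib/firewalld/services, which upgrades overwrite),
# then enable it on one zone. --permanent edits the on-disk config;
# --reload activates it but also drops any runtime-only rules, the
# side effect comment #12 describes.
install_gluster_service() {
    zone=${1:-public}
    dir=${FIREWALLD_SERVICE_DIR:-/etc/firewalld/services}
    gluster_service_xml > "$dir/glusterfs.xml"
    chmod 0644 "$dir/glusterfs.xml"
    run firewall-cmd --permanent --zone="$zone" --add-service=glusterfs
    run firewall-cmd --reload
}

# Hook-style alternative for one brick port (comment #7's idea without
# the reload): apply the same change to the runtime and the permanent
# zone config, so nothing is lost and no reload is needed. Assumed to
# be called from a brick start hook with the brick port as argument 1.
brick_port_open() {
    zone=${2:-public}
    run firewall-cmd --zone="$zone" --add-port="$1/tcp"
    run firewall-cmd --permanent --zone="$zone" --add-port="$1/tcp"
}

case "${1:-}" in
    install) install_gluster_service "${2:-public}" ;;
    brick)   brick_port_open "$2" "${3:-public}" ;;
esac
```

Usage: `sh glusterfs-fw.sh install internal` writes the service file and enables it on the `internal` zone; `DRY_RUN=1 sh glusterfs-fw.sh brick 49160 internal` shows the two `firewall-cmd` calls a brick hook would issue. The runtime-plus-permanent pair is the way to add a port without the reload side effect: the runtime call takes effect immediately, the permanent call survives the next reload, and neither touches rules added by other tools.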

Comment 13 Vijay Bellur 2015-09-08 03:25:02 UTC
REVIEW: http://review.gluster.org/11989 (glusterd/hook/spec: Create glusterfs firewall service if firewalld installed.) posted (#11) for review on master by Anand Nekkunti (anekkunt)

Comment 14 Vijay Bellur 2015-09-08 03:26:10 UTC
REVIEW: http://review.gluster.org/11989 (glusterd: Create glusterfs firewall service if firewalld installed.) posted (#12) for review on master by Anand Nekkunti (anekkunt)

Comment 15 Vijay Bellur 2015-09-08 09:01:59 UTC
REVIEW: http://review.gluster.org/11989 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#13) for review on master by Anand Nekkunti (anekkunt)

Comment 16 Vijay Bellur 2015-09-08 10:28:38 UTC
REVIEW: http://review.gluster.org/11989 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#14) for review on master by Anand Nekkunti (anekkunt)

Comment 17 Anand Nekkunti 2015-09-08 11:55:36 UTC
Created attachment 1071307 [details]
firewalld_doc

Comment 18 Vijay Bellur 2015-09-09 09:29:26 UTC
REVIEW: http://review.gluster.org/11989 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#15) for review on master by Anand Nekkunti (anekkunt)

Comment 19 Vijay Bellur 2015-09-09 11:20:36 UTC
REVIEW: http://review.gluster.org/11989 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#16) for review on master by Anand Nekkunti (anekkunt)

Comment 20 Vijay Bellur 2015-09-09 14:24:50 UTC
REVIEW: http://review.gluster.org/11989 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#18) for review on master by Anand Nekkunti (anekkunt)

Comment 21 Vijay Bellur 2015-09-09 14:27:26 UTC
REVIEW: http://review.gluster.org/11989 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#19) for review on master by Anand Nekkunti (anekkunt)

Comment 24 Niels de Vos 2016-06-16 13:31:51 UTC
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.8.0, please open a new bug report.

glusterfs-3.8.0 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution.

[1] http://blog.gluster.org/2016/06/glusterfs-3-8-released/
[2] http://thread.gmane.org/gmane.comp.file-systems.gluster.user