Bug 1511560

Summary: Disabled inactive firewall
Product: [Red Hat Storage] Red Hat Gluster Storage
Reporter: Lubos Trilety <ltrilety>
Component: web-admin-tendrl-ansible
Assignee: Nishanth Thomas <nthomas>
Status: CLOSED ERRATA
QA Contact: Martin Bukatovic <mbukatov>
Severity: high
Priority: high
Version: rhgs-3.3
CC: abhaumik, bmekala, btotty, dahorak, fbalak, gmollett, japplewh, mbukatov, nthomas, rcyriac, rhinduja, sanandpa, sankarshan, sisharma, ssaha
Target Milestone: ---
Keywords: Reopened, Security, ZStream
Target Release: RHGS 3.3.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: tendrl-ansible-1.5.4-2.el7rhgs
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-12-18 04:39:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1519722
Bug Blocks: 1460574, 1520343

Description Lubos Trilety 2017-11-09 15:01:07 UTC
Description of problem:
Installation of RHGSWA disables the firewall on all machines; there's a special playbook for doing this in tendrl-ansible.

Version-Release number of selected component (if applicable):
tendrl-ansible-1.5.4-1.el7rhgs.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install RHGSWA
2. Check firewalld service and iptables

Actual results:
firewalld is disabled and inactive, iptables flushed

Expected results:
firewalld should be set instead of stopped and disabled.

Additional info:
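
A post-install check for the state described in this report, as an added example that is not part of the original bug or of tendrl-ansible. It assumes firewalld with the iptables backend, as on RHEL 7; the function names and the sample `iptables -S` output are constructed for illustration.

```python
import subprocess

# Constructed `iptables -S` samples, not captured from a real host.
FLUSHED = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"
MANAGED = FLUSHED + (
    "-N INPUT_ZONES\n"
    "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n"
    "-A INPUT -j INPUT_ZONES\n"
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"
)

def assess(is_enabled, is_active, iptables_s):
    """Return findings matching the 'Actual results' above; [] means OK."""
    findings = []
    if is_enabled.strip() != "enabled":
        findings.append("firewalld is not enabled at boot")
    if is_active.strip() != "active":
        findings.append("firewalld is not running")
    lines = [l.split() for l in iptables_s.splitlines() if l.strip()]
    policies = [l[2] for l in lines if l[0] == "-P" and len(l) >= 3]
    rules = [l for l in lines if l[0] == "-A"]
    # Flushed filter table: chains exist, no rules, every policy is ACCEPT.
    if policies and not rules and all(p == "ACCEPT" for p in policies):
        findings.append("iptables filter table is empty with ACCEPT policies")
    return findings

def _out(cmd):
    # systemctl is-enabled / is-active exit non-zero for disabled / inactive,
    # so read stdout without treating the exit status as an error.
    try:
        return subprocess.run(cmd, stdout=subprocess.PIPE,
                              stderr=subprocess.DEVNULL,
                              universal_newlines=True).stdout
    except FileNotFoundError:
        return ""

def assess_host():
    """Run the same check on the local machine (iptables needs root)."""
    return assess(_out(["systemctl", "is-enabled", "firewalld"]),
                  _out(["systemctl", "is-active", "firewalld"]),
                  _out(["iptables", "-S"]))

if __name__ == "__main__":
    samples = (("after affected install", ("disabled", "inactive", FLUSHED)),
               ("expected", ("enabled", "active", MANAGED)))
    for name, args in samples:
        print(name, "->", assess(*args) or "OK")
```

Calling `assess_host()` on each storage node and on the web administration server after installation gives a per-machine list of findings that can be asserted empty in an automated test run.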

Comment 1 RHEL Program Management 2017-11-15 16:42:45 UTC
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

Comment 37 Martin Bukatovic 2017-12-01 16:34:53 UTC
(In reply to Rahul Hinduja from comment #35)
> Based on comments 30 to 34, moving this bug to verified state. Other issues
> will be tracked separately.

I see that this BZ is in VERIFIED state when:

* upstream documentation for firewall configuration is not finished,
  see BZ 1519237
* description of verification process (e.g. comment 17) doesn't refer to
  downstream documentation draft nor specifies firewall configuration used
* qe team doesn't have firewall setup automated via playbook, so that qe
  team can't even run *every test case* (starting when this BZ was moved
  into verified state) with expected firewall setup

For these reasons, I'm moving this BZ back to ON_QE and I don't think we can
move it back to VERIFIED until we:

* reference particular firewall configuration used there
* automate the firewall configuration and make sure every tester uses it

Comment 39 Martin Bukatovic 2017-12-04 10:07:29 UTC
(In reply to Rejy M Cyriac from comment #38)
> THE ONLY ISSUE TO BE VERIFIED AS RESOLVED AT THIS BZ IS ON THE 'ACT OF
> INSTALLATION OF RHGS WEB ADMINISTRATION DISABLING FIREWALL BY DEFAULT.
> THIS WAS THE ONLY CONCERN RAISED BY PRODUCT SECURITY, AND CONVEYED TO THE
> PRODUCT STAKEHOLDERS TO RESOLVE, BEFORE SHIPPING THE WEB ADMINISTRATION
> COMPONENT.

Ack.

To make this more clear, I reorganized BZs according to your description so that:

* this BZ is blocked by 1519722, because I don't see how we could on one hand
  claim that firewalld should not be disabled, and on the other hand keep a
  workaround which disables the firewalld in suggested installation script
* there is a firewall tracker BZ 1520343, which keeps track of all the other
  firewall BZs for RHGS WA now
* BZs were linked so that it's easier to track what depends on what

Comment 40 Rahul Hinduja 2017-12-08 12:06:44 UTC
> * this BZ is blocked by 1519722, because I don't see how we could on one hand
>   claim that firewalld should not be disabled, and on the other hand keep a
>   workaround which disables the firewalld in suggested installation script

BZ 1519722 is in VERIFIED state now

> * there is a firewall tracker BZ 1520343, which keeps track of all the other
>   firewall BZs for RHGS WA now

This is a tracker bug and is to be addressed in subsequent releases. BZ 1520343 is not targeted for 3.3.1.

https://bugzilla.redhat.com/show_bug.cgi?id=1520343#c3
https://bugzilla.redhat.com/show_bug.cgi?id=1460574#c7

> * BZs were linked so that it's easier to track what depends on what

Considering these, moving the bug to verified state.

Comment 42 errata-xmlrpc 2017-12-18 04:39:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3478