Bug 768433

Summary: aeolus-configserver-setup iptables changes are not persistent
Product: [Retired] CloudForms Cloud Engine Reporter: James Laska <jlaska>
Component: aeolus-configserverAssignee: Greg Blomquist <gblomqui>
Status: CLOSED CURRENTRELEASE QA Contact: dgao
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 1.0.0CC: akarol, deltacloud-maint, jturner, morazi
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-30 17:15:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
configserver.patch none

Description James Laska 2011-12-16 16:17:53 UTC
Created attachment 547863 [details]
configserver.patch

Description of problem:

Following the instructions for setting up a configserver [1], the firewall is adjusted to open up port 443.  The changes made are not persistent. That is, the /etc/sysconfig/iptables file does not allow port#443.  Any reboots of the image will lose firewall settings.

[1] https://www.aeolusproject.org/redmine/projects/audrey/wiki/Configserver_Setup

Version-Release number of selected component (if applicable):
 * aeolus-configserver-0:0.4.2-2.el6.

Steps to Reproduce:
1. Run 'aeolus-configserver-setup'
2. Observe iptables -L output
3. Observe contents of /etc/sysconfig/iptables
  
Actual results:

# iptables -L | grep "\(443\|https\)" 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 

# grep "\(443\|https\)" /etc/sysconfig/iptables
#

Expected results:

# iptables -L | grep "\(443\|https\)" 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 

# grep "\(443\|https\)" /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 


Additional info:

 1. One suggestion was to use lokkit (rather than adding a rule to iptables directly).  However, it was thought that lokkit may produce non-deterministic behavior and should be avoided
 2. Another suggestion involved continuing with the current iptables rule addition, but then save the rules to disk using `service iptables save`.

I'm not a ruby expert, but the attached patch uses suggestion#2 and appears to use the recommended SysV and systemd method for saving the current iptables rules to disk (which also adjusts permissions, backup existing and restorecon etc...).

Comment 1 wes hayutin 2012-01-10 17:11:19 UTC
adding to ce-sprint-next

Comment 2 wes hayutin 2012-01-10 17:14:37 UTC
adding to ce-sprint-next

Comment 3 wes hayutin 2012-01-12 16:36:12 UTC
adding to ce-sprint

Comment 4 wes hayutin 2012-01-12 16:42:23 UTC
removing ce-sprint-next tracker

Comment 5 wes hayutin 2012-01-12 16:44:21 UTC
taking off ce-sprint-next..

Comment 7 dgao 2012-01-18 15:51:40 UTC
[root@deaddonkey ~]# rpm -q aeolus-configserver
aeolus-configserver-0.4.5-2.el6.noarch
[root@deaddonkey ~]# cat /etc/sysconfig/iptables | grep "443" 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
[root@deaddonkey ~]# aeolus-configserver-setup 

This script will help you configure Apache as a proxy for a Config Server.
Typically this is only useful if you are not familiar with Apache
configurations and modules, specifically with mod_proxy, mod_auth_basic, and
mod_ssl.

Also, this configuration tool assumes that you are not currently running Apache
for any purposes on this server.  This configuration tool will create a Named
Virtual Host for *:443.  If this server is currently using Apache to serve
secure pages on port 443, then this tool should not be used.


Do you wish to continue [y/N]: y


Please provide the web application URL where the Config Server is currently
running on this server.  If the Config Server was installed from an RPM, then
this will typically be:

  http://localhost:4567/

The provided URL should be a fully qualified URL, providing the scheme,
hostname, and port:  http://HOSTNAME:PORT/


Enter the application URL [http://localhost:4567/]: 
Root context: /
App URL: http://localhost:4567/
Conductor Auth Key: 611493791229888206785579
Conductor Auth Secret: 9MP9ZfyZKUnxpk6rSOD2MP0YL555nxRu1o2q6ZmJ5LVXwIpi
\n\n*** You need to add this config server information to a ***
*** provider account in conductor.                      ***
running: echo | /usr/bin/puppet --modulepath /usr/share/aeolus-configserver/configure/puppet/modules --external_nodes /tmp/tmp.VuNINdK8Qc --node_terminus exec

notice: /Stage[main]/Apache::Base/Exec[permit-http-networking]/returns: executed successfully
notice: /Stage[main]/Apache::Base/Exec[graceful-apache]: Triggered 'refresh' from 1 events
notice: /File[/var/lib/aeolus-configserver/configs/oauth/611493791229888206785579]/ensure: defined content as '{md5}79b571195cf41dac770c7eedf8785fd1'
notice: Finished catalog run in 49.42 seconds
[root@deaddonkey ~]# 
[root@deaddonkey ~]# cat /etc/sysconfig/iptables | grep "443" 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
[root@deaddonkey ~]# service iptables status | grep "443"
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
[root@deaddonkey ~]# service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: nat mangle filte[  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
[root@deaddonkey ~]# service iptables status | grep "443"
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443