Bug 885483
| Summary: | firewalld service configurations for free ipa | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dean Hunter <deanhunter> |
| Component: | freeipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 20 | CC: | abokovoy, gregswift, mkosek, pbrobinson, rcritten, ssorce |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-06-01 13:15:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Dean Hunter
2012-12-09 18:02:45 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2110

With the recent updates to firewall-cmd this is what my IPA server installation script looks like:

```shell
# Install IPA server
yum install --assumeyes freeipa-server bind bind-dyndb-ldap
ipa-server-install \
    --admin-password adminpassword \
    --domain hunter.org \
    --ds-password dspassword \
    --hostname ipa.hunter.org \
    --no-forwarders \
    --no-ntp \
    --realm HUNTER.ORG \
    --setup-dns \
    --unattended

# Local firewalld service definitions for the IPA ports firewalld did not ship a service for
cat >/etc/firewalld/services/kerberos.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>kerberos</short>
  <description>Kerberos</description>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
</service>
EOD

cat >/etc/firewalld/services/kpasswd.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>kpasswd</short>
  <description>kpasswd</description>
  <port protocol="tcp" port="464"/>
  <port protocol="udp" port="464"/>
</service>
EOD

cat >/etc/firewalld/services/ldap.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ldap</short>
  <description>Lightweight Directory Access Protocol</description>
  <port protocol="tcp" port="389"/>
</service>
EOD

cat >/etc/firewalld/services/ldaps.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ldaps</short>
  <description>Lightweight Directory Access Protocol over SSL</description>
  <port protocol="tcp" port="636"/>
</service>
EOD

# Open the IPA services permanently in the public zone, then reload so the
# new service files and rules take effect
firewall-cmd --permanent --zone=public --add-service=dns
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-service=kerberos
firewall-cmd --permanent --zone=public --add-service=kpasswd
firewall-cmd --permanent --zone=public --add-service=ldap
firewall-cmd --permanent --zone=public --add-service=ldaps
firewall-cmd --permanent --zone=public --add-service=ntp
firewall-cmd --reload
```

If you do not want to update the firewall, could you at least provide the service XML files with better descriptions?

Hello Dean, thanks for the example. We do want to update the firewall; it is already suggested in the FreeIPA ticket referred to by this ticket. It will most probably be done with the use of the firewall-cmd you showed above. It could be run in ipa-{server,replica,client}-install. We just need to create the service XMLs in some reliable way so that the files do not clash with other projects. This ticket is not currently targeted for the next release; I can bring this topic up in our Triage meeting to change its targeting. However, if you would want to have it in FreeIPA earlier, you may want to consider contributing to the project, patches are always welcome!

Thank you for the update. I am not overly concerned about when the feature is added to the IPA install. I just added the information because I had compiled a list of products for which I had to perform similar actions. I have opened 914859 requesting additional service XML files from the firewalld folks for those services that I found missing. At this point IPA is consistent with other product implementations. In the coming year I hope to learn enough Python so that I might participate, but I am not qualified just yet. Again, thank you for the update and keep up the good work.

This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life. Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life.
If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 18's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

This RFE is still valid for the current Fedora version, changing the version field.

It appears that firewalld has the service files in Fedora 20+. Not sure when they got added, but it seems like someone should mention it. Will add this comment to the upstream ticket too.

Check #914859

Ah, I see:

```
# ll /usr/lib/firewalld/services/freeipa-*
-rw-r-----. 1 root root 836 Oct 14 12:42 /usr/lib/firewalld/services/freeipa-ldaps.xml
-rw-r-----. 1 root root 836 Oct 14 12:42 /usr/lib/firewalld/services/freeipa-ldap.xml
-rw-r-----. 1 root root 315 Oct 14 12:42 /usr/lib/firewalld/services/freeipa-replication.xml
```

I am not convinced they are completely correct though; for example, freeipa-replication.xml is only needed for replication with FreeIPA < 3.1 (i.e. RHEL/CentOS 6.x), the newer FreeIPA versions already replicate PKI information over the standard 389 port. Also note that a community member already did some first design work for the FreeIPA feature: http://www.freeipa.org/page/V4/Firewall_Configuration

I am certain a number of improvements could be made to the service files I suggested. They were my best guess from the documentation and other information available to me at the time. I was trying to answer the question about when the service files for IPA were included with firewalld. I probably should have been a little more verbose. Best wishes on your continued development of a very fine product.

This message is a reminder that Fedora 20 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 20. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '20'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 20 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

If there are more changes required to add to the firewalld configuration, please open a new bugzilla to address specific changes.
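Added example, not code from the bug report, from FreeIPA or from firewalld: a small Python check of what a set of firewalld service files actually opens and where a hand-written file under /etc/firewalld/services/ shadows a packaged one of the same name under /usr/lib/firewalld/services/, which is the clash-with-other-projects risk raised in the thread once firewalld started shipping its own freeipa-* files. The service definitions are constructed inline: the two "local" ones copy the kerberos and ldap files from the description, while the "packaged" ones (including an aggregate freeipa-ldap) are invented stand-ins and do not reproduce the contents of any firewalld release. The only firewalld behaviour assumed is its documented lookup order, where the /etc copy takes precedence over the /usr/lib copy.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Set, Tuple

# (protocol, port-or-range) exactly as written in <port protocol=".." port=".."/>
Port = Tuple[str, str]

# Constructed sample data for this example. LOCAL stands in for
# /etc/firewalld/services/*.xml (the hand-written files from the bug report);
# PACKAGED stands in for /usr/lib/firewalld/services/*.xml and is invented for
# illustration, not copied from a firewalld release.
LOCAL: Dict[str, str] = {
    "kerberos": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>kerberos</short>
  <description>Kerberos</description>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
</service>""",
    "ldap": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ldap</short>
  <description>Lightweight Directory Access Protocol</description>
  <port protocol="tcp" port="389"/>
</service>""",
}

PACKAGED: Dict[str, str] = {
    "dns": '<service><short>dns</short><port protocol="tcp" port="53"/>'
           '<port protocol="udp" port="53"/></service>',
    "https": '<service><short>https</short><port protocol="tcp" port="443"/></service>',
    "kerberos": '<service><short>kerberos</short><port protocol="tcp" port="88"/>'
                '<port protocol="udp" port="88"/></service>',
    # hypothetical aggregate service bundling several IPA ports
    "freeipa-ldap": '<service><short>FreeIPA LDAP</short>'
                    '<port protocol="tcp" port="88"/><port protocol="udp" port="88"/>'
                    '<port protocol="tcp" port="389"/>'
                    '<port protocol="tcp" port="464"/><port protocol="udp" port="464"/>'
                    '</service>',
}

VALID_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}


def parse_service(xml_text: str) -> Set[Port]:
    """Return the (protocol, port) pairs one firewalld service file declares.
    A wrong root element or a malformed <port> raises, so a typo in a
    hand-written file fails loudly instead of silently opening nothing."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError(f"root element is <{root.tag}>, expected <service>")
    ports: Set[Port] = set()
    for el in root.findall("port"):
        proto, port = el.get("protocol"), el.get("port")
        if proto not in VALID_PROTOCOLS or not port:
            raise ValueError(f"bad <port> element: protocol={proto!r} port={port!r}")
        ports.add((proto, port))
    return ports


def resolve(local: Dict[str, str], packaged: Dict[str, str]) -> Dict[str, Set[Port]]:
    """Apply firewalld's lookup order: a service file in /etc/firewalld/services/
    overrides a packaged file of the same name in /usr/lib/firewalld/services/."""
    resolved = {name: parse_service(text) for name, text in packaged.items()}
    resolved.update({name: parse_service(text) for name, text in local.items()})
    return resolved


def shadowed(local: Dict[str, str], packaged: Dict[str, str]) -> List[str]:
    """Names defined in both trees; the local copy silently wins, even if the
    packaged one later gains ports that the local one lacks."""
    return sorted(set(local) & set(packaged))


def opened_ports(services: Iterable[str], resolved: Dict[str, Set[Port]]) -> Set[Port]:
    """Net effect of 'firewall-cmd --add-service=<name>' for each name."""
    names = list(services)
    missing = sorted(set(names) - set(resolved))
    if missing:
        raise KeyError(f"unknown firewalld service(s): {missing}")
    return set().union(*(resolved[n] for n in names))


def redundant_services(services: Iterable[str], resolved: Dict[str, Set[Port]]) -> List[str]:
    """Selected services whose ports are already fully covered by the other
    selected services, e.g. 'kerberos' next to an aggregate 'freeipa-ldap'."""
    names = list(services)
    out = []
    for n in names:
        others = set().union(*(resolved[m] for m in names if m != n))
        if resolved[n] <= others:
            out.append(n)
    return sorted(out)


if __name__ == "__main__":
    table = resolve(LOCAL, PACKAGED)
    wanted = ["dns", "https", "kerberos", "ldap", "freeipa-ldap"]
    print("local files shadowing packaged ones:", shadowed(LOCAL, PACKAGED))
    for proto, port in sorted(opened_ports(wanted, table),
                              key=lambda p: (int(p[1].split("-")[0]), p[0])):
        print(f"{port}/{proto}")
    print("redundant --add-service names:", redundant_services(wanted, table))
```

On a real host, replace the two dictionaries by reading the XML files from the two directories; the shadow check is the one worth running before an install script drops its own kerberos.xml or ldap.xml into /etc/firewalld/services/.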