Bug 1057295 - glusterfs doesn't include firewalld rules
Summary: glusterfs doesn't include firewalld rules
Alias: None
Product: GlusterFS
Classification: Community
Component: build
Version: 3.7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: bugs@gluster.org
QA Contact:
Depends On: 1253967
Blocks: 1253774 1261315 1261319 1271752 glusterfs-3.7.6
TreeView+ depends on / blocked
Reported: 2014-01-23 19:03 UTC by Richard W.M. Jones
Modified: 2016-03-21 09:13 UTC (History)
11 users (show)

Fixed In Version: glusterfs-3.7.6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1253967 (view as bug list)
Last Closed: 2015-11-17 05:56:40 UTC
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1253774 1 None None None 2021-01-20 06:05:38 UTC

Internal Links: 1253774

Description Richard W.M. Jones 2014-01-23 19:03:03 UTC
Description of problem:

glusterfs(d) is missing firewall rules.  As a result it doesn't
work unless you manually configure the firewall, which sucks.

I believe it should work if you drop in the following file:



<?xml version="1.0" encoding="utf-8"?>
  <description>Some description here ...</description>
  <port port="24007" protocol="tcp" />
  <port port="24009" protocol="tcp" />
  <port port="24010" protocol="tcp" />
  <port port="49152" protocol="tcp" />

Version-Release number of selected component (if applicable):

3.4.2, Fedora 20.

How reproducible:


Steps to Reproduce:

Just start up gluster in the default configuration.  It's
impossible to use it without consulting lots of contradictory
online documentation about what firewall ports to open up
and then manually reconfiguring the firewall.

Comment 1 Joe Julian 2014-01-29 20:46:09 UTC
Those rules are not sufficient.

The management process (glusterd) uses 24007/tcp and conditionally 24008/tcp if you use rdma.

Bricks (glusterfsd) use 49152 *& up*.

Additionally a glusterfs process will listen on 38465-38467/tcp for nfs, and 38468 for NLM. 

NFS also depends on rpcbind/portmap on port 111 and 2049.

Without a dbus interface (or some other scripting hook), I just don't see how firewalld can be informed of dynamic port utilization.

As community support, we currently recommend disabling firewalld and falling back to iptables managed through tools like puppet.

Features that would communicate the port needs through dbus, or some other method, might be good for this but it's not on the roadmap and unlikely to make F20 (in my estimation).

To propose a more extended firewalld configuration that includes the required ports, I hope you'll consider submitting your patch through http://www.gluster.org/community/documentation/index.php/Development_Work_Flow

Comment 3 Niels de Vos 2015-05-17 21:57:52 UTC
GlusterFS 3.7.0 has been released (http://www.gluster.org/pipermail/gluster-users/2015-May/021901.html), and the Gluster project maintains N-2 supported releases. The last two releases before 3.7 are still maintained, at the moment these are 3.6 and 3.5.

This bug has been filed against the 3,4 release, and will not get fixed in a 3.4 version any more. Please verify if newer versions are affected with the reported problem. If that is the case, update the bug with a note, and update the version if you can. In case updating the version is not possible, leave a comment in this bug report with the version you tested, and set the "Need additional information the selected bugs from" below the comment box to "bugs@gluster.org".

If there is no response by the end of the month, this bug will get automatically closed.

Comment 4 Joe Julian 2015-05-18 17:17:29 UTC
This could potentially be handled with the hooks interface, but the port information would need to be passed to the script.

This is low-hanging fruit.

Comment 5 Niels de Vos 2015-08-16 06:40:06 UTC
Please use bug 1253967 for sending patches to the master branch.

This bug has been filed against glusterfs-3.7 and will be used for backporting changes.

Comment 6 Vijay Bellur 2015-10-14 08:49:22 UTC
REVIEW: http://review.gluster.org/12357 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#1) for review on release-3.7 by Anand Nekkunti (anekkunt@redhat.com)

Comment 7 Vijay Bellur 2015-10-15 16:08:40 UTC
REVIEW: http://review.gluster.org/12357 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#2) for review on release-3.7 by Anand Nekkunti (anekkunt@redhat.com)

Comment 8 Vijay Bellur 2015-10-15 22:53:12 UTC
COMMIT: http://review.gluster.org/12357 committed in release-3.7 by Niels de Vos (ndevos@redhat.com) 
commit 429669168f6e13798c04ad0641909493c213f22e
Author: anand <anekkunt@redhat.com>
Date:   Sat Aug 22 01:09:53 2015 +0530

    firewall/spec: Create glusterfs firewall service if firewalld installed.
    It creates glusterfs firewall service during installation.
    glusterfs service : It contains all default ports which needs to be opened.
    During installation  glusterfs.xml is copied into firewall service directory(/usr/lib/firewalld/services/).
    1.For bricks: It opens the 512 ports, if brick is running out side this range(>49664) then admin need to open the port
    for that brick.
    2.By default this service is not enabled in any of zone.
    To enable this service(glusterfs) in firewall:
    1. Get active zone(s) in node
         firewall-cmd  --get-active-zones
    2. Attached this service(glusterfs) to zone(s)
       firewall-cmd  --zone=<zone_name>  --add-service=glusterfs               --To apply runtime
       firewall-cmd  --permanent  --zone=<zone_name>  --add-service=glusterfs  --To apply permanent
      we can also use firewall-config which gives GUI to configure firewall.
    Backport of:
    >Change-Id: Id97fe620c560fd10599511d751aed11a99ba4da5
    >BUG: 1253967
    >Signed-off-by: anand <anekkunt@redhat.com>
    >Reviewed-on: http://review.gluster.org/11989
    >Reviewed-by: Niels de Vos <ndevos@redhat.com>
    >Tested-by: NetBSD Build System <jenkins@build.gluster.org>
    >Tested-by: Gluster Build System <jenkins@build.gluster.com>
    >(cherry picked from commit 7f327d3b4f9222995d2ee78862e48ca44c28411c)
    Change-Id: Iacf44b15ffb176c965c7f3b074065a54cf785dc7
    BUG: 1057295
    Signed-off-by: anand <anekkunt@redhat.com>;
    Reviewed-on: http://review.gluster.org/12357
    Reviewed-by: Niels de Vos <ndevos@redhat.com>
    Tested-by: NetBSD Build System <jenkins@build.gluster.org>
    Tested-by: Gluster Build System <jenkins@build.gluster.com>

Comment 9 Raghavendra Talur 2015-11-17 05:56:40 UTC
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.7.6, please open a new bug report.

glusterfs-3.7.6 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution.

[1] http://www.gluster.org/pipermail/gluster-users/2015-November/024359.html
[2] http://thread.gmane.org/gmane.comp.file-systems.gluster.user

Note You need to log in before you can comment on or make changes to this bug.