Description of problem:
glusterfs(d) is missing firewall rules. As a result it doesn't
work unless you manually configure the firewall, which sucks.
I believe it should work if you drop in the following file:
<?xml version="1.0" encoding="utf-8"?>
<description>Some description here ...</description>
<port port="24007" protocol="tcp" />
<port port="24009" protocol="tcp" />
<port port="24010" protocol="tcp" />
<port port="49152" protocol="tcp" />
Version-Release number of selected component (if applicable):
3.4.2, Fedora 20.
Steps to Reproduce:
Just start up gluster in the default configuration. It's
impossible to use it without consulting lots of contradictory
online documentation about what firewall ports to open up
and then manually reconfiguring the firewall.
Those rules are not sufficient.
The management process (glusterd) uses 24007/tcp and conditionally 24008/tcp if you use rdma.
Bricks (glusterfsd) use 49152 *& up*.
Additionally a glusterfs process will listen on 38465-38467/tcp for nfs, and 38468 for NLM.
NFS also depends on rpcbind/portmap on port 111 and 2049.
Without a dbus interface (or some other scripting hook), I just don't see how firewalld can be informed of dynamic port utilization.
As community support, we currently recommend disabling firewalld and falling back to iptables managed through tools like puppet.
Features that would communicate the port needs through dbus, or some other method, might be good for this but it's not on the roadmap and unlikely to make F20 (in my estimation).
To propose a more extended firewalld configuration that includes the required ports, I hope you'll consider submitting your patch through http://www.gluster.org/community/documentation/index.php/Development_Work_Flow
GlusterFS 3.7.0 has been released (http://www.gluster.org/pipermail/gluster-users/2015-May/021901.html), and the Gluster project maintains N-2 supported releases. The last two releases before 3.7 are still maintained, at the moment these are 3.6 and 3.5.
This bug has been filed against the 3,4 release, and will not get fixed in a 3.4 version any more. Please verify if newer versions are affected with the reported problem. If that is the case, update the bug with a note, and update the version if you can. In case updating the version is not possible, leave a comment in this bug report with the version you tested, and set the "Need additional information the selected bugs from" below the comment box to "firstname.lastname@example.org".
If there is no response by the end of the month, this bug will get automatically closed.
This could potentially be handled with the hooks interface, but the port information would need to be passed to the script.
This is low-hanging fruit.
Please use bug 1253967 for sending patches to the master branch.
This bug has been filed against glusterfs-3.7 and will be used for backporting changes.
REVIEW: http://review.gluster.org/12357 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#1) for review on release-3.7 by Anand Nekkunti (email@example.com)
REVIEW: http://review.gluster.org/12357 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#2) for review on release-3.7 by Anand Nekkunti (firstname.lastname@example.org)
COMMIT: http://review.gluster.org/12357 committed in release-3.7 by Niels de Vos (email@example.com)
Author: anand <firstname.lastname@example.org>
Date: Sat Aug 22 01:09:53 2015 +0530
firewall/spec: Create glusterfs firewall service if firewalld installed.
It creates glusterfs firewall service during installation.
glusterfs service : It contains all default ports which needs to be opened.
During installation glusterfs.xml is copied into firewall service directory(/usr/lib/firewalld/services/).
1.For bricks: It opens the 512 ports, if brick is running out side this range(>49664) then admin need to open the port
for that brick.
2.By default this service is not enabled in any of zone.
To enable this service(glusterfs) in firewall:
1. Get active zone(s) in node
2. Attached this service(glusterfs) to zone(s)
firewall-cmd --zone=<zone_name> --add-service=glusterfs --To apply runtime
firewall-cmd --permanent --zone=<zone_name> --add-service=glusterfs --To apply permanent
we can also use firewall-config which gives GUI to configure firewall.
>Signed-off-by: anand <email@example.com>
>Reviewed-by: Niels de Vos <firstname.lastname@example.org>
>Tested-by: NetBSD Build System <email@example.com>
>Tested-by: Gluster Build System <firstname.lastname@example.org>
>(cherry picked from commit 7f327d3b4f9222995d2ee78862e48ca44c28411c)
Signed-off-by: anand <email@example.com>;
Reviewed-by: Niels de Vos <firstname.lastname@example.org>
Tested-by: NetBSD Build System <email@example.com>
Tested-by: Gluster Build System <firstname.lastname@example.org>
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.7.6, please open a new bug report.
glusterfs-3.7.6 has been announced on the Gluster mailinglists , packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist  and the update infrastructure for your distribution.