Bug 1511560 - Disabled inactive firewall
Summary: Disabled inactive firewall
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: web-admin-tendrl-ansible
Version: rhgs-3.3
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: RHGS 3.3.1
Assignee: Nishanth Thomas
QA Contact: Martin Bukatovic
URL:
Whiteboard:
Depends On: 1519722
Blocks: 1460574 1520343
TreeView+ depends on / blocked
 
Reported: 2017-11-09 15:01 UTC by Lubos Trilety
Modified: 2017-12-18 04:39 UTC (History)
15 users (show)

Fixed In Version: tendrl-ansible-1.5.4-2.el7rhgs
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-18 04:39:57 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:3478 normal SHIPPED_LIVE RHGS Web Administration packages 2017-12-18 09:34:49 UTC
Github Tendrl tendrl-ansible issues 49 None None None 2017-11-09 15:01:06 UTC
Red Hat Bugzilla 1520343 None None None Never

Internal Links: 1520343

Description Lubos Trilety 2017-11-09 15:01:07 UTC
Description of problem:
Installation of RHGSWA disable firewall on all machines, there's special playbook for doing this in tendrl-ansible.

Version-Release number of selected component (if applicable):
tendrl-ansible-1.5.4-1.el7rhgs.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install RHGSWA
2. Check firewalld service and iptables
3.

Actual results:
firewalld is disabled and inactive, iptables flushed

Expected results:
firewalld should be set instead of stopped and disabled.

Additional info:

Comment 1 RHEL Product and Program Management 2017-11-15 16:42:45 UTC
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

Comment 37 Martin Bukatovic 2017-12-01 16:34:53 UTC
(In reply to Rahul Hinduja from comment #35)
> Based on comment 30 to 34 , moving this bug to verified state. Other issues
> will be tracked separately.

I see that this BZ is in VERIFIED state when:

* upstream documenatation for firewall configuration is not finished,
  see BZ 1519237
* description of verification process (eg. comment 17) doesn't refer to
  downstream documentation draft nor specifies firewall configuration used
* qe team doesn't have firewall setup automated via playbook, so that qe
  team can't even run *every test case* (starting when this BZ was moved
  into verified state) with expected firewall setup

For these reason, I'm moving this BZ back in ON_QE and I don't thing we can
move it back to VERIFIED until we:

* reference particular firewall configuration used there
* automate the firewall configuration and make sure every tester uses it

Comment 39 Martin Bukatovic 2017-12-04 10:07:29 UTC
(In reply to Rejy M Cyriac from comment #38)
> THE ONLY ISSUE TO BE VERIFIED AS RESOLVED AT THIS BZ IS ON THE 'ACT OF
> INSTALLATION OF RHGS WEB ADMINISTRATION DISABLING FIREWALL BY DEFAULT.
> THIS WAS THE ONLY CONCERN RAISED BY PRODUCT SECURITY, AND CONVEYED TO THE
> PRODUCT STAKEHOLDERS TO RESOLVE, BEFORE SHIPPING THE WEB ADMINISTRATION
> COMPONENT.

Ack.

To make this more clear, I reorganized BZs according to your description so that:

* this BZ is blocked by 1519722, because I don't see how we could on one hand
  claim that firewalld should not be disabled, and on the other hand keep a
  workaround which disables the firewalld in suggested installation script
* there is a firewall tracker BZ 1520343, which keeps track of all the other
  firewall BZs for RHGS WA now
* BZs were linked so that's easier to track what depends on what

Comment 40 Rahul Hinduja 2017-12-08 12:06:44 UTC
> * this BZ is blocked by 1519722, because I don't see how we could on one hand
>   claim that firewalld should not be disabled, and on the other hand keep a
>   workaround which disables the firewalld in suggested installation script

BZ 1519722 is in VERIFIED state now

> * there is a firewall tracker BZ 1520343, which keeps track of all the other
>   firewall BZs for RHGS WA now

This is a tracker bug and to be addressed in subsequent releases. BZ 1520343 is not targeted for 3.3.1 

https://bugzilla.redhat.com/show_bug.cgi?id=1520343#c3
https://bugzilla.redhat.com/show_bug.cgi?id=1460574#c7

> * BZs were linked so that's easier to track what depends on what

Considering these moving the bug to verified state.

Comment 42 errata-xmlrpc 2017-12-18 04:39:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3478


Note You need to log in before you can comment on or make changes to this bug.