Bug 768433 - aeolus-configserver-setup iptables changes are not persistent
Summary: aeolus-configserver-setup iptables changes are not persistent
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: CloudForms Cloud Engine
Classification: Retired
Component: aeolus-configserver
Version: 1.0.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
Assignee: Greg Blomquist
QA Contact: dgao
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-12-16 16:17 UTC by James Laska
Modified: 2013-09-02 06:58 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-08-30 17:15:51 UTC
Embargoed:

Attachments (Terms of Use)
configserver.patch (678 bytes, patch)
2011-12-16 16:17 UTC, James Laska 		no flags Details | Diff
View All

Description James Laska 2011-12-16 16:17:53 UTC 
Created attachment 547863 [details]
configserver.patch

Description of problem:

Following the instructions for setting up a configserver [1], the firewall is adjusted to open up port 443.  The changes made are not persistent. That is, the /etc/sysconfig/iptables file does not allow port#443.  Any reboots of the image will lose firewall settings.

[1] https://www.aeolusproject.org/redmine/projects/audrey/wiki/Configserver_Setup

Version-Release number of selected component (if applicable):
 * aeolus-configserver-0:0.4.2-2.el6.

Steps to Reproduce:
1. Run 'aeolus-configserver-setup'
2. Observe iptables -L output
3. Observe contents of /etc/sysconfig/iptables
  
Actual results:

# iptables -L | grep "\(443\|https\)" 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 

# grep "\(443\|https\)" /etc/sysconfig/iptables
#

Expected results:

# iptables -L | grep "\(443\|https\)" 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 

# grep "\(443\|https\)" /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 


Additional info:

 1. One suggestion was to use lokkit (rather than adding a rule to iptables directly).  However, it was thought that lokkit may produce non-deterministic behavior and should be avoided
 2. Another suggestion involved continuing with the current iptables rule addition, but then save the rules to disk using `service iptables save`.

I'm not a ruby expert, but the attached patch uses suggestion#2 and appears to use the recommended SysV and systemd method for saving the current iptables rules to disk (which also adjusts permissions, backup existing and restorecon etc...).
Comment 1 wes hayutin 2012-01-10 17:11:19 UTC 
adding to ce-sprint-next
Comment 2 wes hayutin 2012-01-10 17:14:37 UTC 
adding to ce-sprint-next
Comment 3 wes hayutin 2012-01-12 16:36:12 UTC 
adding to ce-sprint
Comment 4 wes hayutin 2012-01-12 16:42:23 UTC 
removing ce-sprint-next tracker
Comment 5 wes hayutin 2012-01-12 16:44:21 UTC 
taking off ce-sprint-next..
Comment 6 Greg Blomquist 2012-01-16 21:52:57 UTC 
https://github.com/aeolusproject/audrey/commit/7ae4e5988046846d4750839b1c548ac4993e671a
Comment 7 dgao 2012-01-18 15:51:40 UTC 
[root@deaddonkey ~]# rpm -q aeolus-configserver
aeolus-configserver-0.4.5-2.el6.noarch
[root@deaddonkey ~]# cat /etc/sysconfig/iptables | grep "443" 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
[root@deaddonkey ~]# aeolus-configserver-setup 

This script will help you configure Apache as a proxy for a Config Server.
Typically this is only useful if you are not familiar with Apache
configurations and modules, specifically with mod_proxy, mod_auth_basic, and
mod_ssl.

Also, this configuration tool assumes that you are not currently running Apache
for any purposes on this server.  This configuration tool will create a Named
Virtual Host for *:443.  If this server is currently using Apache to serve
secure pages on port 443, then this tool should not be used.


Do you wish to continue [y/N]: y


Please provide the web application URL where the Config Server is currently
running on this server.  If the Config Server was installed from an RPM, then
this will typically be:

  http://localhost:4567/

The provided URL should be a fully qualified URL, providing the scheme,
hostname, and port:  http://HOSTNAME:PORT/


Enter the application URL [http://localhost:4567/]: 
Root context: /
App URL: http://localhost:4567/
Conductor Auth Key: 611493791229888206785579
Conductor Auth Secret: 9MP9ZfyZKUnxpk6rSOD2MP0YL555nxRu1o2q6ZmJ5LVXwIpi
\n\n*** You need to add this config server information to a ***
*** provider account in conductor.                      ***
running: echo | /usr/bin/puppet --modulepath /usr/share/aeolus-configserver/configure/puppet/modules --external_nodes /tmp/tmp.VuNINdK8Qc --node_terminus exec

notice: /Stage[main]/Apache::Base/Exec[permit-http-networking]/returns: executed successfully
notice: /Stage[main]/Apache::Base/Exec[graceful-apache]: Triggered 'refresh' from 1 events
notice: /File[/var/lib/aeolus-configserver/configs/oauth/611493791229888206785579]/ensure: defined content as '{md5}79b571195cf41dac770c7eedf8785fd1'
notice: Finished catalog run in 49.42 seconds
[root@deaddonkey ~]# 
[root@deaddonkey ~]# cat /etc/sysconfig/iptables | grep "443" 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
[root@deaddonkey ~]# service iptables status | grep "443"
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
[root@deaddonkey ~]# service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: nat mangle filte[  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
[root@deaddonkey ~]# service iptables status | grep "443"
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
Note You need to log in before you can comment on or make changes to this bug.