Created attachment 547863 [details]
configserver.patch

Description of problem:
Following the instructions for setting up a configserver [1], the firewall is adjusted to open up port 443. The changes made are not persistent. That is, the /etc/sysconfig/iptables file does not allow port 443. Any reboots of the image will lose firewall settings.

[1] https://www.aeolusproject.org/redmine/projects/audrey/wiki/Configserver_Setup

Version-Release number of selected component (if applicable):
* aeolus-configserver-0:0.4.2-2.el6

Steps to Reproduce:
1. Run 'aeolus-configserver-setup'
2. Observe iptables -L output
3. Observe contents of /etc/sysconfig/iptables

Actual results:
# iptables -L | grep "\(443\|https\)"
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
# grep "\(443\|https\)" /etc/sysconfig/iptables
#

Expected results:
# iptables -L | grep "\(443\|https\)"
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
# grep "\(443\|https\)" /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

Additional info:
1. One suggestion was to use lokkit (rather than adding a rule to iptables directly). However, it was thought that lokkit may produce non-deterministic behavior and should be avoided.
2. Another suggestion involved continuing with the current iptables rule addition, but then saving the rules to disk using `service iptables save`.

I'm not a ruby expert, but the attached patch uses suggestion #2 and appears to use the recommended SysV and systemd method for saving the current iptables rules to disk (which also adjusts permissions, backs up the existing file, runs restorecon, etc.).
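The report's check (rule visible in `iptables -L` but absent from /etc/sysconfig/iptables) can be turned into a repeatable drift test. The script below is an added example, not part of the bug report or of the aeolus-configserver project: it compares a running rule set in `iptables-save` format with the persisted rule file and reports, per TCP port, whether the ACCEPT rule is persistent, runtime-only (the bug: lost on restart/reboot), saved-only, or absent. The function names and both rule files are constructed for the example; on a real RHEL 6 host the inputs would be `iptables-save` output and /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example (not from the bug report or aeolus-configserver): detect
# iptables rules that exist in the kernel but were never saved to disk.
# Inputs are files in iptables-save format so the check runs offline.

# Print one of: persistent, runtime-only, saved-only, absent
rule_persistence_status() {
    running_file=$1   # output of `iptables-save` (or a copy of it)
    saved_file=$2     # /etc/sysconfig/iptables on RHEL 6
    port=$3
    # Matches the rule shape from the report's expected results; the state
    # match in between is allowed to vary (-m state / -m conntrack).
    pattern="^-A INPUT .*-p tcp .*--dport ${port} -j ACCEPT"
    in_running=0; in_saved=0
    grep -Eq -- "$pattern" "$running_file" && in_running=1
    grep -Eq -- "$pattern" "$saved_file" && in_saved=1
    case "${in_running}${in_saved}" in
        11) echo persistent ;;
        10) echo runtime-only ;;   # present now, gone after `service iptables restart`
        01) echo saved-only ;;     # on disk but not loaded yet
        *)  echo absent ;;
    esac
}

# Human-readable verdict with the remediation the report settled on.
report_port() {
    status=$(rule_persistence_status "$1" "$2" "$3")
    case "$status" in
        runtime-only)
            echo "port $3: $status - will be lost on reboot; run 'service iptables save'" ;;
        *)
            echo "port $3: $status" ;;
    esac
}

# Constructed sample data: the 443 rule was inserted live by the setup script
# but never written to the persisted file, exactly the state the bug describes.
RUNNING_RULES=$(mktemp)
SAVED_RULES=$(mktemp)
trap 'rm -f "$RUNNING_RULES" "$SAVED_RULES"' EXIT

cat > "$RUNNING_RULES" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

cat > "$SAVED_RULES" <<'EOF'
# Constructed stand-in for /etc/sysconfig/iptables, missing the 443 rule
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

report_port "$RUNNING_RULES" "$SAVED_RULES" 443   # runtime-only
report_port "$RUNNING_RULES" "$SAVED_RULES" 22    # persistent
report_port "$RUNNING_RULES" "$SAVED_RULES" 80    # absent
```

On a live host the same function would be fed `iptables-save > /tmp/running.rules` and `/etc/sysconfig/iptables`; a `runtime-only` result for a port the setup script opened is the condition this bug describes, and the fix in the attached patch (saving with `service iptables save`) turns it into `persistent`.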
adding to ce-sprint-next
adding to ce-sprint
removing ce-sprint-next tracker
taking off ce-sprint-next..
https://github.com/aeolusproject/audrey/commit/7ae4e5988046846d4750839b1c548ac4993e671a
[root@deaddonkey ~]# rpm -q aeolus-configserver
aeolus-configserver-0.4.5-2.el6.noarch
[root@deaddonkey ~]# cat /etc/sysconfig/iptables | grep "443"
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
[root@deaddonkey ~]# aeolus-configserver-setup
This script will help you configure Apache as a proxy for a Config Server. Typically this is only useful if you are not familiar with Apache configurations and modules, specifically with mod_proxy, mod_auth_basic, and mod_ssl.
Also, this configuration tool assumes that you are not currently running Apache for any purposes on this server.

This configuration tool will create a Named Virtual Host for *:443. If this server is currently using Apache to serve secure pages on port 443, then this tool should not be used.

Do you wish to continue [y/N]: y

Please provide the web application URL where the Config Server is currently running on this server. If the Config Server was installed from an RPM, then this will typically be: http://localhost:4567/
The provided URL should be a fully qualified URL, providing the scheme, hostname, and port: http://HOSTNAME:PORT/

Enter the application URL [http://localhost:4567/]:

Root context: /
App URL: http://localhost:4567/
Conductor Auth Key: 611493791229888206785579
Conductor Auth Secret: 9MP9ZfyZKUnxpk6rSOD2MP0YL555nxRu1o2q6ZmJ5LVXwIpi
\n\n*** You need to add this config server information to a ***
*** provider account in conductor. ***

running: echo | /usr/bin/puppet --modulepath /usr/share/aeolus-configserver/configure/puppet/modules --external_nodes /tmp/tmp.VuNINdK8Qc --node_terminus exec
notice: /Stage[main]/Apache::Base/Exec[permit-http-networking]/returns: executed successfully
notice: /Stage[main]/Apache::Base/Exec[graceful-apache]: Triggered 'refresh' from 1 events
notice: /File[/var/lib/aeolus-configserver/configs/oauth/611493791229888206785579]/ensure: defined content as '{md5}79b571195cf41dac770c7eedf8785fd1'
notice: Finished catalog run in 49.42 seconds
[root@deaddonkey ~]#
[root@deaddonkey ~]# cat /etc/sysconfig/iptables | grep "443"
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
[root@deaddonkey ~]# service iptables status | grep "443"
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
[root@deaddonkey ~]# service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: nat mangle filte[  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
[root@deaddonkey ~]# service iptables status | grep "443"
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443