Bug 773036 - configserver-setup should not add iptable rules if one exists
Summary: configserver-setup should not add iptable rules if one exists
Status: CLOSED CURRENTRELEASE
Alias: None
Product: CloudForms Cloud Engine
Classification: Retired
Component: aeolus-configserver
Version: 1.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: rc
Assignee: Greg Blomquist
QA Contact: dgao
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2012-01-10 18:13 UTC by dgao
Modified: 2012-08-30 17:18 UTC (History)

Clone Of:
Last Closed:



Description dgao 2012-01-10 18:13:32 UTC
[root@configserver-qe ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 


Otherwise, the result would be multiple rules that open port 443.
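The idempotent check the report asks for, as an added example (not the aeolus-configserver setup code or its Puppet module): the rule is added only when `iptables -S INPUT` does not already list an identical line. The `IPTABLES` variable, `rule_present`, `ensure_https_rule` and `LAST_ACTION` are names chosen for this example. In the project's Puppet manifest the same guard would be an `unless` on the `permit-http-networking` exec.

```shell
#!/bin/sh
# Idempotent "open port 443" helper (constructed example, not project code).
# IPTABLES is overridable so the logic can be exercised without root or a
# live netfilter; by default it is the real iptables binary.
IPTABLES="${IPTABLES:-iptables}"

# The rule in iptables-save syntax, exactly as `iptables -S INPUT` and
# /etc/sysconfig/iptables print it.
HTTPS_RULE='-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT'

# rule_present RULESET: succeed if RULESET (iptables-save style text) already
# contains HTTPS_RULE as a whole line (-F fixed string, -x whole line, -e so
# a pattern starting with "-A" is not taken for an option).
rule_present() {
    printf '%s\n' "$1" | grep -Fxq -e "$HTTPS_RULE"
}

# ensure_https_rule: add the rule only when no identical rule is loaded.
# Sets LAST_ACTION to "added" or "present". Reads the chain with -S rather
# than using `iptables -C`, which older iptables builds do not provide.
ensure_https_rule() {
    current=$("$IPTABLES" -S INPUT) || return 1
    if rule_present "$current"; then
        LAST_ACTION=present
        return 0
    fi
    "$IPTABLES" -I INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT || return 1
    LAST_ACTION=added
}
```

Running `ensure_https_rule` six times in a row leaves exactly one rule, which is the behaviour the report expects from repeated `aeolus-configserver-setup` runs.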

Comment 2 dgao 2012-01-18 20:39:10 UTC
[root@deaddonkey ~]# rpm -q aeolus-configserver
aeolus-configserver-0.4.5-2.el6.noarch

[root@deaddonkey ~]# service iptables status | grep "443"
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
[root@deaddonkey ~]# aeolus-configserver-setup 

This script will help you configure Apache as a proxy for a Config Server.
Typically this is only useful if you are not familiar with Apache
configurations and modules, specifically with mod_proxy, mod_auth_basic, and
mod_ssl.

Also, this configuration tool assumes that you are not currently running Apache
for any purposes on this server.  This configuration tool will create a Named
Virtual Host for *:443.  If this server is currently using Apache to serve
secure pages on port 443, then this tool should not be used.


Do you wish to continue [y/N]: y


Please provide the web application URL where the Config Server is currently
running on this server.  If the Config Server was installed from an RPM, then
this will typically be:

  http://localhost:4567/

The provided URL should be a fully qualified URL, providing the scheme,
hostname, and port:  http://HOSTNAME:PORT/


Enter the application URL [http://localhost:4567/]: 
Root context: /
App URL: http://localhost:4567/
Conductor Auth Key: 369634961556974483147877
Conductor Auth Secret: H3luihqpCXDCsAGCFnqY72gdGfKwWvL4ZwlklMKfsPF4JJeJ
\n\n*** You need to add this config server information to a ***
*** provider account in conductor.                      ***
running: echo | /usr/bin/puppet --modulepath /usr/share/aeolus-configserver/configure/puppet/modules --external_nodes /tmp/tmp.PJ940hkpc9 --node_terminus exec
notice: /Stage[main]/Apache::Base/Exec[permit-http-networking]/returns: executed successfully
notice: /Stage[main]/Apache::Base/Exec[graceful-apache]: Triggered 'refresh' from 1 events
notice: /File[/var/lib/aeolus-configserver/configs/oauth/369634961556974483147877]/ensure: defined content as '{md5}3ab9f0611a828b1d47072f0f930c55d1'
notice: Finished catalog run in 49.83 seconds
[root@deaddonkey ~]# service iptables status | grep "443"
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443 
[root@deaddonkey ~]# cat /etc/sysconfig/iptables | grep "443"
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

