+++ This bug was initially created as a clone of Bug #1057295 +++

+++ Use this bug to post patches for the master branch. +++

Description of problem:
glusterfs(d) is missing firewall rules. As a result it doesn't work unless you manually configure the firewall, which sucks. I believe it should work if you drop in the following file:

/usr/lib/firewalld/services/glusterfs.xml

containing:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>glusterfs</short>
  <description>Some description here ...</description>
  <port port="24007" protocol="tcp" />
  <port port="24009" protocol="tcp" />
  <port port="24010" protocol="tcp" />
  <port port="49152" protocol="tcp" />
</service>

Version-Release number of selected component (if applicable):
3.4.2, Fedora 20.

How reproducible:
100%

Steps to Reproduce:
Just start up gluster in the default configuration. It's impossible to use it without consulting lots of contradictory online documentation about what firewall ports to open up and then manually reconfiguring the firewall.

--- Additional comment from Joe Julian on 2014-01-29 21:46:09 CET ---

Those rules are not sufficient. The management process (glusterd) uses 24007/tcp and conditionally 24008/tcp if you use rdma. Bricks (glusterfsd) use 49152 *& up*. Additionally a glusterfs process will listen on 38465-38467/tcp for nfs, and 38468 for NLM. NFS also depends on rpcbind/portmap on port 111 and 2049.

Without a dbus interface (or some other scripting hook), I just don't see how firewalld can be informed of dynamic port utilization. As community support, we currently recommend disabling firewalld and falling back to iptables managed through tools like puppet.

Features that would communicate the port needs through dbus, or some other method, might be good for this but it's not on the roadmap and unlikely to make F20 (in my estimation).

To propose a more extended firewalld configuration that includes the required ports, I hope you'll consider submitting your patch through http://www.gluster.org/community/documentation/index.php/Development_Work_Flow

--- Additional comment from John Skeoch on 2014-03-31 03:35:19 CEST ---

User vraman's account has been closed

--- Additional comment from Niels de Vos on 2015-05-17 23:57:52 CEST ---

GlusterFS 3.7.0 has been released (http://www.gluster.org/pipermail/gluster-users/2015-May/021901.html), and the Gluster project maintains N-2 supported releases. The last two releases before 3.7 are still maintained, at the moment these are 3.6 and 3.5.

This bug has been filed against the 3.4 release, and will not get fixed in a 3.4 version any more. Please verify if newer versions are affected with the reported problem. If that is the case, update the bug with a note, and update the version if you can. In case updating the version is not possible, leave a comment in this bug report with the version you tested, and set the "Need additional information the selected bugs from" below the comment box to "bugs".

If there is no response by the end of the month, this bug will get automatically closed.

--- Additional comment from Joe Julian on 2015-05-18 19:17:29 CEST ---

This could potentially be handled with the hooks interface, but the port information would need to be passed to the script. This is low-hanging fruit.
REVIEW: http://review.gluster.org/11989 (Glusterd/hook/spec: Enabling static and dynamic ports if firewall installed.) posted (#1) for review on master by Anand Nekkunti (anekkunt)
REVIEW: http://review.gluster.org/11989 (Glusterd/hook/spec: Enabling static and dynamic ports if firewall installed.) posted (#2) for review on master by Anand Nekkunti (anekkunt)
REVIEW: http://review.gluster.org/11989 (Glusterd/hook/spec: Enabling static and dynamic ports if firewall installed.) posted (#3) for review on master by Anand Nekkunti (anekkunt)
REVIEW: http://review.gluster.org/11989 (glusterd/hook/spec: Enabling static and dynamic ports if firewall installed.) posted (#4) for review on master by Anand Nekkunti (anekkunt)
REVIEW: http://review.gluster.org/11989 (glusterd/hook/spec: Enabling static and dynamic ports if firewall installed.) posted (#5) for review on master by Anand Nekkunti (anekkunt)
REVIEW: http://review.gluster.org/11989 (glusterd/hook/spec: Enabling static and dynamic ports if firewall installed.) posted (#6) for review on master by Anand Nekkunti (anekkunt)
We are working on a solution for this. The solution in its current state is as follows:

- We ship a new package glusterfs-firewalld for fedora and centos7. This package contains firewalld configuration (in the form of firewalld services) to open ports required by GlusterFS and a couple of hook scripts which keep the firewalld configuration updated. Two service configurations will be shipped.
  - glusterfs-static - which contains the static glusterfs ports
  - glusterfs-dynamic - which contains the variable brick ports and is kept updated by the hook scripts
- The hook scripts will be run when a brick is started (or stopped). The hook scripts will add (or remove) the brick port into (from) the firewalld configuration, and perform a firewalld reload, to have firewalld reload the updated services. Changes are required in GlusterD to provide the hook scripts with the ports.
- The user needs to only enable the glusterfs firewalld services on the network of their choice to open up the required ports.
- As an additional goal, we could also provide a glusterfs firewalld zone, which enables all the firewalld services required by glusterfs (nfs, swift, ssh etc.). This can make it even simpler for a user to enable all the firewall rules required for running glusterfs.
I've started a discussion with the firewalld developers to validate our approach.

http://thread.gmane.org/gmane.comp.file-systems.gluster.devel/12404
https://lists.fedorahosted.org/pipermail/firewalld-devel/2015-August/000189.html
REVIEW: http://review.gluster.org/11989 (glusterd/hook/spec: Enabling static and dynamic ports if firewall installed.) posted (#8) for review on master by Anand Nekkunti (anekkunt)
REVIEW: http://review.gluster.org/11989 (glusterd/hook/spec: Create static and dynamic services if firewalld installed.) posted (#9) for review on master by Anand Nekkunti (anekkunt)
REVIEW: http://review.gluster.org/11989 (glusterd/hook/spec: Create static and dynamic services if firewalld installed.) posted (#10) for review on master by Anand Nekkunti (anekkunt)
Firewalld doesn't have a way to dynamically change a service at runtime without side-effects. The solution proposed in comment#7 causes firewalld to reload its runtime configuration, which as a side-effect leads to any runtime changes being lost.

So for now, the best approach IMO is to statically open up a range of ports for the bricks. An RFE will be filed with firewalld to get support for runtime modification of a service.
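
Added example (not part of the bug comments or of the GlusterFS patch under review): a sketch of the static-range approach described above, which generates a firewalld service file with a bounded brick range and flags bricks listening outside it. The function names, the brick count parameter, the use of tcp where the thread names no protocol, and the sample `ss` lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not GlusterFS project code. Port numbers are the ones
# listed in the 2014-01-29 comment on this bug; everything else is assumed.
BRICK_BASE=49152   # first brick port per the thread ("49152 & up")

# Emit a firewalld service definition with a bounded static brick range.
# $1 = number of brick ports to open (assumption: chosen by the admin).
gluster_service_xml() {
    last=$((BRICK_BASE + $1 - 1))
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>glusterfs</short>
  <description>GlusterFS management, brick and NFS ports</description>
  <port port="24007" protocol="tcp"/>
  <port port="24008" protocol="tcp"/>
  <port port="${BRICK_BASE}-${last}" protocol="tcp"/>
  <port port="38465-38468" protocol="tcp"/>
  <port port="111" protocol="tcp"/>
  <port port="2049" protocol="tcp"/>
</service>
EOF
}

# Read "ss -H -tlnp" style lines on stdin and print every glusterfsd
# listening port that falls outside the range opened for $1 bricks.
bricks_outside_range() {
    awk -v lo="$BRICK_BASE" -v hi="$((BRICK_BASE + $1 - 1))" '
        /"glusterfsd"/ {
            n = split($4, a, ":"); port = a[n] + 0   # handles [::]:port too
            if (port < lo || port > hi) print port
        }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:24007 0.0.0.0:* users:(("glusterd",pid=1500,fd=9))
LISTEN 0 128 0.0.0.0:49152 0.0.0.0:* users:(("glusterfsd",pid=2101,fd=11))
LISTEN 0 128 [::]:49153 [::]:* users:(("glusterfsd",pid=2140,fd=11))
LISTEN 0 128 0.0.0.0:49160 0.0.0.0:* users:(("glusterfsd",pid=2200,fd=11))'

# With only 4 brick ports opened, the brick on 49160 is reported as blocked.
printf '%s\n' "$SAMPLE_SS" | bricks_outside_range 4
```

A narrow range keeps the exposed surface small, but a brick that lands above it is silently unreachable, so the audit function is worth running after adding bricks.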
REVIEW: http://review.gluster.org/11989 (glusterd/hook/spec: Create glusterfs firewall service if firewalld installed.) posted (#11) for review on master by Anand Nekkunti (anekkunt)
REVIEW: http://review.gluster.org/11989 (glusterd: Create glusterfs firewall service if firewalld installed.) posted (#12) for review on master by Anand Nekkunti (anekkunt)
REVIEW: http://review.gluster.org/11989 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#13) for review on master by Anand Nekkunti (anekkunt)
REVIEW: http://review.gluster.org/11989 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#14) for review on master by Anand Nekkunti (anekkunt)
Created attachment 1071307 [details] firewalld_doc
REVIEW: http://review.gluster.org/11989 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#15) for review on master by Anand Nekkunti (anekkunt)
REVIEW: http://review.gluster.org/11989 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#16) for review on master by Anand Nekkunti (anekkunt)
REVIEW: http://review.gluster.org/11989 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#18) for review on master by Anand Nekkunti (anekkunt)
REVIEW: http://review.gluster.org/11989 (firewall/spec: Create glusterfs firewall service if firewalld installed.) posted (#19) for review on master by Anand Nekkunti (anekkunt)
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.8.0, please open a new bug report.

glusterfs-3.8.0 has been announced on the Gluster mailinglists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailinglist [2] and the update infrastructure for your distribution.

[1] http://blog.gluster.org/2016/06/glusterfs-3-8-released/
[2] http://thread.gmane.org/gmane.comp.file-systems.gluster.user