[PATCH] spec: Open 8000 and 8001 port by default in spec.in post section. kimchi server use 8000 and 8001 port. Open 8000 and 8001 port by default in spec.in post section.


ta...@linux.vnet.ibm.com

Dec 17, 2013, 1:36:34 AM
to project...@googlegroups.com, Eli Qiao
From: Eli Qiao <ta...@linux.vnet.ibm.com>

Signed-off-by: Eli Qiao <ta...@linux.vnet.ibm.com>
---
contrib/kimchi.spec.fedora.in | 5 +++++
contrib/kimchi.spec.suse.in | 5 +++++
2 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
index 14ec359..f21ae49 100644
--- a/contrib/kimchi.spec.fedora.in
+++ b/contrib/kimchi.spec.fedora.in
@@ -81,6 +81,11 @@ if [ $1 -eq 1 ] ; then
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
fi

+# open 8000 and 8001 port for firewall
+
+iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
+iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
+
%if 0%{?rhel} == 6
start kimchid
%else
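
Review bot: The two `iptables -I INPUT` lines sit after the `fi` that closes `if [ $1 -eq 1 ]`, so they run on every execution of this scriptlet, upgrades included, and each run inserts another copy of both ACCEPT rules at the top of INPUT. Move them inside the first-install block, or guard each one with `iptables -C INPUT -p tcp --dport 8000 -j ACCEPT` so the rule is added only when it is absent. The rules also match any source address and nothing here saves them, so shipping a firewall configuration file with the package would be a better fit than running commands in the scriptlet.
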
diff --git a/contrib/kimchi.spec.suse.in b/contrib/kimchi.spec.suse.in
index 9051284..5209e03 100644
--- a/contrib/kimchi.spec.suse.in
+++ b/contrib/kimchi.spec.suse.in
@@ -47,6 +47,11 @@ install -Dm 0755 contrib/kimchid.sysvinit %{buildroot}%{_initrddir}/kimchid
service kimchid start
chkconfig kimchid on

+# open 8000 and 8001 port for firewall
+
+iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
+iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
+
%preun
service kimchid stop
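
Review bot: The visible part of `%preun` directly below the added lines only runs `service kimchid stop`, so nothing removes the two ACCEPT rules when the package is uninstalled and ports 8000 and 8001 stay open in the running firewall with no kimchid behind them. Add the matching `iptables -D INPUT -p tcp --dport 8000 -j ACCEPT` and its 8001 counterpart there. The rules are also inserted unconditionally after `service kimchid start`, so a check before the insert would avoid duplicates when the scriptlet runs again.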

--
1.7.1

Eli Qiao

Dec 18, 2013, 3:46:42 AM
to Kimchi Project, Mark Wu, Royce Lv, Sheldon
hi Mark, Sheldon, Royce

please help to review my patch.

thanks Eli.


-------- Original Message --------
Subject: [PATCH] spec: Open 8000 and 8001 port by default in spec.in post section. kimchi server use 8000 and 8001 port. Open 8000 and 8001 port by default in spec.in post section.
Date: Tue, 17 Dec 2013 14:36:34 +0800
From: ta...@linux.vnet.ibm.com
To: project...@googlegroups.com
CC: Eli Qiao <ta...@linux.vnet.ibm.com>

Royce Lv

Dec 18, 2013, 4:04:46 AM
to ta...@linux.vnet.ibm.com, project...@googlegroups.com
Hi Eli,

Pls add Debian iptables rules as well.

Sheldon

Dec 18, 2013, 4:17:21 AM
to ta...@linux.vnet.ibm.com, project...@googlegroups.com, Mark Wu, Royce Lv, Shu Ming
subject is too long. it should be like this.

subject: 
spec: Open 8000 and 8001 port by default in spec.in post section.

commit message:
kimchi server use 8000 and 8001 port. Open 8000 and 8001 port by default in spec.in post section.

       
in src/kimchi.conf.in
[server]
# Hostname or IP address to listen on
#host = 0.0.0.0

# Port to listen on
#port = 8000

# If present, start an SSL-enabled server on the given port
#ssl_port = 8001


We can change the port.
For example, the port is 9000 and the ssl_port is 9001.

We have already filed a wiki page about this:
https://github.com/kimchi-project/kimchi/wiki/Firewall-configure
It is possible that the Kimchi is started at different ports other than the default ports 8000, 8001, that requires the firewall configuration scripts to know the Kimchi's port configuration.


Sheldon Feng(冯少合)
IBM Linux Technology Center

Mark Wu

Dec 18, 2013, 6:00:55 AM
to ta...@linux.vnet.ibm.com, project...@googlegroups.com, ShaoHe Feng, Royce Lv
On 12/17/2013 02:36 PM, ta...@linux.vnet.ibm.com wrote:
Eli,
Thanks for the patch. But it's not a reliable configuration. This rule will be lost after reboot.
And shipping a configuration file is better than running commands in spec file.

Please take a look at firewalld and firewalld.service http://manpages.ubuntu.com/manpages/raring/man5/firewalld.service.5.html

It could be a better solution for the platforms where firewalld is available.
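
Sheldon's point that the ports are configurable and Mark Wu's suggestion of a firewalld service file can be combined. The script below is an added example, not code from the Kimchi project or from anyone in this thread: it reads `port` and `ssl_port` from the `[server]` section of kimchi.conf and prints a firewalld service definition for them; the function names and the service name `kimchid` are assumptions.

```shell
#!/bin/sh
# Added example, not Kimchi project code. Function names and the service
# name "kimchid" are assumptions made for illustration.

# kimchi_port FILE KEY DEFAULT
# Print KEY from the [server] section of FILE, or DEFAULT when the key is
# missing, commented out, or not a valid TCP port number.
kimchi_port() {
    value=$(awk -F= -v key="$2" '
        /^[ \t]*\[/ { in_server = ($0 ~ /^[ \t]*\[server\]/); next }
        in_server && $1 ~ ("^[ \t]*" key "[ \t]*$") {
            gsub(/[ \t\r]/, "", $2); print $2; exit
        }' "$1" 2>/dev/null) || value=
    case "$value" in
        ''|*[!0-9]*|??????*) echo "$3"; return ;;
    esac
    if [ "$value" -ge 1 ] && [ "$value" -le 65535 ]; then
        echo "$value"
    else
        echo "$3"
    fi
}

# firewalld_service CONF
# Print a firewalld service definition for the ports configured in CONF.
firewalld_service() {
    port=$(kimchi_port "$1" port 8000)
    ssl_port=$(kimchi_port "$1" ssl_port 8001)
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>kimchid</short>
  <description>Kimchi server, plain and SSL ports</description>
  <port protocol="tcp" port="$port"/>
  <port protocol="tcp" port="$ssl_port"/>
</service>
EOF
}

# Constructed sample: a kimchi.conf that moves both ports, as in the thread.
sample=$(mktemp)
printf '[server]\n#host = 0.0.0.0\nport = 9000\nssl_port = 9001\n' > "$sample"
firewalld_service "$sample"
rm -f "$sample"
```

Packaged firewalld service definitions live under /usr/lib/firewalld/services/; hosts without firewalld still need a persisted iptables rule for the same two ports.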

Shu Ming

Dec 18, 2013, 9:53:28 PM
to ta...@linux.vnet.ibm.com, Mark Wu, project...@googlegroups.com, kimchi...@ovirt.org, ShaoHe Feng, Royce Lv
CCed to kimchi-devel and see the comment line below
Also, we should be careful about the iptables rules' position in the file to avoid them being masked by other rules. And we may need to remove the rules in rpm remove operations.


--
project-kimchi mailing list <project...@googlegroups.com>
https://groups.google.com/forum/#!forum/project-kimchi
---
You received this message because you are subscribed to the Google Groups "project-kimchi" group.
To unsubscribe from this group and stop receiving emails from it, send an email to project-kimch...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Royce Lv

Dec 18, 2013, 10:10:04 PM
to Mark Wu, ta...@linux.vnet.ibm.com, project...@googlegroups.com, ShaoHe Feng
Good point, took a look at vdsm, it manipulates '/etc/sysconfig/iptables' during installation. We may also try this way.

Eli Qiao

Dec 19, 2013, 2:34:05 AM
to Mark Wu, project...@googlegroups.com, ShaoHe Feng, Royce Lv

On 2013-12-18 19:00, Mark Wu wrote:
Eli,
Thanks for the patch. But it's not a reliable configuration. This rule will be lost after reboot.
And shipping a configuration file is better than running commands in spec file.

Please take a look at firewalld and firewalld.service http://manpages.ubuntu.com/manpages/raring/man5/firewalld.service.5.html

It could be a better solution for the platforms where firewalld is available.
Hi Mark, thanks for your comments,
I did some investigation, this is a good solution, Fedora and Ubuntu have firewalld support, but RHEL does not.
As far as I know Kimchi should support RHEL also, if we choose this solution, how about RHEL?

-- 
Thanks Eli (Li Yong) Qiao (qia...@cn.ibm.com)
CSTL-KVM Frobisher/RHEV-H

Eli Qiao

Dec 19, 2013, 2:40:32 AM
to Mark Wu, project...@googlegroups.com, ShaoHe Feng, Royce Lv

On 2013-12-19 15:34, Eli Qiao wrote:

On 2013-12-18 19:00, Mark Wu wrote:
Eli,
Thanks for the patch. But it's not a reliable configuration. This rule will be lost after reboot.
And shipping a configuration file is better than running commands in spec file.

Please take a look at firewalld and firewalld.service http://manpages.ubuntu.com/manpages/raring/man5/firewalld.service.5.html

It could be a better solution for the platforms where firewalld is available.
Hi Mark, thanks for your comments,
I did some investigation, this is a good solution, Fedora and Ubuntu have firewalld support, but RHEL does not.
As far as I know Kimchi should support RHEL also, if we choose this solution, how about RHEL?

Just got an update, RHEL7 will support firewalld.
We should decide how to go on.
Thanks, Eli
-- 
Thanks Eli (Li Yong) Qiao (qia...@cn.ibm.com)
CSTL-KVM Frobisher/RHEV-H