[Freeipa-devel] Ticket #1107 - firewall troubles

Dmitri Pal dpal at redhat.com
Thu May 19 22:32:13 UTC 2011


On 05/19/2011 04:41 PM, Simo Sorce wrote:
> On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote:
>> Hello,
>>
>> I am working on ticket #1107 and I am looking for some ideas how to deal
>> with it.
>>
>> The problem is that when we are installing a replica and have firewall
>> on, the installation may fail or (even worse) hang. The question is
>> how to deal with this situation since we cannot test if the ports are
>> not blocked locally. It must be done from the remote master.
>>
>> I discussed this with Rob and I see two solutions here:
>>
>> 1) Don't complicate this and limit our user handholding (my favorite) -
>> just tell him what ports he should open before proceeding with the
>> installation. If he doesn't, the installation will fail later. The
>> problem is when the installation hangs - it's hard to detect. This is the
>> easy way.
>>
>> 2) Implement and register a mod_wsgi application on a master server and
>> let it test remotely if the ports on the replica are open. We would have
>> to open and listen on them in ipa-replica-install as we cannot tell if a port
>> is not-yet-opened or firewalled just from the network error code. If the
>> application would report a firewalled port, we would throw an error in
>> the ipa-replica-install.
>>
>> However, as Rob pointed out, it would open a possible security hole as
>> we would basically behave as port scanner.
> It may also create SELinux issues as I think apache is not allowed to
> contact random ports normally.
>
>> Any opinions, suggestions, ideas on this?
> I think a much better solution is to create a simple program pair, one
> for the master and one for the wannabe replica.
>
> The one on the replica opens all relevant ports.
> The one to be run on the master tries to connect to all these ports.
> Each side will report port,service name,success/failure
>
> Bonus points if we create the replica program so that it can use admin
> credentials to ssh into the master and run the master side automatically
> properly merging the output of that side.
>
> Simo.
>
I think Simo has a point but it is too much for now.
IMO it is OK to fail and report a meaningful error message on either
side. Installation hanging is what we should address here in the scope
of 2.1.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
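A minimal version of the program pair Simo sketches above, as an added example that is not code from this thread or from FreeIPA: the replica side binds and listens on the relevant ports first, the master side then connects to each one with a hard timeout (so the check itself cannot hang, which is the failure mode Dmitri wants addressed), and both sides emit the same `port,service name,success/failure` lines. The port-to-service map, the function names and the command-line usage are assumptions made for the example; FreeIPA's actual list of replica ports is not taken from the page.

```python
import socket
import sys
import time

# Constructed port-to-service map for the example; this is an assumption,
# not FreeIPA's authoritative list of ports a replica must expose.
REPLICA_PORTS = {
    80: "http",
    88: "kerberos",
    389: "ldap",
    443: "https",
    464: "kpasswd",
    636: "ldaps",
}


def open_listeners(ports, bind_addr="0.0.0.0"):
    """Replica side: bind and listen on every port before the master probes.

    Because the replica has already opened the ports, a failed connect from
    the master points at something between the hosts (a firewall), not at a
    service that simply has not been started yet.
    """
    listeners = []
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((bind_addr, port))
        sock.listen(5)
        listeners.append(sock)
    return listeners


def close_listeners(listeners):
    """Release the sockets opened by open_listeners()."""
    for sock in listeners:
        sock.close()


def probe_port(host, port, timeout=3.0):
    """Master side: one TCP connect with a timeout so the check never hangs.

    Returns (ok, reason). The reason distinguishes a timeout (packets silently
    dropped, the usual sign of a firewall DROP rule) from an active refusal.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout (packets dropped, typical of a firewall DROP rule)"
    except ConnectionRefusedError:
        return False, "refused (nothing listening, or a REJECT rule)"
    except OSError as exc:
        return False, "error: %s" % (exc.strerror or exc)


def check_ports(host, port_names, timeout=3.0):
    """Probe every port in port_names ({port: service}); one record per port."""
    results = []
    for port, service in sorted(port_names.items()):
        ok, reason = probe_port(host, port, timeout)
        results.append({"port": port, "service": service, "ok": ok, "reason": reason})
    return results


def format_report(results):
    """The 'port,service name,success/failure' lines both sides report."""
    return [
        "%d,%s,%s" % (r["port"], r["service"], "success" if r["ok"] else "failure")
        for r in results
    ]


def all_open(results):
    """True only if every probed port accepted a connection."""
    return all(r["ok"] for r in results)


if __name__ == "__main__":
    # Assumed usage:  script.py listen              (on the replica; Ctrl-C to stop)
    #                 script.py probe <replica-host> (on the master)
    if len(sys.argv) == 2 and sys.argv[1] == "listen":
        socks = open_listeners(REPLICA_PORTS)
        print("listening on: %s" % ", ".join(str(p) for p in sorted(REPLICA_PORTS)))
        try:
            while True:
                time.sleep(60)
        except KeyboardInterrupt:
            close_listeners(socks)
    elif len(sys.argv) == 3 and sys.argv[1] == "probe":
        report = check_ports(sys.argv[2], REPLICA_PORTS)
        print("\n".join(format_report(report)))
        sys.exit(0 if all_open(report) else 1)
    else:
        print("usage: %s listen | probe <replica-host>" % sys.argv[0])
```

Binding the listeners on the replica needs root for ports below 1024, which ipa-replica-install already has. The master-side exit status makes the result easy to consume from the installer: a non-zero exit means at least one port was blocked, and the per-port reason tells the administrator whether the packets were dropped or refused.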

