[Freeipa-devel] Ipa-server-install Firewall Support
Petr Spacek
pspacek at redhat.com
Fri Apr 4 07:59:33 UTC 2014
On 4.4.2014 09:17, Martin Kosek wrote:
> On 04/04/2014 09:04 AM, Justin Brown wrote:
>>> I would actually do it the opposite way and open the ports after the FreeIPA server is fully configured. After all, I do not think we want to open the ports when the server is just half-configured and for example some ACIs are missing.
>>
>> My thinking was that nothing would be listening on these ports if the
>> install doesn't succeed, but there's really necessity to modify the
>> firewall configuration early. (All of the internal install
>> communication will be over a local interface (to netfilter) and
>> unblock anyways. I don't have any problem in delaying firewall
>> configuration to the end of install.
>
> If ipa-server-install does succeed without configuring the firewalld, then we
> will indeed have no other option than to do it early.
>
> I am thinking that we may want to put all the firewalld configuration in
> ipaserver/install/firewalldinstance.py,
> and then make the firewalld configuration the actual step of the installation.
> Something like:
>
> ...
> Configuring Firewall (firewalld)
> [1/2]: looking up the right zone
> [2/2]: allowing ports
> Done configuring Firewall (firewalld).
> ...
>
> The Service class derived object can be really simple, we would just reuse the
> functionality it already has + let us properly hook into it in
> ipa-{server,replica}-install and the uninstallation.
>
> It would also make it easier to split this functionality to
> freeipa-server-firewalld if we chose to in a future.
In general I agree with the idea, thank you Justin for working on that!
I would like to emphasis the necessity to work without NetworkManager and
FirewallD. New dependencies make Debian folks unhappy ...
On the other hand, it is perfectly fine to skip firewall configuration if
NM/FirewallD/DBus is not available.
Have a nice day!
--
Petr^2 Spacek
More information about the Freeipa-devel
mailing list