
[Ovirt-devel] [PATCH recipe] Enable firewall on appliance so nat forwarding works



Firewall was disabled preventing guests from accessing
outside networks.  Enabling the firewall fixes this since the
NAT rule is already defined, but then we need to customize the
firewall to open up the services we want to expose.

Also, since NFS uses portmap, we pin the NFS services to
well-known ports.

Signed-off-by: Perry Myers <pmyers redhat com>
---
 appliances/ovirt/ovirt.pp.in |   72 +++++++++++++++++++++++++++++++++++-------
 1 files changed, 60 insertions(+), 12 deletions(-)

diff --git a/appliances/ovirt/ovirt.pp.in b/appliances/ovirt/ovirt.pp.in
index ae22319..1ee8b48 100644
--- a/appliances/ovirt/ovirt.pp.in
+++ b/appliances/ovirt/ovirt.pp.in
@@ -43,18 +43,38 @@ appliance_base::setup{$appliance_name: hostname => "management.priv.ovirt.org"}
 banners::terminal{$appliance_name: template_file => "ovirt/terminal.erb"}
 banners::login{$appliance_name:}
 postgres::setup{$appliance_name:}
-firewall::setup{$appliance_name: status => "disabled"}
+firewall::setup{$appliance_name: status => "enabled"}
 
-$changes = [
+$net_changes = [
     "set /files/etc/sysconfig/network-scripts/ifcfg-eth0/PEERDNS no",
     "set /files/etc/sysconfig/network-scripts/ifcfg-eth1/DNS1 192.168.50.2"
 ]
 
 augeas {"network_scripts":
-    changes => $changes,
+    changes => $net_changes,
     notify => Service["network"]
 }
 
+$nfs_changes = [
+    "set /files/etc/sysconfig/nfs/MOUNTD_PORT 892"
+]
+
+augeas {"nfs_config":
+    changes => $nfs_changes,
+    notify => Service["nfs"]
+}
+
+$nfslock_changes = [
+    "set /files/etc/sysconfig/nfs/LOCKD_TCPPORT 32803",
+    "set /files/etc/sysconfig/nfs/LOCKD_UDPPORT 32769",
+    "set /files/etc/sysconfig/nfs/STATD_PORT 662"
+]
+
+augeas {"nfslock_config":
+    changes => $nfslock_changes,
+    notify => Service["nfslock"]
+}
+
 file {"/etc/yum.repos.d/ovirt.repo":
     source => "puppet:///ovirt/ovirt.repo"
 }
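Review bot: The MOUNTD_PORT and STATD_PORT values 892 and 662 are spelled out here inside augeas strings and again as destination_port values in the later firewall_rule hunk, so the pin and the opening can drift apart when one of them is edited. Declaring each port once, e.g. `$mountd_port = "892"` and `"set /files/etc/sysconfig/nfs/MOUNTD_PORT ${mountd_port}"`, and using the same variable in the matching firewall_rule keeps them in sync. A short comment above `$nfs_changes`, such as `# Pin the NFS helper daemons to fixed ports so the firewall can open them`, would also record why these sysconfig keys are set at all.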
@@ -78,12 +98,29 @@ firewall_rule {"ovirt_nat":
     action => "MASQUERADE"
 }
 
-firewall_rule {"ssh":
-    table => "filter",
-    chain => "INPUT",
-    destination_port => '22',
-    action => "ACCEPT"
-}
+firewall_rule {"ssh": destination_port => '22'}
+firewall_rule {"http": destination_port => '80'}
+firewall_rule {"https": destination_port => '443'}
+firewall_rule {"ldap": destination_port => '389'}
+firewall_rule {"named": destination_port => '53'}
+firewall_rule {"named-udp": destination_port => '53', protocol => 'udp'}
+firewall_rule {"tgtd": destination_port => '3260'}
+firewall_rule {"nfsd": destination_port => '2049'}
+firewall_rule {"rpcbind": destination_port => '111'}
+firewall_rule {"rpcbind-udp": destination_port => '111', protocol => 'udp'}
+firewall_rule {"host-browser": destination_port => '12120'}
+firewall_rule {"rpc.mountd": destination_port => '892'}
+firewall_rule {"rpc.mountd-udp": destination_port => '892', protocol => 'udp'}
+firewall_rule {"rpc.statd": destination_port => '662'}
+firewall_rule {"rpc.statd-udp": destination_port => '662', protocol => 'udp'}
+firewall_rule {"ntpd": destination_port => '123', protocol => 'udp'}
+firewall_rule {"tftpd": destination_port => '69', protocol => 'udp'}
+firewall_rule {"dhcpd": destination_port => '68', protocol => 'udp'}
+firewall_rule {"bootp": destination_port => '67', protocol => 'udp'}
+firewall_rule {"collectd": destination_port => '25826', protocol => 'udp'}
+firewall_rule {"krb5kdc": destination_port => '88', protocol => 'udp'}
+firewall_rule {"cobblerd": destination_port => "25150"}
+firewall_rule {"cobblerd-mgmt": destination_port => "25151"}
 
 file_replacement{"nat_forwarding" :
     file => "/etc/sysctl.conf",
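Review bot: LOCKD_TCPPORT 32803 and LOCKD_UDPPORT 32769 are pinned in the first hunk but no firewall_rule here opens them, so NLM lock traffic from NFS clients will still be dropped once the firewall is enabled; add `firewall_rule {"lockd": destination_port => '32803'}` and `firewall_rule {"lockd-udp": destination_port => '32769', protocol => 'udp'}` beside the rpc.statd rules. The "dhcpd" rule opens udp/68, which is the client side of DHCP; a server only needs udp/67 (the "bootp" rule), so the 68 rule looks superfluous unless something on the appliance actually listens there. The rewritten rules also drop the explicit table/chain and open every port on all interfaces, so ldap, rpcbind, tftpd and cobblerd become reachable from the external network as well; if the firewall_rule define accepts an interface or source restriction, confining these to the guest-facing interface would be worth doing, but the define itself is not visible from this patch. The file_replacement resource on the last line of the hunk continues outside it.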
@@ -103,6 +140,18 @@ service {"ovirt-server-appliance":
     require => [File["/etc/init.d/ovirt-server-appliance"], Service["network"], Service["httpd"]]
 }
 
+service {"nfs":
+    ensure => "running",
+    enable => true,
+    require => [Service["network"], Service[nfslock]]
+}
+
+service {"nfslock":
+    ensure => "running",
+    enable => true,
+    require => [Service["network"]]
+}
+
 file {"/usr/sbin/ovirt-server-appliance-setup":
     content => template("ovirt-server-appliance-setup.erb"),
     mode => 755
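Review bot: `Service[nfslock]` in the require list of the new nfs service is a bare-word reference while every other resource reference in the file is quoted; `require => [Service["network"], Service["nfslock"]]` keeps the style consistent. The nfs and nfslock services are started here but nothing in the patch requires the package that provides them, so that dependency is presumably declared elsewhere in the recipe — worth confirming. The file resource that ends the hunk continues outside it.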
@@ -110,7 +159,8 @@ file {"/usr/sbin/ovirt-server-appliance-setup":
 
 single_exec {"ovirt_appliance_installation":
     command => "/usr/sbin/ovirt-server-appliance-setup >> /var/log/ovirt-server-appliance-setup.log",
-    require => [File["/usr/sbin/ovirt-server-appliance-setup"], Service["ovirt-server-appliance"], Firewall_rule ["ovirt_nat"], Firewall_rule["ssh"], Exec["reload-firewall"]]
+    require => [File["/usr/sbin/ovirt-server-appliance-setup"], Service["ovirt-server-appliance"],
+                Exec["reload-firewall"]]
 }
 
 single_exec {"ovirt_installation":
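Review bot: The require list of ovirt_appliance_installation drops Firewall_rule["ovirt_nat"] and Firewall_rule["ssh"] and keeps only Exec["reload-firewall"] as its firewall ordering point; that is equivalent only if reload-firewall is itself ordered after every firewall_rule (for example via a subscribe inside the define), which this patch does not show, and if it is not, the setup script can run before the NAT rule is loaded. A one-line comment stating the assumption, e.g. `# Exec["reload-firewall"] is ordered after all firewall_rule resources`, would make the intent explicit for the next editor. The single_exec for ovirt_installation that opens on the last line of the hunk continues outside it.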
@@ -121,8 +171,6 @@ single_exec {"ovirt_installation":
 #
 # Cobbler Configuration
 #
-firewall_rule{"25150": destination_port => "25150"}
-firewall_rule{"25151": destination_port => "25151"}
 
 # Set the password to be ovirt/ovirt
 file_append{"ovirt_cobbler_user":
-- 
1.5.5.1

