firewall questions

It would be really convenient to have human-readable firewalld service
definitions for Ceph, so that users could do things like:

  firewall-cmd --add-service=ceph-mon

or

  firewall-cmd --add-service=ceph

... instead of having to know specific port numbers to open.

In order to submit service definitions to firewalld upstream, I had a
couple of questions:

1. In April there was a mailing list thread about the IANA #821110
ticket Sage filed for ceph-mon. Did anything come of that? I filed
http://tracker.ceph.com/issues/11689 to track this in Redmine.

2. I talked recently with Sam about the possible ports an OSD could use,
and our conversation made me think that our firewall docs for OSDs and
MDSs might need to be updated: http://tracker.ceph.com/issues/11688

Currently the docs say "calculate the number of OSDs or MDSs you're
running and that will tell you what ports to open". That makes it hard
to write a service definition for firewalld, since those are just a list
of static ports.

3. Lastly, on a scale of "yeah, sounds do-able" to "everything will come
to a grinding halt", how hard would it be to run with firewalls enabled
in our sepia and typica labs that are running Teuthology? :) Do our
Teuthology tests use TCP ports outside of 80, 6789, and 6800-7300?

- Ken
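
The service definitions the message asks for could be generated as follows; this is an added example, not part of the original post or of the firewalld or Ceph projects. It uses only the ports named in the message (6789 and 6800-7300); the function names, service short names and descriptions are assumptions.

```shell
#!/bin/sh
# Added example: writes firewalld service definitions for the ports named in
# the message (6789/tcp for ceph-mon, 6800-7300/tcp for OSD and MDS daemons).
# Function names and description strings are illustrative assumptions.

# write_service DIR NAME PORT DESCRIPTION
write_service() {
    dir=$1; name=$2; port=$3; desc=$4
    # Accept only "N" or "N-M" so a malformed argument never reaches the XML.
    case $port in
        ''|*[!0-9-]*|-*|*-|*-*-*)
            echo "bad port spec: $port" >&2
            return 1 ;;
    esac
    cat > "$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$desc</description>
  <port protocol="tcp" port="$port"/>
</service>
EOF
}

# write_ceph_services [DIR]
# DIR defaults to firewalld's directory for locally defined services.
write_ceph_services() {
    dir=${1:-/etc/firewalld/services}
    write_service "$dir" ceph-mon 6789 "Ceph monitor daemon" &&
    write_service "$dir" ceph 6800-7300 "Ceph OSD and MDS daemons"
}

# After writing into /etc/firewalld/services, load and enable the services:
#   firewall-cmd --reload
#   firewall-cmd --permanent --add-service=ceph-mon
#   firewall-cmd --permanent --add-service=ceph
```

Opening the whole 6800-7300 range as a static service allows more ports than a host with few daemons needs, which is the trade-off against the per-daemon calculation the docs describe.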