Re: defining firewalld services


 



On 07/07/2014 02:55 PM, Stephen Gallagher wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/04/2014 07:36 AM, Thomas Woerner wrote:
On 07/03/2014 09:32 PM, Stef Walter wrote:
On 03.07.2014 15:39, Rex Dieter wrote:
I'm looking into providing a predefined firewalld service
definition for kde-connect, per
https://bugzilla.redhat.com/show_bug.cgi?id=1115547

Looks like it's as easy as dropping an xml snippet into
/usr/lib/firewalld/services/

I'm also noticing currently that the only package besides
firewalld itself doing this is cockpit, which includes a %post
scriptlet:

# firewalld only partially picks up changes to its services files
# without this
test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true


Is this the recommended approach?  If so, I'll follow this
lead, and maybe start work on drafting some packaging
guidelines.

Thomas Woerner would be the one to work out those guidelines.

Yes.

But to explain ... apparently there are two firewalld
"environments". When you install a service file it only affects
the installed environment (used after a reboot) and not the
current "runtime environment".

This means that a user can't immediately use your service
definition in a command like:

$ firewall-cmd --add-service=cockpit

The command:

$ firewall-cmd --reload

... makes newly installed service files available in the runtime
environment. I guess this is sorta analogous to 'systemctl
daemon-reload'.

Newly added services and zones are available in the permanent
environment of firewalld, where they can be used with the UI and
command line tools.

To have a newly added service or zone in the runtime environment it
is needed to reload firewalld: firewall-cmd --reload or systemctl
reload firewalld.service.



Thomas, the real question here is this: If a package wants to install
(and maintain) its own set of firewalld service definitions, is the
approach Stef took the best one? If so, we should submit a Packaging
Guidelines edit to the FPC and get this codified where others can find it.

Yes, this is the best approach right now.

I can write some documentation for this. What is the proper way to get it in the Packaging guidelines?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlO6mLwACgkQeiVVYja6o6MnWgCfT9Nle/gfxrmsBu13mIS03f4J
n+sAn2oMz8nlbBukQ1Y+/R9VkrKV9JO7
=9yrD
-----END PGP SIGNATURE-----

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
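
The permanent/runtime split discussed in this thread can be checked from a shell. The following is an added example, not code from the thread or from firewalld: it lists services that the permanent environment knows about but the runtime environment does not, which is the state a package leaves behind when it installs a service file without the `firewall-cmd --reload` step. The function names and the sample service lists in the test are constructed; the behaviour of the permanent environment is assumed to be as described in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): detect firewalld services that are
# defined in the permanent environment but not yet loaded at runtime.

# pending_reload PERMANENT RUNTIME
# Both arguments are whitespace-separated service names, the format printed by
# `firewall-cmd --permanent --get-services` and `firewall-cmd --get-services`.
# Prints one line per service present in PERMANENT but absent from RUNTIME.
pending_reload() {
    # Flatten newlines and tabs so the whole-word match below is reliable.
    have=" $(printf '%s' "$2" | tr '\n\t' '  ') "
    for svc in $1; do
        case "$have" in
            *" $svc "*) ;;                 # already usable with --add-service
            *) printf '%s\n' "$svc" ;;     # needs `firewall-cmd --reload`
        esac
    done
}

# check_live: query the local firewalld.
# Returns 0 if nothing is pending, 1 if a reload is pending, 2 on query error.
check_live() {
    permanent=$(firewall-cmd --permanent --get-services) || return 2
    runtime=$(firewall-cmd --get-services) || return 2
    missing=$(pending_reload "$permanent" "$runtime")
    if [ -z "$missing" ]; then
        return 0
    fi
    printf 'not in runtime environment until reload:\n%s\n' "$missing"
    return 1
}

# Query the live daemon only when asked: sh script.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run with `--live` after installing a package that ships a service file; a non-empty result means `firewall-cmd --add-service=<name>` will not work for those names until firewalld is reloaded.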
