Re: GlusterFS firewalld control


 





On 08/20/2015 09:55 AM, Anand Nekkunti wrote:


On 08/17/2015 03:22 PM, Christopher Blum wrote:
Hey Gluster Developers,

I'm fairly new to GlusterFS, but noticed that it is missing the possibility to control firewalld, which is also addressed in [1].
Since I wanted to propose a solution for this problem, I briefly talked to Niels de Vos and we identified 2 possible ways to fix this:

1) Use the dbus connection to control firewalld when we do bind() as a server - it looks like there is only one place where we do that [2]
     --> Pretty much a catch all solution, but will require to link against dbus and a precompiler check for OSs with firewalld

2) Use the glusterfs hooks to call a script, when we create volumes to open up the (dynamic) ports of the involved bricks
     --> Easier to implement, but where do we get the port information from? Additionally involves the creation of a static config for the glusterd process.

I prefer the second option (by hooks) because it is easy to implement and the configuration is permanent. I have written a script, glusterfs_firewall.sh (find the attached file); using this we can create a Glusterfs service and add/delete ports to the service (it also adds the Glusterfs firewall service to the default zone).

    1. Default ports: this script needs to be called during post-installation so that it creates the Glusterfs firewall service with default ports and enables the Glusterfs service in the default zone.
         # glusterfs_firewall.sh -r

    2. Ports for bricks: this script needs to be called by hooks, passing the port number after glusterd allocates the brick port.
        # glusterfs_firewall.sh -p port_num  (ex: glusterfs_firewall.sh -p 41700)

    3. Port deallocation: ports can be removed from the Glusterfs service (during brick stop).
        # glusterfs_firewall.sh -d port_num  (ex: glusterfs_firewall.sh -d 41700)

I have posted a patch for this; please have a look at [1].
  [1]. http://review.gluster.org/#/c/11989/1
  
  

Looking at [3], we need to open up additional (dynamic) ports for NFS? Is that info correct?

Since I'm fairly new, I would welcome a discussion, which approach is best in your opinion. Please also tell me if any assumptions from above are incorrect...

Best Regards,


_______________________________________________
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
http://www.gluster.org/mailman/listinfo/gluster-devel
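
The hook approach described in the thread, as an added sketch that is not the attached glusterfs_firewall.sh or the patch under review: a helper with the same -r / -p / -d interface that validates the port before it reaches firewalld. The service name `glusterfs`, the default port range, the 1024 lower bound and the `DRY_RUN` switch are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not the script attached to the thread.
# Assumptions: service name, default ports, DRY_RUN switch, port lower bound.
SERVICE="${SERVICE:-glusterfs}"
DEFAULT_PORTS="${DEFAULT_PORTS:-24007-24008}"   # assumed glusterd management ports
DRY_RUN="${DRY_RUN:-0}"                         # 1 = print commands, change nothing

# Run (or, in dry-run mode, only print) one firewall-cmd invocation.
fw() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Accept only a plain decimal port in 1024..65535 (no leading zero), so a
# hook can never pass a range, a protocol suffix or shell metacharacters.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

gluster_fw() {
    case "$1" in
        -r) # create the service, add default ports, enable it in the default zone
            fw --permanent --new-service="$SERVICE" &&
            fw --permanent --service="$SERVICE" --add-port="$DEFAULT_PORTS/tcp" &&
            fw --permanent --add-service="$SERVICE" ;;
        -p) valid_port "$2" || { echo "invalid port: $2" >&2; return 2; }
            fw --permanent --service="$SERVICE" --add-port="$2/tcp" ;;
        -d) valid_port "$2" || { echo "invalid port: $2" >&2; return 2; }
            fw --permanent --service="$SERVICE" --remove-port="$2/tcp" ;;
        *)  echo "usage: gluster_fw -r | -p PORT | -d PORT" >&2; return 64 ;;
    esac && fw --reload   # apply the permanent configuration to the runtime
}

# When run as a script with arguments, behave like the CLI described above.
if [ "$#" -gt 0 ]; then
    gluster_fw "$@"
fi
```

Running it with `DRY_RUN=1` prints the firewall-cmd calls a hook would issue, which makes it easy to review what a brick start or stop would open or close before enabling it.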


