Perry Myers
2008-Sep-24 07:29 UTC
[Ovirt-devel] [PATCH recipe] Enable firewall on appliance so nat forwarding works
Firewall was disabled preventing guests from accessing outside networks. Enabling the firewall fixes this since the NAT rule is already defined, but then we need to customize the firewall to open up the services we want to expose. That and since NFS uses portmap, we pin the NFS services to well known ports.
Signed-off-by: Perry Myers <pmyers at redhat.com>
---
 appliances/ovirt/ovirt.pp.in | 72 +++++++++++++++++++++++++++++++++++-------
 1 files changed, 60 insertions(+), 12 deletions(-)
diff --git a/appliances/ovirt/ovirt.pp.in b/appliances/ovirt/ovirt.pp.in
index ae22319..1ee8b48 100644
--- a/appliances/ovirt/ovirt.pp.in
+++ b/appliances/ovirt/ovirt.pp.in
@@ -43,18 +43,38 @@ appliance_base::setup{$appliance_name: hostname => "management.priv.ovirt.org"}
 banners::terminal{$appliance_name: template_file => "ovirt/terminal.erb"}
 banners::login{$appliance_name:}
 postgres::setup{$appliance_name:}
-firewall::setup{$appliance_name: status => "disabled"}
+firewall::setup{$appliance_name: status => "enabled"}
 
-$changes = [
+$net_changes = [
   "set /files/etc/sysconfig/network-scripts/ifcfg-eth0/PEERDNS no",
   "set /files/etc/sysconfig/network-scripts/ifcfg-eth1/DNS1 192.168.50.2"
 ]
 
 augeas {"network_scripts":
-  changes => $changes,
+  changes => $net_changes,
   notify => Service["network"]
 }
 
+$nfs_changes = [
+  "set /files/etc/sysconfig/nfs/MOUNTD_PORT 892"
+]
+
+augeas {"nfs_config":
+  changes => $nfs_changes,
+  notify => Service["nfs"]
+}
+
+$nfslock_changes = [
+  "set /files/etc/sysconfig/nfs/LOCKD_TCPPORT 32803",
+  "set /files/etc/sysconfig/nfs/LOCKD_UDPPORT 32769",
+  "set /files/etc/sysconfig/nfs/STATD_PORT 662"
+]
+
+augeas {"nfslock_config":
+  changes => $nfslock_changes,
+  notify => Service["nfslock"]
+}
+
 file {"/etc/yum.repos.d/ovirt.repo":
   source => "puppet:///ovirt/ovirt.repo"
 }
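Review bot: The new nfs_config and nfslock_config augeas resources pin mountd, lockd and statd to fixed ports without saying why; the reason lives only in the commit message, and the matching port numbers are repeated in the firewall_rule list of the next hunk, so a later edit to one list can silently break the other. Add a comment above `$nfs_changes` such as `# Pin the portmap-assigned NFS helper daemons to fixed ports so the firewall_rule entries below can open them; keep the two lists in sync`. A short note that the augeas notify is what orders the port change before the first start of Service["nfs"] and Service["nfslock"] would also help, since those services are declared further down the file.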
@@ -78,12 +98,29 @@ firewall_rule {"ovirt_nat":
   action => "MASQUERADE"
 }
 
-firewall_rule {"ssh":
-  table => "filter",
-  chain => "INPUT",
-  destination_port => '22',
-  action => "ACCEPT"
-}
+firewall_rule {"ssh": destination_port => '22'}
+firewall_rule {"http": destination_port => '80'}
+firewall_rule {"https": destination_port => '443'}
+firewall_rule {"ldap": destination_port => '389'}
+firewall_rule {"named": destination_port => '53'}
+firewall_rule {"named-udp": destination_port => '53', protocol => 'udp'}
+firewall_rule {"tgtd": destination_port => '3260'}
+firewall_rule {"nfsd": destination_port => '2049'}
+firewall_rule {"rpcbind": destination_port => '111'}
+firewall_rule {"rpcbind-udp": destination_port => '111', protocol => 'udp'}
+firewall_rule {"host-browser": destination_port => '12120'}
+firewall_rule {"rpc.mountd": destination_port => '892'}
+firewall_rule {"rpc.mountd-udp": destination_port => '892', protocol => 'udp'}
+firewall_rule {"rpc.statd": destination_port => '662'}
+firewall_rule {"rpc.statd-udp": destination_port => '662', protocol => 'udp'}
+firewall_rule {"ntpd": destination_port => '123', protocol => 'udp'}
+firewall_rule {"tftpd": destination_port => '69', protocol => 'udp'}
+firewall_rule {"dhcpd": destination_port => '68', protocol => 'udp'}
+firewall_rule {"bootp": destination_port => '67', protocol => 'udp'}
+firewall_rule {"collectd": destination_port => '25826', protocol => 'udp'}
+firewall_rule {"krb5kdc": destination_port => '88', protocol => 'udp'}
+firewall_rule {"cobblerd": destination_port => "25150"}
+firewall_rule {"cobblerd-mgmt": destination_port => "25151"}
 
 file_replacement{"nat_forwarding" :
   file => "/etc/sysctl.conf",
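Review bot: LOCKD_TCPPORT 32803 and LOCKD_UDPPORT 32769 are pinned in the previous hunk, but no firewall_rule in this list opens them, so with the firewall now enabled NFS lock traffic from clients is dropped while mountd, statd and nfsd are reachable; add `firewall_rule {"lockd": destination_port => '32803'}` and `firewall_rule {"lockd-udp": destination_port => '32769', protocol => 'udp'}` next to the rpc.statd rules. The rule titled "dhcpd" opens 68/udp, which is the DHCP client port, while the server listens on 67/udp (already opened under "bootp"), so either the title is misleading or the 68/udp rule is not needed on this host; worth confirming against what the appliance actually runs. The 88/udp-only krb5kdc rule may also need a TCP counterpart if clients are expected to fall back to TCP, which I cannot tell from this hunk.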
@@ -103,6 +140,18 @@ service {"ovirt-server-appliance":
   require => [File["/etc/init.d/ovirt-server-appliance"], Service["network"], Service["httpd"]]
 }
 
+service {"nfs":
+  ensure => "running",
+  enable => true,
+  require => [Service["network"], Service[nfslock]]
+}
+
+service {"nfslock":
+  ensure => "running",
+  enable => true,
+  require => [Service["network"]]
+}
+
 file {"/usr/sbin/ovirt-server-appliance-setup":
   content => template("ovirt-server-appliance-setup.erb"),
   mode => 755
@@ -110,7 +159,8 @@ file {"/usr/sbin/ovirt-server-appliance-setup":
 
 single_exec {"ovirt_appliance_installation":
   command => "/usr/sbin/ovirt-server-appliance-setup >> /var/log/ovirt-server-appliance-setup.log",
-  require => [File["/usr/sbin/ovirt-server-appliance-setup"], Service["ovirt-server-appliance"], Firewall_rule ["ovirt_nat"], Firewall_rule["ssh"], Exec["reload-firewall"]]
+  require => [File["/usr/sbin/ovirt-server-appliance-setup"], Service["ovirt-server-appliance"],
+              Exec["reload-firewall"]]
 }
 
 single_exec {"ovirt_installation":
@@ -121,8 +171,6 @@ single_exec {"ovirt_installation":
 #
 # Cobbler Configuration
 #
-firewall_rule{"25150": destination_port => "25150"}
-firewall_rule{"25151": destination_port => "25151"}
 
 # Set the password to be ovirt/ovirt
 file_append{"ovirt_cobbler_user":
-- 
1.5.5.1
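Review bot: In the new service "nfs" resource, `Service[nfslock]` is written as a bare word while every other reference in the hunk quotes the title, so for consistency it should read `require => [Service["network"], Service["nfslock"]]`. The only ordering between the nfs_config/nfslock_config augeas changes from the first hunk and these services is the notify on those augeas resources, which does place the port change before the first start, so nothing else appears missing here; a one-line comment on each service saying the ports are set by the augeas resources above would make that dependency visible.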
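Review bot: The rewritten require list for "ovirt_appliance_installation" drops Firewall_rule["ovirt_nat"] and Firewall_rule["ssh"] and keeps only Exec["reload-firewall"], so the setup script is ordered after the firewall rules only if Exec["reload-firewall"] itself depends on every firewall_rule; that Exec is defined outside this hunk, so the patch does not show it. If it does not, the setup can run before the newly added NFS and cobbler ports are open. Either keep an explicit dependency on the rules the setup needs or confirm that reload-firewall collects all Firewall_rule resources, and note the reason in a comment on the require line.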