Issue kimchi-project#456: Firewall ports are not open after firewall …

…restart v4 Instead of setup firewall and selinux configuration, kimchi will just add the files needed by this setup and describe to the user how security setup will be done in README. Signed-off-by: Ramon Medeiros <ramonn@linux.vnet.ibm.com>
d3scomp · Jan 15, 2015 · fcc38fd · fcc38fd
1 parent 5dc11fb
commit fcc38fd
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 61 deletions.
diff --git a/contrib/DEBIAN/postinst b/contrib/DEBIAN/postinst
diff --git a/contrib/DEBIAN/postrm b/contrib/DEBIAN/postrm
@@ -26,10 +26,3 @@ case "$1" in
         rm -rf /var/log/kimchi /var/run/kimchi.pid /usr/share/kimchi/
     ;;
 esac
-
-set +e
-service firewalld status >/dev/null 2>&1
-if [ $? -eq 0 ]; then
-    firewall-cmd --remove-service kimchid >/dev/null 2>&1
-fi
-set -e
diff --git a/contrib/kimchi.spec.fedora.in b/contrib/kimchi.spec.fedora.in
@@ -113,37 +113,13 @@ if [ $1 -eq 1 ] ; then
     /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 fi
 
-%if 0%{?with_systemd}
-service firewalld status >/dev/null 2>&1
-if [ $? -ne 0 ]; then
-    service firewalld start >/dev/null 2>&1
-fi
-# Add firewalld rules to open 8000 and 8001 port
-firewall-cmd --reload >/dev/null 2>&1
-firewall-cmd --add-service kimchid >/dev/null 2>&1
-%else
-# Add default iptable rules to open 8000 and 8001 port
-iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
-iptables -I INPUT -p tcp --dport 8001 -j ACCEPT
-iptables -I INPUT -p tcp --dport 64667 -j ACCEPT
-service iptables save >/dev/null 2>&1
-%endif
-# Add SELinux rules to "open" Kimchi ports
-semanage permissive -a httpd_t
 
 %preun
 
 if [ $1 -eq 0 ] ; then
     # Package removal, not upgrade
     /bin/systemctl --no-reload disable kimchid.service > /dev/null 2>&1 || :
     /bin/systemctl stop kimchid.service > /dev/null 2>&1 || :
-    %if 0%{?with_systemd}
-        firewall-cmd --remove-service kimchid >/dev/null 2>&1 || :
-    %else
-        iptables -D INPUT -p tcp --dport 8000 -j ACCEPT || :
-        iptables -D INPUT -p tcp --dport 8001 -j ACCEPT || :
-        iptables -D INPUT -p tcp --dport 64667 -j ACCEPT || :
-    %endif
 fi
 
 exit 0
@@ -154,8 +130,6 @@ if [ "$1" -ge 1 ] ; then
     /bin/systemctl try-restart kimchid.service >/dev/null 2>&1 || :
 fi
 exit 0
-# Rollback SELinux rules
-semanage permissive -d httpd_t
 
 %clean
 rm -rf $RPM_BUILD_ROOT

diff --git a/docs/README.md b/docs/README.md
@@ -142,6 +142,35 @@ Run
 
     $ sudo kimchid --host=0.0.0.0
 
+If you cannot access Kimchi, take a look at these 2 points:
+
+1. Firewall
+Kimchi uses by default the ports 8000, 8001 and 64667. To allow incoming connections:
+
+    For system using firewalld, do:
+    sudo firewall-cmd --add-port 8000 --permanent
+    sudo firewall-cmd --add-port 8001 --permanent
+    sudo firewall-cmd --add-port 64667 --permanent
+    sudo firewall-cmd --reload
+
+    For openSUSE systems, do:
+    sudo /sbin/SuSEfirewall2 open EXT TCP 8000
+    sudo /sbin/SuSEfirewall2 open EXT TCP 8001
+    sudo /sbin/SuSEfirewall2 open EXT TCP 64667
+
+    For system using iptables, do:
+    sudo iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
+    sudo iptables -A INPUT -p tcp --dport 8001 -j ACCEPT
+    sudo iptables -A INPUT -p tcp --dport 64667 -j ACCEPT
+
+    Don't forget to correctly save the rules.
+
+
+2. SELinux
+Allow httpd_t context for Kimchi web server:
+
+    semanage permissive -a httpd_t
+
 
 Test
 ----