From: Chuck Lever III <chuck.lever@oracle.com>
To: "kdevops@lists.linux.dev" <kdevops@lists.linux.dev>
Subject: Re: [PATCH v2] nfsd: Refine the firewall settings on the -nfsd target node
Date: Thu, 31 Oct 2024 13:01:48 +0000 [thread overview]
Message-ID: <1DE5A6B0-552B-4393-A0F4-8655DBEACEC3@oracle.com> (raw)
In-Reply-To: <20241028214719.2173128-1-cel@kernel.org>
> On Oct 28, 2024, at 5:47 PM, cel@kernel.org wrote:
>
> From: Chuck Lever <chuck.lever@oracle.com>
>
> In preparation for testing NFSD in the cloud, where target nodes
> might be exposed to the public internet, leave the firewall enabled
> and permit NFS traffic.
>
> The documentation for the ansible.posix.firewalld module states "Not
> tested on any Debian based system." For now, Debian-based target
> nodes still simply disable firewalld.
>
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
> .../roles/nfsd/tasks/firewall/debian/main.yml | 11 +++
> .../roles/nfsd/tasks/firewall/redhat/main.yml | 93 +++++++++++++++++++
> .../roles/nfsd/tasks/firewall/suse/main.yml | 93 +++++++++++++++++++
> playbooks/roles/nfsd/tasks/main.yml | 20 ++--
> playbooks/roles/nfsd/templates/nfs.conf.j2 | 6 ++
> playbooks/roles/nfsd/vars/RedHat.yml | 2 +
> 6 files changed, 215 insertions(+), 10 deletions(-)
> create mode 100644 playbooks/roles/nfsd/tasks/firewall/debian/main.yml
> create mode 100644 playbooks/roles/nfsd/tasks/firewall/redhat/main.yml
> create mode 100644 playbooks/roles/nfsd/tasks/firewall/suse/main.yml
>
> Changes:
> - Open the statd port as well
>
> diff --git a/playbooks/roles/nfsd/tasks/firewall/debian/main.yml b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml
> new file mode 100644
> index 000000000000..0ba5272812a6
> --- /dev/null
> +++ b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml
> @@ -0,0 +1,11 @@
> +---
> +- name: Populate service facts
> + ansible.builtin.service_facts:
> +
> +- name: Turn off firewalld
> + become: true
> + ansible.builtin.systemd_service:
> + name: firewalld.service
> + enabled: false
> + state: stopped
> + when: '"firewalld.service" in ansible_facts.services'
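Review bot: this file still disables firewalld outright on Debian, which on an internet-exposed target (the motivation in the commit message) leaves the node without any host firewall, and the `# FIXME: open ports instead` comment that this series removes from tasks/main.yml is exactly the reminder that should survive here. Suggest carrying that FIXME into this file with the reason from the commit message ("ansible.posix.firewalld not tested on Debian") so the gap stays visible to anyone reading the Debian branch on its own.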
> diff --git a/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml
> new file mode 100644
> index 000000000000..3d1d4fde3efb
> --- /dev/null
> +++ b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml
> @@ -0,0 +1,93 @@
> +---
> +- name: Populate service facts
> + ansible.builtin.service_facts:
> +
> +- name: Turn on firewalld
> + become: true
> + ansible.builtin.systemd_service:
> + name: firewalld.service
> + enabled: true
> + state: started
> + when: '"firewalld.service" in ansible_facts.services'
> +
> +- name: Open the rpcbind service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + service: rpc-bind
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NFS service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + service: nfs
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NSM TCP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 4044/tcp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NSM UDP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 4044/udp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NLM TCP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 4045/tcp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NLM UDP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 4045/udp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the MNT TCP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 20048/tcp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the MNT UDP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 20048/udp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NFS/RDMA service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 20049/tcp
> + permanent: true
> + immediate: true
> + state: enabled
> +
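Review bot: the two 20048 rules (MNT TCP/UDP) only help if mountd is actually bound to 20048, but the nfs.conf.j2 template in this same series pins only `[statd] port=4044` and `[lockd] port=4045`; add a `[mountd]` section with `port=20048` to the template, or note in the commit message that the distribution default is being relied upon. Also worth checking that the firewalld `nfs` service covers 2049/udp, since the template keeps `udp=y` under `[nfsd]`. Two style points: `become_method: ansible.builtin.sudo` is set on every firewalld task but not on the systemd task (apply it consistently or drop it), and the seven port tasks differ only in the port value, so one `ansible.posix.firewalld` task with `loop:` over `[4044/tcp, 4044/udp, 4045/tcp, 4045/udp, 20048/tcp, 20048/udp, 20049/tcp]` would express the same rules in a fraction of the lines.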
> diff --git a/playbooks/roles/nfsd/tasks/firewall/suse/main.yml b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml
> new file mode 100644
> index 000000000000..3d1d4fde3efb
> --- /dev/null
> +++ b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml
> @@ -0,0 +1,93 @@
> +---
> +- name: Populate service facts
> + ansible.builtin.service_facts:
> +
> +- name: Turn on firewalld
> + become: true
> + ansible.builtin.systemd_service:
> + name: firewalld.service
> + enabled: true
> + state: started
> + when: '"firewalld.service" in ansible_facts.services'
> +
> +- name: Open the rpcbind service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + service: rpc-bind
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NFS service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + service: nfs
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NSM TCP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 4044/tcp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NSM UDP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 4044/udp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NLM TCP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 4045/tcp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NLM UDP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 4045/udp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the MNT TCP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 20048/tcp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the MNT UDP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 20048/udp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NFS/RDMA service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 20049/tcp
> + permanent: true
> + immediate: true
> + state: enabled
> +
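Review bot: this file is byte-identical to the Red Hat one (both carry blob id 3d1d4fde3efb), so consider a single shared task file included from both `when:` branches in tasks/main.yml instead of two copies that will drift. Separately, the "Turn on firewalld" task is guarded by `'"firewalld.service" in ansible_facts.services'` but the `ansible.posix.firewalld` tasks below it are not; vars/RedHat.yml adds `firewalld` and `python3-firewall` so the module's Python bindings are present there, while this patch adds nothing equivalent for SUSE, so unless the SUSE vars already list them these tasks will fail on a target without firewalld installed. Either add the packages for SUSE or guard the port tasks with the same `when`.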
> diff --git a/playbooks/roles/nfsd/tasks/main.yml b/playbooks/roles/nfsd/tasks/main.yml
> index 63388f857627..5f944708b2ec 100644
> --- a/playbooks/roles/nfsd/tasks/main.yml
> +++ b/playbooks/roles/nfsd/tasks/main.yml
> @@ -106,17 +106,17 @@
> state: present
> when: selinux_status.rc == 0
>
> -# FIXME: open ports instead
> -- name: Populate service facts
> - service_facts:
> +- name: Open ports in NFS server's firewall (Debian)
> + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/debian/main.yml
> + when: ansible_os_family == 'Debian'
>
> -- name: Turn off firewalld
> - become: yes
> - ansible.builtin.systemd_service:
> - name: firewalld.service
> - enabled: false
> - state: stopped
> - when: '"firewalld.service" in ansible_facts.services'
> +- name: Open ports in NFS server's firewall (Suse)
> + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/suse/main.yml
> + when: ansible_os_family == 'Suse'
> +
> +- name: Open ports in NFS server's firewall (Red Hat)
> + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/redhat/main.yml
> + when: ansible_os_family == 'RedHat'
>
> - name: Start up nfsd
> become: yes
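Review bot: the removed code disabled firewalld on every family where the service existed, whereas the three new `include_tasks` lines only act when `ansible_os_family` is exactly `'Debian'`, `'Suse'` or `'RedHat'`; any other family now gets no firewall handling at all, silently. If that is intended, say so in the commit message; otherwise add a fallback (for example an `assert` or `fail` task) so an unsupported family is reported rather than left in an unknown state. Minor: the surrounding context uses `become: yes` while the new files use `become: true`; pick one spelling for the role.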
> diff --git a/playbooks/roles/nfsd/templates/nfs.conf.j2 b/playbooks/roles/nfsd/templates/nfs.conf.j2
> index a5f4a714ec34..31cf18539798 100644
> --- a/playbooks/roles/nfsd/templates/nfs.conf.j2
> +++ b/playbooks/roles/nfsd/templates/nfs.conf.j2
> @@ -1,6 +1,12 @@
> [general]
> pipefs-directory={{ pipefs_directory }}
>
> +[statd]
> +port=4044
> +
> +[lockd]
> +port=4045
> +
> [nfsd]
> udp=y
> rdma=y
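Review bot: `[lockd] port=4045` pins NLM over TCP only; nfs.conf(5) documents a separate `udp-port` key for NLM over UDP, so with the firewall opening 4045/udp as well, add `udp-port=4045` here or the UDP side of lockd will still land on a dynamic port that the firewall rule does not cover. Likewise the firewall files open 20048/tcp and 20048/udp for mountd, but nothing in this template pins `[mountd] port=20048`.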
> diff --git a/playbooks/roles/nfsd/vars/RedHat.yml b/playbooks/roles/nfsd/vars/RedHat.yml
> index 091c827c777d..ccffdcc4fdd9 100644
> --- a/playbooks/roles/nfsd/vars/RedHat.yml
> +++ b/playbooks/roles/nfsd/vars/RedHat.yml
> @@ -1,9 +1,11 @@
> ---
> nfsd_packages:
> - checkpolicy
> + - firewalld
> - lvm2
> - nfs-utils
> - policycoreutils
> + - python3-firewall
> - python3-policycoreutils
>
> fstype_userspace_progs:
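Review bot: `firewalld` and `python3-firewall` are only added to the Red Hat package list, yet the suse/main.yml task file introduced in this patch uses `ansible.posix.firewalld` just the same; if the SUSE vars file does not already pull in firewalld and its Python bindings, the SUSE branch will fail at the first firewalld task. Add the equivalent packages there, or explain in the commit message why SUSE does not need them.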
> --
> 2.46.1
>
This probably breaks the NFSv4.0 callback channel. I'm going to
set this one aside for the moment.
--
Chuck Lever