public inbox for kdevops@lists.linux.dev
* [RFC PATCH] nfsd: Refine the firewall settings on the -nfsd target node
@ 2024-10-18 20:54 cel
From: cel @ 2024-10-18 20:54 UTC (permalink / raw)
  To: kdevops; +Cc: Chuck Lever

From: Chuck Lever <chuck.lever@oracle.com>

In preparation for testing NFSD in the cloud, where target nodes
might be exposed to the public internet, leave the firewall enabled
and permit NFS traffic.

The documentation for the ansible.posix.firewalld module states "Not
tested on any Debian based system." For now, Debian-based target
nodes still simply disable firewalld.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 .../roles/nfsd/tasks/firewall/debian/main.yml | 11 ++++
 .../roles/nfsd/tasks/firewall/redhat/main.yml | 65 +++++++++++++++++++
 .../roles/nfsd/tasks/firewall/suse/main.yml   | 65 +++++++++++++++++++
 playbooks/roles/nfsd/tasks/main.yml           | 20 +++---
 playbooks/roles/nfsd/templates/nfs.conf.j2    |  3 +
 playbooks/roles/nfsd/vars/RedHat.yml          |  2 +
 6 files changed, 156 insertions(+), 10 deletions(-)
 create mode 100644 playbooks/roles/nfsd/tasks/firewall/debian/main.yml
 create mode 100644 playbooks/roles/nfsd/tasks/firewall/redhat/main.yml
 create mode 100644 playbooks/roles/nfsd/tasks/firewall/suse/main.yml

I have tested this change with Fedora on libvirt, and RHEL 9.4 on
AWS.

I haven't tested these changes with SuSE-based target nodes. It
looks like the menu option to select SuSE on the target nodes has
disappeared.


diff --git a/playbooks/roles/nfsd/tasks/firewall/debian/main.yml b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml
new file mode 100644
index 000000000000..0ba5272812a6
--- /dev/null
+++ b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml
@@ -0,0 +1,11 @@
+---
+- name: Populate service facts
+  ansible.builtin.service_facts:
+
+- name: Turn off firewalld
+  become: true
+  ansible.builtin.systemd_service:
+    name: firewalld.service
+    enabled: false
+    state: stopped
+  when: '"firewalld.service" in ansible_facts.services'
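Review bot: this Debian branch leaves an internet-exposed target with no host firewall at all, which contradicts the stated goal of the series; the `# FIXME: open ports instead` comment that this patch deletes from tasks/main.yml should move into this file, together with the "Not tested on any Debian based system" caveat from the commit message, so the gap remains visible in the code rather than only in the commit log. The `systemd_service` task is otherwise fine, and `ansible.builtin.service_facts` correctly runs without `become`.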
diff --git a/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml
new file mode 100644
index 000000000000..39fab7773d09
--- /dev/null
+++ b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml
@@ -0,0 +1,65 @@
+---
+- name: Populate service facts
+  ansible.builtin.service_facts:
+
+- name: Turn on firewalld
+  become: true
+  ansible.builtin.systemd_service:
+    name: firewalld.service
+    enabled: true
+    state: started
+  when: '"firewalld.service" in ansible_facts.services'
+
+- name: Open the rpcbind service port in firewalld
+  become: true
+  become_method: ansible.builtin.sudo
+  ansible.posix.firewalld:
+    service: rpc-bind
+    permanent: true
+    immediate: true
+    state: enabled
+
+- name: Open the NFS service port in firewalld
+  become: true
+  become_method: ansible.builtin.sudo
+  ansible.posix.firewalld:
+    service: nfs
+    permanent: true
+    immediate: true
+    state: enabled
+
+- name: Open the NLM TCP service port in firewalld
+  become: true
+  become_method: ansible.builtin.sudo
+  ansible.posix.firewalld:
+    port: 4045/tcp
+    permanent: true
+    immediate: true
+    state: enabled
+
+- name: Open the NLM UDP service port in firewalld
+  become: true
+  become_method: ansible.builtin.sudo
+  ansible.posix.firewalld:
+    port: 4045/udp
+    permanent: true
+    immediate: true
+    state: enabled
+
+- name: Open the MNT TCP service port in firewalld
+  become: true
+  become_method: ansible.builtin.sudo
+  ansible.posix.firewalld:
+    port: 20048/tcp
+    permanent: true
+    immediate: true
+    state: enabled
+
+- name: Open the MNT UDP service port in firewalld
+  become: true
+  become_method: ansible.builtin.sudo
+  ansible.posix.firewalld:
+    port: 20048/udp
+    permanent: true
+    immediate: true
+    state: enabled
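Review bot: `become_method: ansible.builtin.sudo` is set on the six firewalld tasks but not on the `systemd_service` task above them; sudo is already the default become method, so either drop it everywhere or apply it consistently. The two MNT tasks also bake in 20048 for mountd while nothing in the nfs.conf.j2 hunk pins that port (only lockd is pinned in this series), so the rule and the daemon can drift apart; add a `[mountd]` section with `port=20048` to the template. firewalld additionally ships a predefined `mountd` service covering 20048/tcp and 20048/udp, which would let the two MNT tasks collapse into one `service:` entry in the style of the `rpc-bind` task.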
diff --git a/playbooks/roles/nfsd/tasks/firewall/suse/main.yml b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml
new file mode 100644
index 000000000000..39fab7773d09
--- /dev/null
+++ b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml
@@ -0,0 +1,65 @@
+---
+- name: Populate service facts
+  ansible.builtin.service_facts:
+
+- name: Turn on firewalld
+  become: true
+  ansible.builtin.systemd_service:
+    name: firewalld.service
+    enabled: true
+    state: started
+  when: '"firewalld.service" in ansible_facts.services'
+
+- name: Open the rpcbind service port in firewalld
+  become: true
+  become_method: ansible.builtin.sudo
+  ansible.posix.firewalld:
+    service: rpc-bind
+    permanent: true
+    immediate: true
+    state: enabled
+
+- name: Open the NFS service port in firewalld
+  become: true
+  become_method: ansible.builtin.sudo
+  ansible.posix.firewalld:
+    service: nfs
+    permanent: true
+    immediate: true
+    state: enabled
+
+- name: Open the NLM TCP service port in firewalld
+  become: true
+  become_method: ansible.builtin.sudo
+  ansible.posix.firewalld:
+    port: 4045/tcp
+    permanent: true
+    immediate: true
+    state: enabled
+
+- name: Open the NLM UDP service port in firewalld
+  become: true
+  become_method: ansible.builtin.sudo
+  ansible.posix.firewalld:
+    port: 4045/udp
+    permanent: true
+    immediate: true
+    state: enabled
+
+- name: Open the MNT TCP service port in firewalld
+  become: true
+  become_method: ansible.builtin.sudo
+  ansible.posix.firewalld:
+    port: 20048/tcp
+    permanent: true
+    immediate: true
+    state: enabled
+
+- name: Open the MNT UDP service port in firewalld
+  become: true
+  become_method: ansible.builtin.sudo
+  ansible.posix.firewalld:
+    port: 20048/udp
+    permanent: true
+    immediate: true
+    state: enabled
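Review bot: this file is byte-for-byte identical to redhat/main.yml (both hunks carry the same blob id 39fab7773d09 in their index lines), and the commit message says the SUSE path is untested. Rather than two copies that will drift, include one shared task file from both the Suse and RedHat branches of tasks/main.yml and keep the per-family directories only for the Debian special case.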
diff --git a/playbooks/roles/nfsd/tasks/main.yml b/playbooks/roles/nfsd/tasks/main.yml
index 63388f857627..5f944708b2ec 100644
--- a/playbooks/roles/nfsd/tasks/main.yml
+++ b/playbooks/roles/nfsd/tasks/main.yml
@@ -106,17 +106,17 @@
     state: present
   when: selinux_status.rc == 0
 
-# FIXME: open ports instead
-- name: Populate service facts
-  service_facts:
+- name: Open ports in NFS server's firewall (Debian)
+  ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/debian/main.yml
+  when: ansible_os_family == 'Debian'
 
-- name: Turn off firewalld
-  become: yes
-  ansible.builtin.systemd_service:
-    name: firewalld.service
-    enabled: false
-    state: stopped
-  when: '"firewalld.service" in ansible_facts.services'
+- name: Open ports in NFS server's firewall (Suse)
+  ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/suse/main.yml
+  when: ansible_os_family == 'Suse'
+
+- name: Open ports in NFS server's firewall (Red Hat)
+  ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/redhat/main.yml
+  when: ansible_os_family == 'RedHat'
 
 - name: Start up nfsd
   become: yes
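Review bot: the old unconditional "Turn off firewalld" step is replaced by three family-specific includes with no fallback, so a target whose `ansible_os_family` is none of Debian, Suse or RedHat now silently runs no firewall task at all, where before firewalld was at least stopped. Add a final `ansible.builtin.fail` task (or a default include) for the unmatched case so the omission is loud rather than silent. Minor: the three tasks could be collapsed into one `ansible.builtin.include_tasks` keyed on `ansible_os_family | lower`, since the directory names debian, suse and redhat already match that value.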
diff --git a/playbooks/roles/nfsd/templates/nfs.conf.j2 b/playbooks/roles/nfsd/templates/nfs.conf.j2
index a5f4a714ec34..e319f9246904 100644
--- a/playbooks/roles/nfsd/templates/nfs.conf.j2
+++ b/playbooks/roles/nfsd/templates/nfs.conf.j2
@@ -1,6 +1,9 @@
 [general]
 pipefs-directory={{ pipefs_directory }}
 
+[lockd]
+port=4045
+
 [nfsd]
 udp=y
 rdma=y
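Review bot: `port=4045` in the `[lockd]` section pins only lockd's TCP port; nfs.conf(5) documents a separate `udp-port` key for the UDP listener, so the 4045/udp rule opened in the redhat and suse task files does not correspond to anything fixed here. Add `udp-port=4045` alongside `port=4045` so the firewall entry and the daemon agree on both transports.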
diff --git a/playbooks/roles/nfsd/vars/RedHat.yml b/playbooks/roles/nfsd/vars/RedHat.yml
index 091c827c777d..ccffdcc4fdd9 100644
--- a/playbooks/roles/nfsd/vars/RedHat.yml
+++ b/playbooks/roles/nfsd/vars/RedHat.yml
@@ -1,9 +1,11 @@
 ---
 nfsd_packages:
   - checkpolicy
+  - firewalld
   - lvm2
   - nfs-utils
   - policycoreutils
+  - python3-firewall
   - python3-policycoreutils
 
 fstype_userspace_progs:
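Review bot: firewalld and python3-firewall (the bindings ansible.posix.firewalld needs) are added only to vars/RedHat.yml, yet the new suse/main.yml uses the same module; without a matching addition to the SUSE package list the Suse branch will fail at its first firewalld task on a host that lacks the bindings. Either add the equivalent packages there or state in the commit message that SUSE support is incomplete until that is done.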
-- 
2.46.1



* Re: [RFC PATCH] nfsd: Refine the firewall settings on the -nfsd target node
From: Scott Mayhew @ 2024-10-18 22:16 UTC (permalink / raw)
  To: cel; +Cc: kdevops, Chuck Lever

On Fri, 18 Oct 2024, cel@kernel.org wrote:

> From: Chuck Lever <chuck.lever@oracle.com>
> 
> In preparation for testing NFSD in the cloud, where target nodes
> might be exposed to the public internet, leave the firewall enabled
> and permit NFS traffic.

I'm assuming there's no need to open a port for statd because we're not
doing any reboot testing with v3?


* Re: [RFC PATCH] nfsd: Refine the firewall settings on the -nfsd target node
From: Chuck Lever III @ 2024-10-19 18:53 UTC (permalink / raw)
  To: Scott Mayhew; +Cc: Chuck Lever, kdevops@lists.linux.dev



> On Oct 18, 2024, at 6:16 PM, Scott Mayhew <smayhew@redhat.com> wrote:
> 
> On Fri, 18 Oct 2024, cel@kernel.org wrote:
> 
>> From: Chuck Lever <chuck.lever@oracle.com>
>> 
>> In preparation for testing NFSD in the cloud, where target nodes
>> might be exposed to the public internet, leave the firewall enabled
>> and permit NFS traffic.
> 
> I'm assuming there's no need to open a port for statd because we're not
> doing any reboot testing with v3?

Actually I didn't realize there was a "[statd]" section in
nfs.conf, so I didn't think it would be easy to set a fixed
port value for statd. Let me see if it can be added.


--
Chuck Lever



