From: Scott Mayhew <smayhew@redhat.com>
To: cel@kernel.org
Cc: kdevops@lists.linux.dev, Chuck Lever <chuck.lever@oracle.com>
Subject: Re: [RFC PATCH] nfsd: Refine the firewall settings on the -nfsd target node
Date: Fri, 18 Oct 2024 18:16:19 -0400
Message-ID: <ZxLeM8AA0DkoPvLA@aion>
In-Reply-To: <20241018205446.1869501-1-cel@kernel.org>
On Fri, 18 Oct 2024, cel@kernel.org wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
>
> In preparation for testing NFSD in the cloud, where target nodes
> might be exposed to the public internet, leave the firewall enabled
> and permit NFS traffic.
I'm assuming there's no need to open a port for statd because we're not
doing any reboot testing with v3?
>
> The documentation for the ansible.posix.firewalld module states "Not
> tested on any Debian based system." For now, Debian-based target
> nodes still simply disable firewalld.
>
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
> .../roles/nfsd/tasks/firewall/debian/main.yml | 11 ++++
> .../roles/nfsd/tasks/firewall/redhat/main.yml | 65 +++++++++++++++++++
> .../roles/nfsd/tasks/firewall/suse/main.yml | 65 +++++++++++++++++++
> playbooks/roles/nfsd/tasks/main.yml | 20 +++---
> playbooks/roles/nfsd/templates/nfs.conf.j2 | 3 +
> playbooks/roles/nfsd/vars/RedHat.yml | 2 +
> 6 files changed, 156 insertions(+), 10 deletions(-)
> create mode 100644 playbooks/roles/nfsd/tasks/firewall/debian/main.yml
> create mode 100644 playbooks/roles/nfsd/tasks/firewall/redhat/main.yml
> create mode 100644 playbooks/roles/nfsd/tasks/firewall/suse/main.yml
>
> I have tested this change with Fedora on libvirt, and RHEL 9.4 on
> AWS.
>
> I haven't tested these changes with SuSE-based target nodes. It
> looks like the menu option to select SuSE on the target nodes has
> disappeared.
>
>
> diff --git a/playbooks/roles/nfsd/tasks/firewall/debian/main.yml b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml
> new file mode 100644
> index 000000000000..0ba5272812a6
> --- /dev/null
> +++ b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml
> @@ -0,0 +1,11 @@
> +---
> +- name: Populate service facts
> + ansible.builtin.service_facts:
> +
> +- name: Turn off firewalld
> + become: true
> + ansible.builtin.systemd_service:
> + name: firewalld.service
> + enabled: false
> + state: stopped
> + when: '"firewalld.service" in ansible_facts.services'
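Review bot: the reason Debian keeps the old "disable firewalld" behaviour is stated only in the commit message; a one-line comment at the top of this file (ansible.posix.firewalld is documented as untested on Debian) would stop a later reader from taking this as the intended end state. Since the series' stated goal is to leave the firewall enabled on nodes that may face the public internet, a Debian target currently ends up with no host firewall at all, so a FIXME line here marking that gap (to be closed with the distribution's own firewall tooling) would be worth adding.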
> diff --git a/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml
> new file mode 100644
> index 000000000000..39fab7773d09
> --- /dev/null
> +++ b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml
> @@ -0,0 +1,65 @@
> +---
> +- name: Populate service facts
> + ansible.builtin.service_facts:
> +
> +- name: Turn on firewalld
> + become: true
> + ansible.builtin.systemd_service:
> + name: firewalld.service
> + enabled: true
> + state: started
> + when: '"firewalld.service" in ansible_facts.services'
> +
> +- name: Open the rpcbind service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + service: rpc-bind
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NFS service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + service: nfs
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NLM TCP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 4045/tcp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NLM UDP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 4045/udp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the MNT TCP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 20048/tcp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the MNT UDP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 20048/udp
> + permanent: true
> + immediate: true
> + state: enabled
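Review bot: every ansible.posix.firewalld task here adds its service or port to the default zone with no `source:` restriction, so on a cloud target this admits any address to rpcbind, NFS, NLM and mountd; for the internet-exposed case the commit message describes, consider a `source:` limited to the test client's address, or a dedicated zone bound to the private interface with the default zone left closed. Two smaller points: `4045` is hard-coded both here and in `nfs.conf.j2`, so one role variable (for example `nfsd_lockd_port`) used in both places would prevent drift; and `become_method: ansible.builtin.sudo` is repeated on six tasks but missing from the "Turn on firewalld" task, so it is either redundant (sudo is the default) or should be applied consistently.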
> diff --git a/playbooks/roles/nfsd/tasks/firewall/suse/main.yml b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml
> new file mode 100644
> index 000000000000..39fab7773d09
> --- /dev/null
> +++ b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml
> @@ -0,0 +1,65 @@
> +---
> +- name: Populate service facts
> + ansible.builtin.service_facts:
> +
> +- name: Turn on firewalld
> + become: true
> + ansible.builtin.systemd_service:
> + name: firewalld.service
> + enabled: true
> + state: started
> + when: '"firewalld.service" in ansible_facts.services'
> +
> +- name: Open the rpcbind service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + service: rpc-bind
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NFS service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + service: nfs
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NLM TCP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 4045/tcp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the NLM UDP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 4045/udp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the MNT TCP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 20048/tcp
> + permanent: true
> + immediate: true
> + state: enabled
> +
> +- name: Open the MNT UDP service port in firewalld
> + become: true
> + become_method: ansible.builtin.sudo
> + ansible.posix.firewalld:
> + port: 20048/udp
> + permanent: true
> + immediate: true
> + state: enabled
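Review bot: this file has the same index hash (39fab7773d09) as the Red Hat version, i.e. it is a byte-for-byte copy, and two identical files will drift the first time one of them is edited. A single shared firewalld task file included for both os families (or the SUSE file simply including the Red Hat one) would keep one source of truth. Given the cover text says SUSE targets were not tested and the SUSE menu option has disappeared, leaving the SUSE path out until it can be exercised may be cleaner than adding an untested copy.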
> diff --git a/playbooks/roles/nfsd/tasks/main.yml b/playbooks/roles/nfsd/tasks/main.yml
> index 63388f857627..5f944708b2ec 100644
> --- a/playbooks/roles/nfsd/tasks/main.yml
> +++ b/playbooks/roles/nfsd/tasks/main.yml
> @@ -106,17 +106,17 @@
> state: present
> when: selinux_status.rc == 0
>
> -# FIXME: open ports instead
> -- name: Populate service facts
> - service_facts:
> +- name: Open ports in NFS server's firewall (Debian)
> + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/debian/main.yml
> + when: ansible_os_family == 'Debian'
>
> -- name: Turn off firewalld
> - become: yes
> - ansible.builtin.systemd_service:
> - name: firewalld.service
> - enabled: false
> - state: stopped
> - when: '"firewalld.service" in ansible_facts.services'
> +- name: Open ports in NFS server's firewall (Suse)
> + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/suse/main.yml
> + when: ansible_os_family == 'Suse'
> +
> +- name: Open ports in NFS server's firewall (Red Hat)
> + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/redhat/main.yml
> + when: ansible_os_family == 'RedHat'
>
> - name: Start up nfsd
> become: yes
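Review bot: the three include_tasks blocks differ only in the os-family string and the directory name, and `ansible_os_family | lower` already maps 'Debian', 'Suse' and 'RedHat' onto the three directory names, so a single task with `ansible.builtin.include_tasks: "roles/nfsd/tasks/firewall/{{ ansible_os_family | lower }}/main.yml"` would replace them; that also fails loudly for an unhandled family instead of silently skipping all three and leaving whatever firewall state the image shipped with. Minor: the new tasks use `become: true` while the surrounding tasks (e.g. "Start up nfsd") keep `become: yes`.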
> diff --git a/playbooks/roles/nfsd/templates/nfs.conf.j2 b/playbooks/roles/nfsd/templates/nfs.conf.j2
> index a5f4a714ec34..e319f9246904 100644
> --- a/playbooks/roles/nfsd/templates/nfs.conf.j2
> +++ b/playbooks/roles/nfsd/templates/nfs.conf.j2
> @@ -1,6 +1,9 @@
> [general]
> pipefs-directory={{ pipefs_directory }}
>
> +[lockd]
> +port=4045
> +
> [nfsd]
> udp=y
> rdma=y
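Review bot: `[lockd] port=` pins only lockd's TCP port; nfs.conf(5) has a separate `udp-port=` key, so the `4045/udp` rule opened in the firewall tasks will not match lockd's UDP listener unless `udp-port=4045` is added here too. The mountd port (20048) is opened in the firewall but not pinned in this template; adding `[mountd] port=20048` would make the two agree by construction rather than by default, and both values would be better taken from the same variables the firewall tasks use.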
> diff --git a/playbooks/roles/nfsd/vars/RedHat.yml b/playbooks/roles/nfsd/vars/RedHat.yml
> index 091c827c777d..ccffdcc4fdd9 100644
> --- a/playbooks/roles/nfsd/vars/RedHat.yml
> +++ b/playbooks/roles/nfsd/vars/RedHat.yml
> @@ -1,9 +1,11 @@
> ---
> nfsd_packages:
> - checkpolicy
> + - firewalld
> - lvm2
> - nfs-utils
> - policycoreutils
> + - python3-firewall
> - python3-policycoreutils
>
> fstype_userspace_progs:
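Review bot: `firewalld` and `python3-firewall` are added for Red Hat only, yet the new SUSE task file also uses ansible.posix.firewalld and the diffstat shows no change to the SUSE vars; without the python bindings those tasks will fail at runtime on a SUSE target. Either add the matching packages to the SUSE vars file or gate the SUSE include until it has been tested.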
> --
> 2.46.1
>
>