From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id C8394183CC9
	for <kdevops@lists.linux.dev>; Fri, 18 Oct 2024 22:16:26 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1729289789; cv=none; b=jUROi1jn3wC0mKCuMian8TioC15grRo9iVj1aVm8XcD89QP8Vwj9ufYANAVPcKDoGAHro1ar8pykmO/8tolUaTBmnM1Q+5kZUxQ7uNAjDDC98KOSyiJpFqbMpfgbzf3L7Fhj61NZVuPzXBS5P5hO49UWvL92K92yE/JGz5e3ubM=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1729289789; c=relaxed/simple;
	bh=lL9Rs8FS7qj6BHCVVRNb5SzolNBGNrAgm6i86rdI+cM=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 In-Reply-To:Content-Type:Content-Disposition; b=a5uW39i3ZhfpoKY8IQtJRvpQzF/DNxwn381CrEzdmSgjKdsQ4Z5eXsYwQF9G1RXWeEs+Znqdu1/2+ncxNr4qiJmhlo24O3B6CZyFLi4CYFkw8MnEZYqaMZbTLcK1A4dlBhvmEq09OoMZCXUqiQqP+3diFYQ8lLsgCXFD/b4Er7Q=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=hz3/6TAt; arc=none smtp.client-ip=170.10.133.124
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="hz3/6TAt"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1729289785;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=50WZdsvYy1OeVDt/u8Zr5Y+LHIjzpAnQR6Ymtrbmymc=;
	b=hz3/6TAt5Q3EN0y7yFxQbzxaEwP12fcgqYnCqH2USZmsW8LfyVk9XKtfI6mHs9LnjG2Qmh
	LnL3Dkv4Ga6kBBfWOB3aDT9gizLROfF9x5YyUfdmJXSWMkO//y7BVWricPshDHkmEvybWX
	rFEx4o5NfpCEtzTz6V81Wg34WqqKH+s=
Received: from mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-562-KeEBz1AfM8ex-0m3Pnw6YA-1; Fri,
 18 Oct 2024 18:16:22 -0400
X-MC-Unique: KeEBz1AfM8ex-0m3Pnw6YA-1
Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 4A0F919560A3;
	Fri, 18 Oct 2024 22:16:21 +0000 (UTC)
Received: from aion.redhat.com (unknown [10.22.80.82])
	by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id B82D219560A2;
	Fri, 18 Oct 2024 22:16:20 +0000 (UTC)
Received: by aion.redhat.com (Postfix, from userid 1000)
	id 18FB121BCFC; Fri, 18 Oct 2024 18:16:19 -0400 (EDT)
Date: Fri, 18 Oct 2024 18:16:19 -0400
From: Scott Mayhew <smayhew@redhat.com>
To: cel@kernel.org
Cc: kdevops@lists.linux.dev, Chuck Lever <chuck.lever@oracle.com>
Subject: Re: [RFC PATCH] nfsd: Refine the firewall settings on the -nfsd
 target node
Message-ID: <ZxLeM8AA0DkoPvLA@aion>
References: <20241018205446.1869501-1-cel@kernel.org>
Precedence: bulk
X-Mailing-List: kdevops@lists.linux.dev
List-Id: <kdevops.lists.linux.dev>
List-Subscribe: <mailto:kdevops+subscribe@lists.linux.dev>
List-Unsubscribe: <mailto:kdevops+unsubscribe@lists.linux.dev>
MIME-Version: 1.0
In-Reply-To: <20241018205446.1869501-1-cel@kernel.org>
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Fri, 18 Oct 2024, cel@kernel.org wrote:

> From: Chuck Lever <chuck.lever@oracle.com>
> 
> In preparation for testing NFSD in the cloud, where target nodes
> might be exposed to the public internet, leave the firewall enabled
> and permit NFS traffic.

I'm assuming there's no need to open a port for statd because we're not
doing any reboot testing with v3?

> 
> The documentation for the ansible.posix.firewalld module states "Not
> tested on any Debian based system." For now, Debian-based target
> nodes still simply disable firewalld.
> 
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
>  .../roles/nfsd/tasks/firewall/debian/main.yml | 11 ++++
>  .../roles/nfsd/tasks/firewall/redhat/main.yml | 65 +++++++++++++++++++
>  .../roles/nfsd/tasks/firewall/suse/main.yml   | 65 +++++++++++++++++++
>  playbooks/roles/nfsd/tasks/main.yml           | 20 +++---
>  playbooks/roles/nfsd/templates/nfs.conf.j2    |  3 +
>  playbooks/roles/nfsd/vars/RedHat.yml          |  2 +
>  6 files changed, 156 insertions(+), 10 deletions(-)
>  create mode 100644 playbooks/roles/nfsd/tasks/firewall/debian/main.yml
>  create mode 100644 playbooks/roles/nfsd/tasks/firewall/redhat/main.yml
>  create mode 100644 playbooks/roles/nfsd/tasks/firewall/suse/main.yml
> 
> I have tested this change with Fedora on libvirt, and RHEL 9.4 on
> AWS.
> 
> I haven't tested these changes with SuSE-based target nodes. It
> looks like the menu option to select SuSE on the target nodes has
> disappeared.
> 
> 
> diff --git a/playbooks/roles/nfsd/tasks/firewall/debian/main.yml b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml
> new file mode 100644
> index 000000000000..0ba5272812a6
> --- /dev/null
> +++ b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml
> @@ -0,0 +1,11 @@
> +---
> +- name: Populate service facts
> +  ansible.builtin.service_facts:
> +
> +- name: Turn off firewalld
> +  become: true
> +  ansible.builtin.systemd_service:
> +    name: firewalld.service
> +    enabled: false
> +    state: stopped
> +  when: '"firewalld.service" in ansible_facts.services'
> diff --git a/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml
> new file mode 100644
> index 000000000000..39fab7773d09
> --- /dev/null
> +++ b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml
> @@ -0,0 +1,65 @@
> +---
> +- name: Populate service facts
> +  ansible.builtin.service_facts:
> +
> +- name: Turn on firewalld
> +  become: true
> +  ansible.builtin.systemd_service:
> +    name: firewalld.service
> +    enabled: true
> +    state: started
> +  when: '"firewalld.service" in ansible_facts.services'
> +
> +- name: Open the rpcbind service port in firewalld
> +  become: true
> +  become_method: ansible.builtin.sudo
> +  ansible.posix.firewalld:
> +    service: rpc-bind
> +    permanent: true
> +    immediate: true
> +    state: enabled
> +
> +- name: Open the NFS service port in firewalld
> +  become: true
> +  become_method: ansible.builtin.sudo
> +  ansible.posix.firewalld:
> +    service: nfs
> +    permanent: true
> +    immediate: true
> +    state: enabled
> +
> +- name: Open the NLM TCP service port in firewalld
> +  become: true
> +  become_method: ansible.builtin.sudo
> +  ansible.posix.firewalld:
> +    port: 4045/tcp
> +    permanent: true
> +    immediate: true
> +    state: enabled
> +
> +- name: Open the NLM UDP service port in firewalld
> +  become: true
> +  become_method: ansible.builtin.sudo
> +  ansible.posix.firewalld:
> +    port: 4045/udp
> +    permanent: true
> +    immediate: true
> +    state: enabled
> +
> +- name: Open the MNT TCP service port in firewalld
> +  become: true
> +  become_method: ansible.builtin.sudo
> +  ansible.posix.firewalld:
> +    port: 20048/tcp
> +    permanent: true
> +    immediate: true
> +    state: enabled
> +
> +- name: Open the MNT UDP service port in firewalld
> +  become: true
> +  become_method: ansible.builtin.sudo
> +  ansible.posix.firewalld:
> +    port: 20048/udp
> +    permanent: true
> +    immediate: true
> +    state: enabled
> diff --git a/playbooks/roles/nfsd/tasks/firewall/suse/main.yml b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml
> new file mode 100644
> index 000000000000..39fab7773d09
> --- /dev/null
> +++ b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml
> @@ -0,0 +1,65 @@
> +---
> +- name: Populate service facts
> +  ansible.builtin.service_facts:
> +
> +- name: Turn on firewalld
> +  become: true
> +  ansible.builtin.systemd_service:
> +    name: firewalld.service
> +    enabled: true
> +    state: started
> +  when: '"firewalld.service" in ansible_facts.services'
> +
> +- name: Open the rpcbind service port in firewalld
> +  become: true
> +  become_method: ansible.builtin.sudo
> +  ansible.posix.firewalld:
> +    service: rpc-bind
> +    permanent: true
> +    immediate: true
> +    state: enabled
> +
> +- name: Open the NFS service port in firewalld
> +  become: true
> +  become_method: ansible.builtin.sudo
> +  ansible.posix.firewalld:
> +    service: nfs
> +    permanent: true
> +    immediate: true
> +    state: enabled
> +
> +- name: Open the NLM TCP service port in firewalld
> +  become: true
> +  become_method: ansible.builtin.sudo
> +  ansible.posix.firewalld:
> +    port: 4045/tcp
> +    permanent: true
> +    immediate: true
> +    state: enabled
> +
> +- name: Open the NLM UDP service port in firewalld
> +  become: true
> +  become_method: ansible.builtin.sudo
> +  ansible.posix.firewalld:
> +    port: 4045/udp
> +    permanent: true
> +    immediate: true
> +    state: enabled
> +
> +- name: Open the MNT TCP service port in firewalld
> +  become: true
> +  become_method: ansible.builtin.sudo
> +  ansible.posix.firewalld:
> +    port: 20048/tcp
> +    permanent: true
> +    immediate: true
> +    state: enabled
> +
> +- name: Open the MNT UDP service port in firewalld
> +  become: true
> +  become_method: ansible.builtin.sudo
> +  ansible.posix.firewalld:
> +    port: 20048/udp
> +    permanent: true
> +    immediate: true
> +    state: enabled
> diff --git a/playbooks/roles/nfsd/tasks/main.yml b/playbooks/roles/nfsd/tasks/main.yml
> index 63388f857627..5f944708b2ec 100644
> --- a/playbooks/roles/nfsd/tasks/main.yml
> +++ b/playbooks/roles/nfsd/tasks/main.yml
> @@ -106,17 +106,17 @@
>      state: present
>    when: selinux_status.rc == 0
>  
> -# FIXME: open ports instead
> -- name: Populate service facts
> -  service_facts:
> +- name: Open ports in NFS server's firewall (Debian)
> +  ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/debian/main.yml
> +  when: ansible_os_family == 'Debian'
>  
> -- name: Turn off firewalld
> -  become: yes
> -  ansible.builtin.systemd_service:
> -    name: firewalld.service
> -    enabled: false
> -    state: stopped
> -  when: '"firewalld.service" in ansible_facts.services'
> +- name: Open ports in NFS server's firewall (Suse)
> +  ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/suse/main.yml
> +  when: ansible_os_family == 'Suse'
> +
> +- name: Open ports in NFS server's firewall (Red Hat)
> +  ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/redhat/main.yml
> +  when: ansible_os_family == 'RedHat'
>  
>  - name: Start up nfsd
>    become: yes
> diff --git a/playbooks/roles/nfsd/templates/nfs.conf.j2 b/playbooks/roles/nfsd/templates/nfs.conf.j2
> index a5f4a714ec34..e319f9246904 100644
> --- a/playbooks/roles/nfsd/templates/nfs.conf.j2
> +++ b/playbooks/roles/nfsd/templates/nfs.conf.j2
> @@ -1,6 +1,9 @@
>  [general]
>  pipefs-directory={{ pipefs_directory }}
>  
> +[lockd]
> +port=4045
> +
>  [nfsd]
>  udp=y
>  rdma=y
> diff --git a/playbooks/roles/nfsd/vars/RedHat.yml b/playbooks/roles/nfsd/vars/RedHat.yml
> index 091c827c777d..ccffdcc4fdd9 100644
> --- a/playbooks/roles/nfsd/vars/RedHat.yml
> +++ b/playbooks/roles/nfsd/vars/RedHat.yml
> @@ -1,9 +1,11 @@
>  ---
>  nfsd_packages:
>    - checkpolicy
> +  - firewalld
>    - lvm2
>    - nfs-utils
>    - policycoreutils
> +  - python3-firewall
>    - python3-policycoreutils
>  
>  fstype_userspace_progs:
> -- 
> 2.46.1
> 
>