IBM / ibm-spectrum-scale-install-infra

Spectrum Scale Installation and Configuration
Apache License 2.0
64 stars, 67 forks

Disabling firewalld should not be the goto method, instead open up the necessary ports on firewall #12

Open whowutwut opened 4 years ago

whowutwut commented 4 years ago

The task of disabling the firewall should not be what we do, instead, keep the firewall running if it's there and open up the correct ports required for Scale to function

acch commented 3 years ago

Hi @whowutwut! I'm working my way through some of the older issues and found this one...

I'd argue that adjusting the firewall config in every possible deployment scenario is a complex endeavor. I would claim that it's outside of the scope of this project to deal with the exact configuration steps necessary in a given scenario. Some might be relying on firewall-cmd, others might deploy old-fashioned iptables, just to name two RHEL examples...

Hence, I'd say that we provide a very generic (maybe crude) way to open the required ports, and that is by simply disabling firewalld altogether. If users need something more fine-grained then they'd need to define their own tasks for doing so. What do you think?

The documentation has the following (here):

- scale_prepare_disable_firewall
  - example: true
  - default: false

  Whether or not to disable Linux firewalld - if you need to keep firewalld active then change this variable to false and apply your custom firewall rules prior to running this role (e.g. as pre_tasks).

Do you agree?

janfrode commented 3 years ago

My lazy solution has been to assume that all members in the cluster are a unit — if you can hack one, you can hack all — then a firewall opening up for ANY from cluster member to cluster member is a good policy.

I typically then install a firewalld policy like this for each host on all hosts:

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="173.16.94.12/32" accept'

janfrode commented 3 years ago

I don't think this should be too difficult to solve for both iptables and firewalld, but firewalld is nicest... and I think it's probably time to drop plain iptables. All major distros support firewalld -- and RHEL8 has now changed to the nft backend for firewalld, so I guess customers will be forced to do something (learn firewalld, or nft).

We could define a "service" for each set of services:

firewall-cmd --permanent --new-service=gpfs-daemon
firewall-cmd --permanent --service=gpfs-daemon --set-description="Spectrum Scale daemon"
firewall-cmd --permanent --service=gpfs-daemon --set-short="mmfsd"
firewall-cmd --permanent --service=gpfs-daemon --add-port=1191/tcp
firewall-cmd --permanent --new-service=gpfs-rpc
firewall-cmd --permanent --service=gpfs-rpc --set-description="Spectrum Scale RPC"
firewall-cmd --permanent --service=gpfs-rpc --add-port=60000-61000/tcp 

and similar for pmcollector:

firewall-cmd --permanent --new-service=gpfs-perfmon
firewall-cmd --permanent --service=gpfs-perfmon --set-description="Spectrum Scale performance monitoring"
firewall-cmd --permanent --service=gpfs-perfmon --set-short="perfmon"
firewall-cmd --permanent --service=gpfs-perfmon --add-port=4739/tcp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=4739/udp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=8123/tcp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=8124/tcp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=8125/tcp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=8126/tcp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=8127/tcp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=9084/tcp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=9085/tcp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=9094/tcp

and each of the sets of functions we have documented in the KC. Then define an ipset containing all our cluster nodes:

# firewall-cmd --permanent --new-ipset=scalecluster --type=hash:net
# firewall-cmd --permanent --ipset=scalecluster --add-entry=10.11.36.173
# firewall-cmd --permanent --ipset=scalecluster --add-entry=10.11.37.77
# firewall-cmd --permanent --ipset=scalecluster --add-entry=10.11.37.86

and a zone for this:

# firewall-cmd --permanent --new-zone=clusterinternal
# firewall-cmd --permanent --zone=clusterinternal --add-source=ipset:scalecluster
# firewall-cmd --permanent --zone=clusterinternal --add-service=ssh
# firewall-cmd --permanent --zone=clusterinternal --add-service=gpfs-daemon
# firewall-cmd --permanent --zone=clusterinternal --add-service=gpfs-rpc
# firewall-cmd --permanent --zone=clusterinternal --add-service=gpfs-perfmon

This should be a quite static configuration for the firewall rules, as only the ipset needs to be modified whenever nodes are added and removed. Also I think it should be easy enough to implement the same with iptables if required..

Small set of rules, identical on all nodes. Only ipset needs to be modified. Should also have different zones for CES, frontend webui, remote clusters.
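The layout above (per-function services, an ipset of members, one zone bound to the ipset) is static except for the ipset, so the interesting automation problem is keeping that ipset equal to the current cluster membership, including removing nodes that left. The script below is an added example and not the project's or the commenter's code. It reuses the object names from the comment (gpfs-daemon, gpfs-rpc, gpfs-perfmon, scalecluster, clusterinternal), assumes `firewall-cmd --permanent --ipset=NAME --get-entries` prints one entry per line, and takes the desired membership as a newline-separated list of IPv4 addresses (for instance rendered from the Ansible inventory). The address lists in the comments are constructed sample data; `scale_firewall_bootstrap` and `ipset_sync_apply` need root and a running firewalld, while `valid_ipv4_net` and `ipset_sync_plan` are pure text processing and can be run anywhere.

```shell
#!/bin/sh
# Added example: idempotent firewalld setup for a Spectrum Scale cluster and
# an ipset sync step. Object names follow the comment above; not project code.

IPSET_NAME=scalecluster
ZONE_NAME=clusterinternal

# True if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
# Hostnames, IPv6 and typos are rejected before anything reaches firewall-cmd,
# so a bad inventory line fails loudly instead of silently opening or skipping
# a node. Runs in a subshell so IFS/positional changes stay local.
valid_ipv4_net() (
  addr=$1; prefix=32
  case $addr in */*) prefix=${addr#*/}; addr=${addr%/*} ;; esac
  case $prefix in ''|*[!0-9]*) exit 1 ;; esac
  [ "$prefix" -le 32 ] 2>/dev/null || exit 1
  case $addr in .*|*.|*..*) exit 1 ;; esac
  IFS=.; set -f; set -- $addr
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) exit 1 ;; esac
    [ "$o" -le 255 ] || exit 1
  done
  exit 0
)

# Create the static objects once; safe to rerun because every object is
# guarded by a lookup of the permanent configuration. Ports are the ones
# listed in the comment above.
scale_firewall_bootstrap() {
  fc="firewall-cmd --permanent"
  if ! $fc --get-services | tr ' ' '\n' | grep -qx gpfs-daemon; then
    $fc --new-service=gpfs-daemon
    $fc --service=gpfs-daemon --add-port=1191/tcp
  fi
  if ! $fc --get-services | tr ' ' '\n' | grep -qx gpfs-rpc; then
    $fc --new-service=gpfs-rpc
    $fc --service=gpfs-rpc --add-port=60000-61000/tcp
  fi
  if ! $fc --get-services | tr ' ' '\n' | grep -qx gpfs-perfmon; then
    $fc --new-service=gpfs-perfmon
    for p in 4739/tcp 4739/udp 8123/tcp 8124/tcp 8125/tcp 8126/tcp 8127/tcp \
             9084/tcp 9085/tcp 9094/tcp; do
      $fc --service=gpfs-perfmon --add-port="$p"
    done
  fi
  if ! $fc --get-ipsets | tr ' ' '\n' | grep -qx "$IPSET_NAME"; then
    $fc --new-ipset="$IPSET_NAME" --type=hash:net
  fi
  if ! $fc --get-zones | tr ' ' '\n' | grep -qx "$ZONE_NAME"; then
    $fc --new-zone="$ZONE_NAME"
    $fc --zone="$ZONE_NAME" --add-source="ipset:$IPSET_NAME"
    for s in ssh gpfs-daemon gpfs-rpc gpfs-perfmon; do
      $fc --zone="$ZONE_NAME" --add-service="$s"
    done
  fi
}

# Emit "add ADDR" / "remove ADDR" lines that turn the current ipset contents
# ($1, newline-separated, as printed by --get-entries) into the desired
# membership ($2, newline-separated). Pure text processing: nothing is
# executed, so the plan can be reviewed or logged before it is applied.
# All desired entries are validated before any line is emitted.
ipset_sync_plan() (
  current=$1; desired=$2
  IFS='
'; set -f
  for e in $desired; do
    valid_ipv4_net "$e" || { echo "ipset_sync_plan: invalid entry '$e'" >&2; exit 1; }
  done
  for e in $desired; do
    printf '%s\n' "$current" | grep -qxF -e "$e" || echo "add $e"
  done
  # Stale entries must go: a decommissioned node's address can be reused by
  # a host that should not be able to reach mmfsd at all.
  for e in $current; do
    printf '%s\n' "$desired" | grep -qxF -e "$e" || echo "remove $e"
  done
  exit 0
)

# Apply the plan on this node and make it live (root + firewalld required).
# $1: desired membership, newline-separated.
ipset_sync_apply() {
  current=$(firewall-cmd --permanent --ipset="$IPSET_NAME" --get-entries) || return 1
  plan=$(ipset_sync_plan "$current" "$1") || return 1
  printf '%s\n' "$plan" | while read -r op addr; do
    [ -n "$op" ] || continue
    firewall-cmd --permanent --ipset="$IPSET_NAME" "--$op-entry=$addr"
  done
  firewall-cmd --reload
}
```

Two things to check when adopting this: the zone only governs traffic whose source matches the ipset, so the interface's own zone (usually `public`) must not also open 1191 or the 60000-61000 range, or the ipset restriction is moot; and `--permanent` changes are inert until `firewall-cmd --reload`, which is why the apply step ends with it.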

janfrode commented 3 years ago

So here's a first try:

https://github.com/janfrode/ibm-spectrum-scale-install-infra/commit/e6435c5c5101f432b3367d55d856fe292d1d050a

Any comments will be most appreciated.

janfrode commented 3 years ago

Added automatically adding addresses to ipset in https://github.com/janfrode/ibm-spectrum-scale-install-infra/commit/f25ab2d57e27e054a1de6171e1aa6833911c8186