Open whowutwut opened 4 years ago
Hi @whowutwut! I'm working my way through some of the older issues and found this one...
I'd argue that adjusting the firewall config in every possible deployment scenario is a complex endeavor. I would claim that it's outside of the scope of this project to deal with the exact configuration steps necessary in a given scenario. Some might be relying on firewall-cmd, others might deploy old-fashioned iptables, just to name two RHEL examples...
Hence, I'd say that we provide a very generic (maybe crude) way to open the required ports, and that is by simply disabling firewalld altogether. If users need something more fine-grained then they'd need to define their own tasks for doing so. What do you think?
The documentation has the following (here):
- scale_prepare_disable_firewall
- example: true
- default: false
Whether or not to disable Linux firewalld - if you need to keep firewalld active then change this variable to false and apply your custom firewall rules prior to running this role (e.g. as pre_tasks).
Do you agree?
My lazy solution has been to assume that all members in the cluster are a unit — if you can hack one, you can hack all — so a firewall opening up for ANY from cluster member to cluster member is a good policy.
I typically then install a firewalld policy like this for each host on all hosts:
```shell
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address=173.16.94.12/32 accept'
```
I don't think this should be too difficult to solve for both iptables and firewalld, but firewalld is nicest, and I think it's probably time to drop plain iptables. All major distros support firewalld, and RHEL 8 has now changed to the nft backend for firewalld, so I guess customers will be forced to do something (learn firewalld, or nft).
We could define a "service" for each set of services:

```shell
firewall-cmd --permanent --new-service=gpfs-daemon
firewall-cmd --permanent --service=gpfs-daemon --set-description="Spectrum Scale daemon"
firewall-cmd --permanent --service=gpfs-daemon --set-short="mmfsd"
firewall-cmd --permanent --service=gpfs-daemon --add-port=1191/tcp
firewall-cmd --permanent --new-service=gpfs-rpc
firewall-cmd --permanent --service=gpfs-rpc --set-description="Spectrum Scale RPC"
firewall-cmd --permanent --service=gpfs-rpc --add-port=60000-61000/tcp
```
and similar for pmcollector:

```shell
firewall-cmd --permanent --new-service=gpfs-perfmon
firewall-cmd --permanent --service=gpfs-perfmon --set-description="Spectrum Scale performance monitoring"
firewall-cmd --permanent --service=gpfs-perfmon --set-short="perfmon"
firewall-cmd --permanent --service=gpfs-perfmon --add-port=4739/tcp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=4739/udp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=8123/tcp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=8124/tcp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=8125/tcp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=8126/tcp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=8127/tcp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=9084/tcp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=9085/tcp
firewall-cmd --permanent --service=gpfs-perfmon --add-port=9094/tcp
```
and each of the sets of functions we have documented in the KC. Then define an ipset containing all our cluster nodes:

```shell
# firewall-cmd --permanent --new-ipset=scalecluster --type=hash:net
# firewall-cmd --permanent --ipset=scalecluster --add-entry=10.11.36.173
# firewall-cmd --permanent --ipset=scalecluster --add-entry=10.11.37.77
# firewall-cmd --permanent --ipset=scalecluster --add-entry=10.11.37.86
```

and a zone for this:

```shell
# firewall-cmd --permanent --new-zone=clusterinternal
# firewall-cmd --permanent --zone=clusterinternal --add-source=ipset:scalecluster
# firewall-cmd --permanent --zone=clusterinternal --add-service=ssh
# firewall-cmd --permanent --zone=clusterinternal --add-service=gpfs-daemon
# firewall-cmd --permanent --zone=clusterinternal --add-service=gpfs-rpc
# firewall-cmd --permanent --zone=clusterinternal --add-service=gpfs-perfmon
```
This should be a quite static configuration for the firewall rules, as only the ipset needs to be modified whenever nodes are added and removed. Also I think it should be easy enough to implement the same with iptables if required.
Small set of rules, identical on all nodes. Only the ipset needs to be modified. Should also have different zones for CES, frontend webui, remote clusters.
Any comments will be most appreciated.
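The service, ipset and zone sequence from the proposal above, generated from a node list by a small POSIX sh script; this is an added illustration, not code from the issue or from the ibm-spectrum-scale-install-infra role. It only prints the firewall-cmd invocations (the ipset name, zone name and node addresses are constructed here), so the output can be reviewed before it is run on a node.

```shell
#!/bin/sh
# Added example: emit the firewall-cmd sequence for a cluster-internal zone.
# Nothing here calls firewall-cmd itself; pipe the output to sh on a node once reviewed.

SCALE_IPSET=scalecluster    # constructed name, matches the proposal above
SCALE_ZONE=clusterinternal  # constructed name, matches the proposal above

# Permanent service definitions: daemon (1191/tcp), RPC ephemeral range, perfmon ports.
scale_service_cmds() {
  echo "firewall-cmd --permanent --new-service=gpfs-daemon"
  echo "firewall-cmd --permanent --service=gpfs-daemon --set-short=mmfsd"
  echo "firewall-cmd --permanent --service=gpfs-daemon --add-port=1191/tcp"
  echo "firewall-cmd --permanent --new-service=gpfs-rpc"
  echo "firewall-cmd --permanent --service=gpfs-rpc --add-port=60000-61000/tcp"
  echo "firewall-cmd --permanent --new-service=gpfs-perfmon"
  for p in 4739/tcp 4739/udp 8123/tcp 8124/tcp 8125/tcp 8126/tcp 8127/tcp 9084/tcp 9085/tcp 9094/tcp; do
    echo "firewall-cmd --permanent --service=gpfs-perfmon --add-port=$p"
  done
}

# ipset + zone commands for the given node addresses (dotted quad, optional /prefix).
# The check is loose on purpose but rejects hostnames and empty strings, so a stray
# inventory entry cannot silently widen the trusted zone. Ends with a reload so the
# permanent configuration becomes active.
scale_zone_cmds() {
  echo "firewall-cmd --permanent --new-ipset=$SCALE_IPSET --type=hash:net"
  for node in "$@"; do
    case "$node" in
      ""|*[!0-9./]*|*/|/*) echo "invalid node address: $node" >&2; return 1 ;;
    esac
    echo "firewall-cmd --permanent --ipset=$SCALE_IPSET --add-entry=$node"
  done
  echo "firewall-cmd --permanent --new-zone=$SCALE_ZONE"
  echo "firewall-cmd --permanent --zone=$SCALE_ZONE --add-source=ipset:$SCALE_IPSET"
  for svc in ssh gpfs-daemon gpfs-rpc gpfs-perfmon; do
    echo "firewall-cmd --permanent --zone=$SCALE_ZONE --add-service=$svc"
  done
  echo "firewall-cmd --reload"
}

# Usage on a node, after review of the printed commands:
#   { scale_service_cmds; scale_zone_cmds 10.11.36.173 10.11.37.77 10.11.37.86; } | sh
```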
Added automatically adding addresses to ipset in https://github.com/janfrode/ibm-spectrum-scale-install-infra/commit/f25ab2d57e27e054a1de6171e1aa6833911c8186
The task of disabling the firewall should not be what we do; instead, keep the firewall running if it's there and open up the correct ports required for Scale to function.