baruwaproject / baruwa2

Baruwa 2.0
http://www.baruwa.org
GNU General Public License v3.0

[bug] Firewall port 5432 not opened in iptables when installing the 'Database' role #83

Closed rmoesbergen closed 8 years ago

rmoesbergen commented 8 years ago

I just installed a system with the 'database' role (so only postgres + pgbouncer), however, port 5432 is not opened in the firewall by baruwa-setup. This prevents frontend systems from connecting to the database. I can open it manually of course, but I would expect baruwa-setup should do that for me.

rmoesbergen commented 8 years ago

Same goes for the MQ/Cache/Index roles

akissa commented 8 years ago
  1. Which ISO are you using?
  2. What is the output of the following command? cat /etc/baruwa-profile

rmoesbergen commented 8 years ago

$ cat /etc/baruwa-profile
cat: /etc/baruwa-profile: No such file or directory

The profile I chose in baruwa-setup is 'Database'

I've run a 'yum update' before starting baruwa-setup. I've used ISO version 6.7.4.

akissa commented 8 years ago

What is the output of grep firewall anaconda-ks.cfg

rmoesbergen commented 8 years ago

in /root:
$ grep firewall anaconda-ks.cfg
firewall --service=ssh

akissa commented 8 years ago

That means you did not install using the database profile. You probably installed in expert mode. https://www.baruwa.com/docs/installation/install.html#boot-menu

akissa commented 8 years ago

If you install using the database profile you will have the ports opened as follows:
firewall --service=ssh --port=postgres:tcp --port=5666:tcp --port=161:udp
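
A check for a cloned template, as an added example that is not part of the thread or of the Baruwa project: it compares the firewall line in a kickstart file with the database-profile line quoted above and prints the ports that were never opened. The function names are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# --port entries of the database profile, taken from the firewall line
# quoted in the thread (postgres:tcp is the port 5432 named in the issue title).
EXPECTED_DB_PORTS="postgres:tcp 5666:tcp 161:udp"

# Print every --port value on the kickstart "firewall" line, one per line.
# Kickstart accepts repeated --port options and comma-separated lists.
ks_firewall_ports() {
    grep '^firewall' "$1" | tr ' ' '\n' | sed -n 's/^--port=//p' | tr ',' '\n'
}

# Print each expected database-profile port that the kickstart file lacks.
# Empty output means the base install opened everything the profile needs.
missing_db_ports() {
    opened=$(ks_firewall_ports "$1")
    for want in $EXPECTED_DB_PORTS; do
        printf '%s\n' "$opened" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample: the firewall line reported for the cloned template.
sample=$(mktemp)
printf 'firewall --service=ssh\n' > "$sample"
echo "Ports missing for the database profile:"
missing_db_ports "$sample"
rm -f "$sample"
```

On a real system the argument would be the anaconda-ks.cfg file in /root, as in the grep above.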

rmoesbergen commented 8 years ago

I did not install through the ISO boot-menu, if that's what you mean by 'expert mode'. We have a template that we clone to a new VM, then start baruwa-setup and choose 'Database' as the profile. Would be nice / expected if salt opened the firewall ports as well.

akissa commented 8 years ago

I think you should make 5 templates for each of the profiles. The correct work flow in baruwa is to use the correct profile when doing the base install and then baruwa-setup just does the configuration. The correct install profile does a couple of important things.

  1. Sets up the correct software for the specific type of profile
  2. Sets up the correct firewalling rules for the specific type of profile.

If the correct profile is not used for the initial setup, you will run into 2 issues off the top of my head.

  1. Marooned software, software that is installed and cannot be updated. If you install a standalone system and configure it as a database you will have software on the system that is not being used and also cannot be updated with bugfixes and security patches. Why? Because the front end systems and backend systems do not use the same repo. Some software in the front end repo is not available in the backend repo.
  2. The firewall will not be setup correctly, which is the issue you have run into.

rmoesbergen commented 8 years ago

Ok, good to know. I think we're ok regarding point 1 since our template is the 'expert' install, with no additional software installed (not even activated). We'll work around the firewall issue (add the rules in our deploy script)

akissa commented 8 years ago

Okay no problem, as an FYI, you can see the various profiles under the ks/ directory on the DVD.

Closing this issue.