Merge pull request #1405 from liangxin1300/20240425_firewalld_issue

Fix: bootstrap: open corosync ports in firewalld

Author: liangxin1300

crmsh/bootstrap.py

@@ -59,8 +59,6 @@
 SYSCONFIG_SBD = "/etc/sysconfig/sbd"
 SYSCONFIG_PCMK = "/etc/sysconfig/pacemaker"
 SYSCONFIG_NFS = "/etc/sysconfig/nfs"
-SYSCONFIG_FW = "/etc/sysconfig/SuSEfirewall2"
-SYSCONFIG_FW_CLUSTER = "/etc/sysconfig/SuSEfirewall2.d/services/cluster"
 PCMK_REMOTE_AUTH = "/etc/pacemaker/authkey"
 COROSYNC_CONF_ORIG = tmpfiles.create()[1]
 SERVICES_STOP_LIST = ["corosync-qdevice.service", "corosync.service", "hawk.service", CSYNC2_SERVICE]
@@ -659,35 +657,6 @@ def configure_firewall(tcp=None, udp=None):
     if udp is None:
         udp = []
 
-    def init_firewall_suse(tcp, udp):
-        if os.path.exists(SYSCONFIG_FW_CLUSTER):
-            cluster = utils.parse_sysconfig(SYSCONFIG_FW_CLUSTER)
-            tcpcurr = set(cluster.get("TCP", "").split())
-            tcpcurr.update(tcp)
-            tcp = list(tcpcurr)
-            udpcurr = set(cluster.get("UDP", "").split())
-            udpcurr.update(udp)
-            udp = list(udpcurr)
-
-        utils.sysconfig_set(SYSCONFIG_FW_CLUSTER, TCP=" ".join(tcp), UDP=" ".join(udp))
-
-        ext = ""
-        if os.path.exists(SYSCONFIG_FW):
-            fw = utils.parse_sysconfig(SYSCONFIG_FW)
-            ext = fw.get("FW_CONFIGURATIONS_EXT", "")
-            if "cluster" not in ext.split():
-                ext = ext + " cluster"
-        utils.sysconfig_set(SYSCONFIG_FW, FW_CONFIGURATIONS_EXT=ext)
-
-        # No need to do anything else if the firewall is inactive
-        if not ServiceManager().service_is_active("SuSEfirewall2"):
-            return
-
-        # Firewall is active, either restart or complain if we couldn't tweak it
-        logger.info("Restarting firewall (tcp={}, udp={})".format(" ".join(tcp), " ".join(udp)))
-        if not invokerc("rcSuSEfirewall2 restart"):
-            utils.fatal("Failed to restart firewall (SuSEfirewall2)")
-
     def init_firewall_firewalld(tcp, udp):
         has_firewalld = ServiceManager().service_is_active("firewalld")
         cmdbase = 'firewall-cmd --zone=public --permanent ' if has_firewalld else 'firewall-offline-cmd --zone=public '
@@ -719,8 +688,6 @@ def init_firewall_ufw(tcp, udp):
 
     if utils.package_is_installed("firewalld"):
         init_firewall_firewalld(tcp, udp)
-    elif utils.package_is_installed("SuSEfirewall2"):
-        init_firewall_suse(tcp, udp)
     elif utils.package_is_installed("ufw"):
         init_firewall_ufw(tcp, udp)
 
@@ -729,7 +696,11 @@ def firewall_open_basic_ports():
     """
     Open ports for csync2, hawk & dlm respectively
     """
-    configure_firewall(tcp=["30865", "7630", "21064"])
+    configure_firewall(tcp=[
+        constants.CSYNC2_PORT,
+        constants.HAWK_PORT,
+        constants.DLM_PORT
+        ])
 
 
 def firewall_open_corosync_ports():
@@ -744,7 +715,7 @@ def firewall_open_corosync_ports():
     Also open QNetd/QDevice port if configured.
     """
     # all mcastports defined in corosync config
-    udp = corosync.get_values("totem.interface.mcastport")
+    udp = corosync.get_values("totem.interface.mcastport") or [constants.COROSYNC_PORT]
     udp.extend([str(int(p) - 1) for p in udp])
 
     tcp = corosync.get_values("totem.quorum.device.net.port")
@@ -757,8 +728,7 @@ def init_cluster_local():
     if ServiceManager().service_is_active("corosync.service"):
         utils.fatal("corosync service is running!")
 
-    # FIXME This is temporarily commentted out since issue from new corosync parser
-    #firewall_open_corosync_ports()
+    firewall_open_corosync_ports()
 
     # reset password, but only if it's not already set
     # (We still need the hacluster for the hawk).

crmsh/constants.py

@@ -520,4 +520,9 @@
 NON_FUNCTIONAL_COMMANDS = {'help', 'cd', 'ls', 'quit', 'up'}
 NON_FUNCTIONAL_OPTIONS = {'--help', '--help-without-redirect'}
 COROSYNC_STATUS_TYPES = ("ring", "quorum", "qdevice", "qnetd", "cpg")
+
+COROSYNC_PORT = 5405
+CSYNC2_PORT = 30865
+HAWK_PORT = 7630
+DLM_PORT = 21064
 # vim:ts=4:sw=4:et:

crmsh/crash_test/check.py

@@ -164,9 +164,6 @@ def check_port_open(task, firewall_type):
                 task.info("UDP port {} is opened in firewalld".format(p))
             else:
                 task.error("UDP port {} should open in firewalld".format(p))
-    elif firewall_type == "SuSEfirewall2":
-        #TODO
-        pass
 
 
 def check_firewall():
@@ -175,7 +172,7 @@ def check_firewall():
     """
     task_inst = task.TaskCheck("Checking firewall")
     with task_inst.run():
-        for item in ("firewalld", "SuSEfirewall2"):
+        for item in ("firewalld", ):
             if crmshutils.package_is_installed(item):
                 task_inst.info("{}.service is available".format(item))
                 if ServiceManager().service_is_active(item):

scripts/health/collect.py

@@ -79,9 +79,7 @@ def disk_info():
     '/etc/csync2/key_hagroup',
     '/etc/csync2/csync2.cfg',
     '/etc/corosync/corosync.conf',
-    '/etc/sysconfig/sbd',
-    '/etc/sysconfig/SuSEfirewall2',
-    '/etc/sysconfig/SuSEfirewall2.d/services/cluster'
+    '/etc/sysconfig/sbd'
     ]
 
 

test/unittests/test_crashtest_check.py

@@ -164,10 +164,7 @@ def test_check_firewall_not_intalled(self, mock_task, mock_installed):
         check.check_firewall()
 
         mock_task.assert_called_once_with("Checking firewall")
-        mock_installed.assert_has_calls([
-            mock.call("firewalld"),
-            mock.call("SuSEfirewall2")
-            ])
+        mock_installed.assert_called_once_with("firewalld")
         mock_task_inst.warn.assert_called_once_with("Failed to detect firewall")
 
     @mock.patch('crmsh.service_manager.ServiceManager.service_is_active')

utils/crm_init.py

@@ -9,14 +9,12 @@
             'fence-agents', 'gfs2', 'gfs2-utils', 'hawk', 'ocfs2',
             'ocfs2-tools', 'pacemaker', 'pacemaker-mgmt',
             'resource-agents', 'sbd']
-SERVICES = ['sshd', 'ntp', 'corosync', 'pacemaker', 'hawk', 'SuSEfirewall2_init']
+SERVICES = ['sshd', 'ntp', 'corosync', 'pacemaker', 'hawk']
 SSH_KEY = os.path.expanduser('~/.ssh/id_rsa')
 CSYNC2_KEY = '/etc/csync2/key_hagroup'
 CSYNC2_CFG = '/etc/csync2/csync2.cfg'
 COROSYNC_CONF = '/etc/corosync/corosync.conf'
 SYSCONFIG_SBD = '/etc/sysconfig/sbd'
-SYSCONFIG_FW = '/etc/sysconfig/SuSEfirewall2'
-SYSCONFIG_FW_CLUSTER = '/etc/sysconfig/SuSEfirewall2.d/services/cluster'
 
 
 def rpm_info():
@@ -85,8 +83,6 @@ def check(fn):
             'csync2_cfg': check(CSYNC2_CFG),
             'corosync_conf': check(COROSYNC_CONF),
             'sysconfig_sbd': check(SYSCONFIG_SBD),
-            'sysconfig_fw': check(SYSCONFIG_FW),
-            'sysconfig_fw_cluster': check(SYSCONFIG_FW_CLUSTER),
             }
 
 
@@ -206,46 +202,8 @@ def configure_firewall():
         rc, out, err = crm_script.call(['crm', 'corosync', 'get', 'totem.interface.mcastport'])
         if rc == 0:
             corosync_mcastport = out.strip()
-    FW = '/etc/sysconfig/SuSEfirewall2'
-    FW_CLUSTER = '/etc/sysconfig/SuSEfirewall2.d/services/cluster'
 
     tcp_ports = '30865 5560 7630 21064'
     udp_ports = '%s %s' % (corosync_mcastport, int(corosync_mcastport) - 1)
 
-    if is_service_enabled('SuSEfirewall2'):
-        if os.path.isfile(FW_CLUSTER):
-            tmpl = open(FW_CLUSTER).read()
-            tmpl = re.sub(r'^TCP="(.*)"', 'TCP="%s"' % (tcp_ports), tmpl, flags=re.M)
-            tmpl = re.sub(r'^UDP="(.*)"', 'UDP="%s"' % (udp_ports), tmpl, flags=re.M)
-            with open(FW_CLUSTER, 'w') as f:
-                f.write(tmpl)
-        elif os.path.isdir(os.path.dirname(FW_CLUSTER)):
-            with open(FW_CLUSTER, 'w') as fwc:
-                fwc.write(_SUSE_FW_TEMPLATE % {'tcp': tcp_ports,
-                                               'udp': udp_ports})
-        else:
-            # neither the cluster file nor the services
-            # directory exists
-            crm_script.exit_fail("SUSE firewall is configured but %s does not exist" %
-                                 os.path.dirname(FW_CLUSTER))
-
-        # add cluster to FW_CONFIGURATIONS_EXT
-        if os.path.isfile(FW):
-            txt = open(FW).read()
-            m = re.search(r'^FW_CONFIGURATIONS_EXT="(.*)"', txt, re.M)
-            if m:
-                services = m.group(1).split()
-                if 'cluster' not in services:
-                    services.append('cluster')
-                txt = re.sub(r'^FW_CONFIGURATIONS_EXT="(.*)"',
-                             r'FW_CONFIGURATIONS_EXT="%s"' % (' '.join(services)),
-                             txt,
-                             flags=re.M)
-            else:
-                txt += '\nFW_CONFIGURATIONS_EXT="cluster"'
-            with open(FW, 'w') as fw:
-                fw.write(txt)
-        if is_service_active('SuSEfirewall2'):
-            crm_script.service('SuSEfirewall2', 'restart')
-
     # TODO: other platforms