| Message ID | 20241018205446.1869501-1-cel@kernel.org (mailing list archive) |
|---|---|
| State | Handled Elsewhere |
| Series | [RFC] nfsd: Refine the firewall settings on the -nfsd target node |
On Fri, 18 Oct 2024, cel@kernel.org wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
>
> In preparation for testing NFSD in the cloud, where target nodes
> might be exposed to the public internet, leave the firewall enabled
> and permit NFS traffic.

I'm assuming there's no need to open a port for statd because we're not
doing any reboot testing with v3?

>
> The documentation for the ansible.posix.firewalld module states "Not
> tested on any Debian based system." For now, Debian-based target
> nodes still simply disable firewalld.
>
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
> .../roles/nfsd/tasks/firewall/debian/main.yml | 11 ++++
> .../roles/nfsd/tasks/firewall/redhat/main.yml | 65 +++++++++++++++++++
> .../roles/nfsd/tasks/firewall/suse/main.yml | 65 +++++++++++++++++++
> playbooks/roles/nfsd/tasks/main.yml | 20 +++---
> playbooks/roles/nfsd/templates/nfs.conf.j2 | 3 +
> playbooks/roles/nfsd/vars/RedHat.yml | 2 +
> 6 files changed, 156 insertions(+), 10 deletions(-)
> create mode 100644 playbooks/roles/nfsd/tasks/firewall/debian/main.yml
> create mode 100644 playbooks/roles/nfsd/tasks/firewall/redhat/main.yml
> create mode 100644 playbooks/roles/nfsd/tasks/firewall/suse/main.yml
>
> I have tested this change with Fedora on libvirt, and RHEL 9.4 on
> AWS.
>
> I haven't tested these changes with SuSE-based target nodes. It
> looks like the menu option to select SuSE on the target nodes has
> disappeared.
>
>
> diff --git a/playbooks/roles/nfsd/tasks/firewall/debian/main.yml b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml
> new file mode 100644
> index 000000000000..0ba5272812a6
> --- /dev/null
> +++ b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml
> @@ -0,0 +1,11 @@ > +--- > +- name: Populate service facts > + ansible.builtin.service_facts: > + > +- name: Turn off firewalld > + become: true > + ansible.builtin.systemd_service: > + name: firewalld.service > + enabled: false > + state: stopped > + when: '"firewalld.service" in ansible_facts.services' > diff --git a/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml > new file mode 100644 > index 000000000000..39fab7773d09 > --- /dev/null > +++ b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml 
> @@ -0,0 +1,65 @@ > +--- > +- name: Populate service facts > + ansible.builtin.service_facts: > + > +- name: Turn on firewalld > + become: true > + ansible.builtin.systemd_service: > + name: firewalld.service > + enabled: true > + state: started > + when: '"firewalld.service" in ansible_facts.services' > + > +- name: Open the rpcbind service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + service: rpc-bind > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NFS service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + service: nfs > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NLM TCP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 4045/tcp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NLM UDP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 4045/udp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the MNT TCP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 20048/tcp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the MNT UDP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 20048/udp > + permanent: true > + immediate: true > + state: enabled > diff --git a/playbooks/roles/nfsd/tasks/firewall/suse/main.yml b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml > new file mode 100644 > index 000000000000..39fab7773d09 > --- /dev/null > +++ b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml 
> @@ -0,0 +1,65 @@ > +--- > +- name: Populate service facts > + ansible.builtin.service_facts: > + > +- name: Turn on firewalld > + become: true > + ansible.builtin.systemd_service: > + name: firewalld.service > + enabled: true > + state: started > + when: '"firewalld.service" in ansible_facts.services' > + > +- name: Open the rpcbind service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + service: rpc-bind > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NFS service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + service: nfs > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NLM TCP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 4045/tcp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NLM UDP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 4045/udp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the MNT TCP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 20048/tcp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the MNT UDP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 20048/udp > + permanent: true > + immediate: true > + state: enabled > diff --git a/playbooks/roles/nfsd/tasks/main.yml b/playbooks/roles/nfsd/tasks/main.yml > index 63388f857627..5f944708b2ec 100644 > --- a/playbooks/roles/nfsd/tasks/main.yml > +++ b/playbooks/roles/nfsd/tasks/main.yml 
> @@ -106,17 +106,17 @@ > state: present > when: selinux_status.rc == 0 > > -# FIXME: open ports instead > -- name: Populate service facts > - service_facts: > +- name: Open ports in NFS server's firewall (Debian) > + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/debian/main.yml > + when: ansible_os_family == 'Debian' > > -- name: Turn off firewalld > - become: yes > - ansible.builtin.systemd_service: > - name: firewalld.service > - enabled: false > - state: stopped > - when: '"firewalld.service" in ansible_facts.services' > +- name: Open ports in NFS server's firewall (Suse) > + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/suse/main.yml > + when: ansible_os_family == 'Suse' > + > +- name: Open ports in NFS server's firewall (Red Hat) > + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/redhat/main.yml > + when: ansible_os_family == 'RedHat' > > - name: Start up nfsd > become: yes > diff --git a/playbooks/roles/nfsd/templates/nfs.conf.j2 b/playbooks/roles/nfsd/templates/nfs.conf.j2 > index a5f4a714ec34..e319f9246904 100644 > --- a/playbooks/roles/nfsd/templates/nfs.conf.j2 > +++ b/playbooks/roles/nfsd/templates/nfs.conf.j2 > @@ -1,6 +1,9 @@ > [general] > pipefs-directory={{ pipefs_directory }} > > +[lockd] > +port=4045 > + > [nfsd] > udp=y > rdma=y > diff --git a/playbooks/roles/nfsd/vars/RedHat.yml b/playbooks/roles/nfsd/vars/RedHat.yml > index 091c827c777d..ccffdcc4fdd9 100644 > --- a/playbooks/roles/nfsd/vars/RedHat.yml > +++ b/playbooks/roles/nfsd/vars/RedHat.yml > @@ -1,9 +1,11 @@ > --- > nfsd_packages: > - checkpolicy > + - firewalld > - lvm2 > - nfs-utils > - policycoreutils > + - python3-firewall > - python3-policycoreutils > > fstype_userspace_progs: > -- > 2.46.1 > >
> On Oct 18, 2024, at 6:16 PM, Scott Mayhew <smayhew@redhat.com> wrote:
>
> On Fri, 18 Oct 2024, cel@kernel.org wrote:
>
>> From: Chuck Lever <chuck.lever@oracle.com>
>>
>> In preparation for testing NFSD in the cloud, where target nodes
>> might be exposed to the public internet, leave the firewall enabled
>> and permit NFS traffic.
>
> I'm assuming there's no need to open a port for statd because we're not
> doing any reboot testing with v3?

Actually I didn't realize there was a "[statd]" section in nfs.conf, so I
didn't think it would be easy to set a fixed port value for statd. Let
me see if it can be added.

--
Chuck Lever
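The thread above leaves two things open: pinning the statd port the way the series already pins lockd, and the fact that the rules admit any source on a node that may face the internet. The playbook below is an added example, not code from this series or from the project it patches. It assumes an inventory group `nfsd`, two variables `nfsd_client_cidr` and `nfsd_statd_port` that do not exist in the role, a sample client range from the RFC 5737 documentation block, and a statd port chosen for the example; 4045 and 20048 are the values the series itself uses. The matching nfs.conf additions are shown as a comment at the top.

```yaml
---
# Added example (not part of the series): pin every NFSv3 side service
# to a fixed port in nfs.conf, then admit only known clients to those
# ports instead of opening them to every source in the default zone.
#
# Assumed additions to templates/nfs.conf.j2 (keys from nfs.conf(5)):
#   [lockd]
#   port=4045
#   udp-port=4045
#
#   [mountd]
#   port=20048
#
#   [statd]
#   port={{ nfsd_statd_port }}
#
- name: Admit only the test clients to the NFS server's fixed ports
  hosts: nfsd                          # assumed inventory group
  vars:
    nfsd_client_cidr: 203.0.113.0/24   # constructed sample range (RFC 5737)
    nfsd_statd_port: 32765             # chosen for this example; any free port works
  tasks:
    - name: Populate service facts
      ansible.builtin.service_facts:

    - name: Turn on firewalld
      become: true
      ansible.builtin.systemd_service:
        name: firewalld.service
        enabled: true
        state: started
      when: '"firewalld.service" in ansible_facts.services'

    # Services firewalld already knows: rpc-bind (111), nfs (2049) and
    # mountd (20048). The rich rule ties each to the client range, so
    # rpcbind and mountd stop answering arbitrary internet sources.
    - name: Admit NFS clients to the predefined NFS services
      become: true
      ansible.posix.firewalld:
        rich_rule: >-
          rule family="ipv4"
          source address="{{ nfsd_client_cidr }}"
          service name="{{ item }}" accept
        permanent: true
        immediate: true
        state: enabled
      loop:
        - rpc-bind
        - nfs
        - mountd

    # lockd and statd have no predefined service, so use the ports that
    # nfs.conf pins above; both protocols, since NFSv3 clients may use UDP.
    - name: Admit NFS clients to lockd and statd on their pinned ports
      become: true
      ansible.posix.firewalld:
        rich_rule: >-
          rule family="ipv4"
          source address="{{ nfsd_client_cidr }}"
          port port="{{ item.port }}" protocol="{{ item.proto }}" accept
        permanent: true
        immediate: true
        state: enabled
      loop:
        - { port: 4045, proto: tcp }
        - { port: 4045, proto: udp }
        - { port: "{{ nfsd_statd_port }}", proto: tcp }
        - { port: "{{ nfsd_statd_port }}", proto: udp }
```

Because the rules are rich rules scoped to a source, nothing is added to the zone's plain service or port lists, so a later `firewall-cmd --list-all` on the target shows the NFS ports only under the rich-rules section with the client range attached; that is the quickest check that the node is not answering rpcbind or mountd queries from anywhere else.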
diff --git a/playbooks/roles/nfsd/tasks/firewall/debian/main.yml b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml new file mode 100644 index 000000000000..0ba5272812a6 --- /dev/null +++ b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml @@ -0,0 +1,11 @@ +--- +- name: Populate service facts + ansible.builtin.service_facts: + +- name: Turn off firewalld + become: true + ansible.builtin.systemd_service: + name: firewalld.service + enabled: false + state: stopped + when: '"firewalld.service" in ansible_facts.services' diff --git a/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml new file mode 100644 index 000000000000..39fab7773d09 --- /dev/null +++ b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml 
@@ -0,0 +1,65 @@ +--- +- name: Populate service facts + ansible.builtin.service_facts: + +- name: Turn on firewalld + become: true + ansible.builtin.systemd_service: + name: firewalld.service + enabled: true + state: started + when: '"firewalld.service" in ansible_facts.services' + +- name: Open the rpcbind service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + service: rpc-bind + permanent: true + immediate: true + state: enabled + +- name: Open the NFS service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + service: nfs + permanent: true + immediate: true + state: enabled + +- name: Open the NLM TCP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 4045/tcp + permanent: true + immediate: true + state: enabled + +- name: Open the NLM UDP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 4045/udp + permanent: true + immediate: true + state: enabled + +- name: Open the MNT TCP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 20048/tcp + permanent: true + immediate: true + state: enabled + +- name: Open the MNT UDP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 20048/udp + permanent: true + immediate: true + state: enabled diff --git a/playbooks/roles/nfsd/tasks/firewall/suse/main.yml b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml new file mode 100644 index 000000000000..39fab7773d09 --- /dev/null +++ b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml 
@@ -0,0 +1,65 @@ +--- +- name: Populate service facts + ansible.builtin.service_facts: + +- name: Turn on firewalld + become: true + ansible.builtin.systemd_service: + name: firewalld.service + enabled: true + state: started + when: '"firewalld.service" in ansible_facts.services' + +- name: Open the rpcbind service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + service: rpc-bind + permanent: true + immediate: true + state: enabled + +- name: Open the NFS service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + service: nfs + permanent: true + immediate: true + state: enabled + +- name: Open the NLM TCP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 4045/tcp + permanent: true + immediate: true + state: enabled + +- name: Open the NLM UDP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 4045/udp + permanent: true + immediate: true + state: enabled + +- name: Open the MNT TCP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 20048/tcp + permanent: true + immediate: true + state: enabled + +- name: Open the MNT UDP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 20048/udp + permanent: true + immediate: true + state: enabled diff --git a/playbooks/roles/nfsd/tasks/main.yml b/playbooks/roles/nfsd/tasks/main.yml index 63388f857627..5f944708b2ec 100644 --- a/playbooks/roles/nfsd/tasks/main.yml +++ b/playbooks/roles/nfsd/tasks/main.yml 
@@ -106,17 +106,17 @@ state: present when: selinux_status.rc == 0 -# FIXME: open ports instead -- name: Populate service facts - service_facts: +- name: Open ports in NFS server's firewall (Debian) + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/debian/main.yml + when: ansible_os_family == 'Debian' -- name: Turn off firewalld - become: yes - ansible.builtin.systemd_service: - name: firewalld.service - enabled: false - state: stopped - when: '"firewalld.service" in ansible_facts.services' +- name: Open ports in NFS server's firewall (Suse) + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/suse/main.yml + when: ansible_os_family == 'Suse' + +- name: Open ports in NFS server's firewall (Red Hat) + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/redhat/main.yml + when: ansible_os_family == 'RedHat' - name: Start up nfsd become: yes diff --git a/playbooks/roles/nfsd/templates/nfs.conf.j2 b/playbooks/roles/nfsd/templates/nfs.conf.j2 index a5f4a714ec34..e319f9246904 100644 --- a/playbooks/roles/nfsd/templates/nfs.conf.j2 +++ b/playbooks/roles/nfsd/templates/nfs.conf.j2 @@ -1,6 +1,9 @@ [general] pipefs-directory={{ pipefs_directory }} +[lockd] +port=4045 + [nfsd] udp=y rdma=y diff --git a/playbooks/roles/nfsd/vars/RedHat.yml b/playbooks/roles/nfsd/vars/RedHat.yml index 091c827c777d..ccffdcc4fdd9 100644 --- a/playbooks/roles/nfsd/vars/RedHat.yml +++ b/playbooks/roles/nfsd/vars/RedHat.yml @@ -1,9 +1,11 @@ --- nfsd_packages: - checkpolicy + - firewalld - lvm2 - nfs-utils - policycoreutils + - python3-firewall - python3-policycoreutils fstype_userspace_progs:
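Review bot: The debian/main.yml hunk still stops and disables firewalld.service, so a Debian-family target that, per the commit message, may be "exposed to the public internet" runs with no host firewall at all, while the task that includes it in main.yml is labelled "Open ports in NFS server's firewall (Debian)", the opposite of what the file does. The only reason given is that the ansible.posix.firewalld module is untested on Debian; running `firewall-cmd --permanent --add-service=nfs` and the other rules through `ansible.builtin.command` (with `changed_when` keyed on its output) would keep the firewall up on Debian with the same rule set as the other families. At minimum, rename the include task so the play log does not claim ports were opened.

Review bot: In the redhat/main.yml hunk the six ansible.posix.firewalld tasks add rpc-bind, nfs, 4045/tcp+udp and 20048/tcp+udp to the default zone with no source restriction, so on a node facing the public internet rpcbind and mountd answer to any address. Limiting each rule to the test clients with the module's `rich_rule` parameter, e.g. `rich_rule: rule family="ipv4" source address="<client CIDR>" service name="rpc-bind" accept`, keeps the NFS path working without that exposure. Two smaller points on the same hunk: firewalld ships a predefined `mountd` service (20048/tcp and 20048/udp) that could replace the two raw-port MNT tasks in the same style as the `rpc-bind` and `nfs` tasks, and the "Turn on firewalld" task is skipped when firewalld.service is absent while the firewalld tasks after it are unconditional, so on such a node the first `ansible.posix.firewalld` task with `immediate: true` fails rather than being skipped.

Review bot: The suse/main.yml hunk is byte-for-byte identical to redhat/main.yml (both blobs carry index 39fab7773d09), which leaves two 65-line copies to keep in sync; one shared task file included for both os families would do. More importantly, these tasks need firewalld and the python3-firewall bindings on the target, and only vars/RedHat.yml gains those packages in this series, so on a SUSE node the `when` guard skips the systemd task and the first ansible.posix.firewalld task then fails. Since the cover text says the SUSE path is untested, either add the packages to the SUSE vars or leave the SUSE file out until it can be exercised.

Review bot: In the main.yml hunk the three include_tasks branches cover only 'Debian', 'Suse' and 'RedHat'; the removed "Turn off firewalld" task ran unconditionally on every family, so on any other os family no firewall task runs at all now and nfsd starts behind whatever firewall state the image shipped with. A fallback branch, or a `fail:` task for unhandled families, would make that explicit rather than silent.

Review bot: The nfs.conf.j2 hunk pins lockd with `[lockd] port=4045`, but the 20048 rules in the firewall tasks assume rpc.mountd also sits on a fixed port and nothing in the template pins it; adding `[mountd]` with `port=20048` keeps the daemon and the rule in agreement regardless of the distribution's default. Please also confirm that `port` alone covers the UDP listener, since nfs.conf(5) documents a separate `udp-port` key under `[lockd]` and the firewall hunks open 4045/udp as well.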