defining firewalld services

Stephen Gallagher sgallagh at redhat.com
Mon Jul 7 17:44:00 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/07/2014 01:03 PM, Thomas Woerner wrote:
> On 07/07/2014 02:55 PM, Stephen Gallagher wrote:
>> On 07/04/2014 07:36 AM, Thomas Woerner wrote:
>>>> On 07/03/2014 09:32 PM, Stef Walter wrote:
>>>>> On 03.07.2014 15:39, Rex Dieter wrote:
>>>>>> I'm looking into providing a predefined firewalld
>>>>>> service definition for kde-connect, per 
>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1115547
>>>>>> 
>>>>>> Looks like it's as easy as dropping an xml snippet into 
>>>>>> /usr/lib/firewalld/services/
>>>>>> 
>>>>>> I'm also noticing currently that the only package
>>>>>> besides firewalld itself doing this is cockpit, which
>>>>>> includes a %post scriptlet:
>>>>>> 
>>>>>> # firewalld only partially picks up changes to its
>>>>>> # services files without this
>>>>>> test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
>>>>>> 
>>>>>> 
>>>>>> Is this the recommended approach?  If so, I'll follow
>>>>>> this lead, and maybe start work on drafting some
>>>>>> packaging guidelines.
>>>>> 
>>>>> Thomas Woerner would be the one to work out those
>>>>> guidelines.
>>>>> 
>>>> Yes.
>>>> 
>>>>> But to explain ... apparently there are two firewalld 
>>>>> "environments". When you install a service file it only
>>>>> affects the installed environment (used after a reboot) and
>>>>> not the current "runtime environment".
>>>>> 
>>>>> This means that a user can't immediately use your service 
>>>>> definition in a command like:
>>>>> 
>>>>> $ firewall-cmd --add-service=cockpit
>>>>> 
>>>>> The command:
>>>>> 
>>>>> $ firewall-cmd --reload
>>>>> 
>>>>> ... makes newly installed service files available in the
>>>>> runtime environment. I guess this is sorta analogous to
>>>>> 'systemctl daemon-reload'.
>>>>> 
>>>> Newly added services and zones are available in the
>>>> permanent environment of firewalld, where they can be used
>>>> with the UI and command line tools.
>>>> 
>>>> To have a newly added service or zone in the runtime
>>>> environment it is needed to reload firewalld: firewall-cmd
>>>> --reload or systemctl reload firewalld.service.
>>>> 
> 
> 
> Thomas, the real question here is this: If a package wants to
> install (and maintain) its own set of firewalld service
> definitions, is the approach Stef took the best one? If so, we
> should submit a Packaging Guidelines edit to the FPC and get this
> codified where others can find it.
> 
>> Yes, this is the best approach right now.
> 
>> I can write some documentation for this. What is the proper way
>> to get it in the Packaging guidelines?
> 
Create a draft with an example on the Wiki and then send an email to
packaging at lists.fedoraproject.org to ask them to review it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlO63GAACgkQeiVVYja6o6OF9QCffdDLUE2dUtaQU7vQjGVvVZsx
xKQAoIaUi5ym7iRpxF4eBkx16BqGCrqn
=xVgQ
-----END PGP SIGNATURE-----
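The thread settles on dropping an XML snippet into /usr/lib/firewalld/services/ and reloading firewalld from %post. Before shipping such a file it is worth checking that it has the shape firewalld expects (a `<service>` root with `<short>` and well-formed `<port protocol="..." port="..."/>` entries), and knowing that an administrator's copy under /etc/firewalld/services/ shadows the packaged one of the same file name, so a stale admin override can silently replace what the package installs. The following script is an added example written for this page, not code from the thread, firewalld or any package; the service name "example-app" and its ports are constructed placeholders, and the directory layout is emulated in a temporary directory so it runs without firewalld installed.

```python
"""Sanity-check a firewalld service definition before packaging it.

Added example (not from the thread). It validates the XML shape that
firewalld loads from /usr/lib/firewalld/services/ and shows which file
wins when both the vendor directory and the admin directory
(/etc/firewalld/services/) carry a definition with the same name.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Protocols accepted in <port> elements of a service file.
VALID_PROTOCOLS = {"tcp", "udp"}

# Constructed sample definition: placeholder name and ports, not a real service.
SAMPLE_SERVICE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Example App</short>
  <description>Placeholder service definition used by this example.</description>
  <port protocol="tcp" port="17140"/>
  <port protocol="udp" port="17140-17150"/>
</service>
"""


def _port_ok(value):
    """Accept a single port (1-65535) or an ascending range 'a-b'."""
    parts = value.split("-")
    if len(parts) > 2:
        return False
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        return False
    if any(not 1 <= n <= 65535 for n in nums):
        return False
    return len(nums) == 1 or nums[0] <= nums[1]


def validate_service_xml(text):
    """Return a list of problems found; an empty list means the file looks sane."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "service":
        return [f"root element is <{root.tag}>, expected <service>"]
    problems = []
    if root.find("short") is None:
        problems.append("missing <short>")
    ports = root.findall("port")
    if not ports:
        problems.append("no <port> elements: the service would open nothing")
    for p in ports:
        proto = p.get("protocol", "")
        port = p.get("port", "")
        if proto not in VALID_PROTOCOLS:
            problems.append(f"bad protocol {proto!r}")
        if not _port_ok(port):
            problems.append(f"bad port {port!r}")
    return problems


def effective_definition(name, etc_dir, lib_dir):
    """Return (path, origin) of the file firewalld would load for `name`.

    The admin directory (/etc/firewalld/services) is consulted before the
    vendor directory (/usr/lib/firewalld/services), so an admin copy
    shadows the packaged one with the same file name.
    """
    for origin, directory in (("admin", etc_dir), ("vendor", lib_dir)):
        candidate = os.path.join(directory, f"{name}.xml")
        if os.path.isfile(candidate):
            return candidate, origin
    return None, None


def demo():
    """Emulate both directories in a temp dir and report which copy wins."""
    with tempfile.TemporaryDirectory() as tmp:
        lib_dir = os.path.join(tmp, "usr", "lib", "firewalld", "services")
        etc_dir = os.path.join(tmp, "etc", "firewalld", "services")
        os.makedirs(lib_dir)
        os.makedirs(etc_dir)
        # The package installs its definition into the vendor directory.
        with open(os.path.join(lib_dir, "example-app.xml"), "w") as fh:
            fh.write(SAMPLE_SERVICE_XML)
        vendor_only = effective_definition("example-app", etc_dir, lib_dir)[1]
        # An admin copy of the same name now shadows the packaged one.
        with open(os.path.join(etc_dir, "example-app.xml"), "w") as fh:
            fh.write(SAMPLE_SERVICE_XML)
        overridden = effective_definition("example-app", etc_dir, lib_dir)[1]
        missing = effective_definition("no-such-service", etc_dir, lib_dir)
    return {"vendor_only": vendor_only, "after_admin_copy": overridden,
            "missing": missing}


if __name__ == "__main__":
    print("problems:", validate_service_xml(SAMPLE_SERVICE_XML) or "none")
    print(demo())
```

Run the validator over the file in your package's source tree as part of %check, and remember that a correct file still only reaches the permanent configuration: the runtime environment sees it after `firewall-cmd --reload`, exactly as the scriptlet quoted above does.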

