On 07/04/2014 07:36 AM, Thomas Woerner wrote:
> On 07/03/2014 09:32 PM, Stef Walter wrote:
>> On 03.07.2014 15:39, Rex Dieter wrote:
>>> I'm looking into providing a predefined firewalld service
>>> definition for kde-connect, per
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1115547
>>>
>>> Looks like it's as easy as dropping an xml snippet into
>>> /usr/lib/firewalld/services/
>>>
>>> I'm also noticing currently that the only package besides
>>> firewalld itself doing this is cockpit, which includes a %post
>>> scriptlet:
>>>
>>> # firewalld only partially picks up changes to its services files
>>> # without this
>>> test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
>>>
>>>
>>> Is this the recommended approach? If so, I'll follow this
>>> lead, and maybe start work on drafting some packaging
>>> guidelines.
>>
>> Thomas Woerner would be the one to work out those guidelines.
>>
> Yes.
>
>> But to explain ... apparently there are two firewalld
>> "environments". When you install a service file it only affects
>> the installed environment (used after a reboot) and not the
>> current "runtime environment".
>>
>> This means that a user can't immediately use your service
>> definition in a command like:
>>
>> $ firewall-cmd --add-service=cockpit
>>
>> The command:
>>
>> $ firewall-cmd --reload
>>
>> ... makes newly installed service files available in the runtime
>> environment. I guess this is sorta analogous to 'systemctl
>> daemon-reload'.
>>
> Newly added services and zones are available in the permanent
> environment of firewalld, where they can be used with the UI and
> command line tools.
>
> To have a newly added service or zone in the runtime environment it
> is needed to reload firewalld: firewall-cmd --reload or systemctl
> reload firewalld.service.

Thomas, the real question here is this: If a package wants to install
(and maintain) its own set of firewalld service definitions, is the
approach Stef took the best one? If so, we should submit a Packaging
Guidelines edit to the FPC and get this codified where others can find it.
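
The permanent/runtime split discussed in this thread, as an added example (not code from cockpit, firewalld or any poster): a scriptlet-style helper that reloads only when firewalld is running and the new service is in the permanent environment but not yet in the runtime one. The `FIREWALL_CMD` variable, the function names and the status words are assumptions made here; `kde-connect` is used only as a sample service name.

```shell
#!/bin/sh
# Added example. FIREWALL_CMD is a hypothetical override so the logic can be
# exercised without a live firewalld; it defaults to the real firewall-cmd.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Return 0 if the service name ($1) is known to the runtime environment.
service_in_runtime() {
    "$FIREWALL_CMD" --get-services 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$1"
}

# Return 0 if the service name ($1) is known to the permanent environment.
service_in_permanent() {
    "$FIREWALL_CMD" --permanent --get-services 2>/dev/null \
        | tr ' ' '\n' | grep -qxF -- "$1"
}

# Make a freshly installed service definition usable at runtime.
# Prints one status word and always returns 0, so a package transaction
# never fails because of the firewall.
publish_service() {
    svc="$1"
    if ! command -v "$FIREWALL_CMD" >/dev/null 2>&1; then
        echo "no-firewalld"; return 0
    fi
    if ! "$FIREWALL_CMD" --state >/dev/null 2>&1; then
        echo "not-running"; return 0    # definition is read at next start
    fi
    if service_in_runtime "$svc"; then
        echo "already-loaded"; return 0 # nothing to do, skip the reload
    fi
    if ! service_in_permanent "$svc"; then
        echo "definition-missing"; return 0
    fi
    # --reload replaces the runtime configuration with the permanent one,
    # so runtime-only rules an admin added are dropped; reload only here.
    "$FIREWALL_CMD" --reload --quiet >/dev/null 2>&1 || true
    if service_in_runtime "$svc"; then
        echo "reloaded"
    else
        echo "reload-failed"
    fi
    return 0
}
```

Installing the definition and reloading does not open any port; the service still has to be added to a zone, as with the `--add-service` command quoted above.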