Hello Leon,
On 04/27/2017 11:27 AM, Leon Goldberg wrote:
> Hey,
> We're looking to start making use of firewalld in oVirt. I've gathered a
> list of the missing services, and would like your take on which services
> should be provided by firewalld and which should be provided by the
> relevant 3rd parties.

If there are registered port numbers that are used only for one purpose, then
it is simply possible to get a service added to firewalld upstream and into the
distributions. This also applies if a port is nowadays only used for this purpose.
If there are port numbers that are registered for other well-known services and
therefore can collide with them, or if the port numbers are about to change
soon, then I normally suggest shipping the service file within the project
itself. But this has the downside that the service file will only be available
if the project is installed.
If port numbers are always needed for a service and can therefore be grouped
together in project-specific service files, then it is also possible to add
them. Examples here are the high-availability, RH-Satellite-6 or the freeipa
service files.

> ovirt-imageio (tcp/54322, PR: github.com/t-woerner/firewalld/pull/212/)
> serial consoles (tcp/2223)
> ovn host tunnels (udp/6081)
> gluster swift (tcp/8080)
> tcp/39543, tcp/55863 ("status") -- gluster ports
> nlockmgr (udp/963, tcp/965)
> ctdbd (tcp/4379)
> nrpe (tcp/5666)

There seems to be only one registered port here that is used for the registered
service: ctdbd (tcp/4379)
Is it possible to group the needed port numbers together like for example in
the freeipa services?

> Some of the ports aren't standardized and their name only serves as an
> indication to their use in oVirt; we'd like to know how to treat those as
> well in your opinions.

This is also a good point to group them together in an ovirt service or several
ovirt-X services.

> Thanks,
> Leon

Regards,
Thomas
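
The grouping suggested in the reply above, sketched as a firewalld service file. This is an added example, not part of the original thread and not a file from firewalld or oVirt; the service name `ovirt-host`, the short and description text, and the choice of which of the listed ports to group are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Hypothetical file name: ovirt-host.xml
     Locally defined services live in /etc/firewalld/services/,
     services shipped by packages in /usr/lib/firewalld/services/. -->
<service>
  <short>oVirt host (example)</short>
  <description>Example grouping of the oVirt-specific ports from the list above. The gluster, nlockmgr, ctdbd and nrpe ports are left out here on the assumption that they belong in service files of their own.</description>
  <!-- ovirt-imageio -->
  <port protocol="tcp" port="54322"/>
  <!-- serial consoles -->
  <port protocol="tcp" port="2223"/>
  <!-- ovn host tunnels -->
  <port protocol="udp" port="6081"/>
</service>
```

After `firewall-cmd --reload` the service can be enabled for a zone with `firewall-cmd --permanent --add-service=ovirt-host`, which opens all three ports as one unit instead of three separate port rules.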