On 6 March 2014 15:12, Stephen Gallagher <sgallagh@redhat.com> wrote:

On 03/06/2014 05:06 PM, Stephen John Smoogen wrote:
>
>
>
> On 6 March 2014 14:54, Reindl Harald <h.reindl@thelounge.net> wrote:
>
>
>
> On 06.03.2014 22:43, Stephen Gallagher wrote:
>> On 03/06/2014 04:28 PM, Reindl Harald wrote:
>>
>>> On 06.03.2014 22:13, Miloslav Trmač wrote:
>>>> 2014-03-06 22:03 GMT+01:00 Simo Sorce <simo@redhat.com>:
>>>> Sorry I do not understand what you are saying here.
>>>>
>>>> $ fedora-role-deploy postgresql
>>>> # Huh, it is refusing connections?
>>>> # Ah, firewall...
>>>> $ fedora-role-deploy --open-firewall-ports postgresql
>>>> # That's how it is done in Fedora, then.  Good to know.
>>
>>> right direction
>>
>>>> # Time passes...
>>>>
>>>> $ fedora-role-deploy freeipa
>>>> # Huh, this is already accessible?
>>
>>> that must not happen
>>
>>> * not from usability point of view
>>> * not from security point of view - *no* open ports *never ever* as default
>>
>> The debate here is where you draw the line as to "what is
>> default". Deploying a role is *NOT* the same as just installing a
>> package. For package installs, I absolutely agree that we should
>> never be poking holes in the firewall.
>
> i draw the line *strict*
>
> if i deploy whatever role nobody other than me is responsible to open
> firewall ports because nobody other than me can know if it is sane to
> do so or what i have planned after the deployment before going into
> production
>
>
> Then in this case, you wouldn't want to use Roles in any form as
> they aren't going to help you any. You aren't the target audience
> for them. Trying to make you the target audience would only work
> in your environment and no one else's.
>

I don't think that's necessarily a fair statement. We fully intend for
the firewall control on these Roles to be easy to turn off and on at
will. Upgrades should never change that state[1]. I don't see any
reason why, under those conditions, Roles couldn't work for Mr. Reindl.


I didn't say that roles couldn't work, just that he isn't the target audience. From what I have read through the years, Harald has a very strict setup which he knows very well and works well for what he needs done. However, doing any sort of configuration management outside of what he has in place is going to cause problems. They are ones that can be worked around, but you would need to make sure that the default of every role command is noop. Only after he had configured, edited and audited the tasks would he want them to be anything else.

Note this isn't meant to be derogatory to H. Reindl, and if it comes across that way I am sorry. I have a lot of respect for people who work in such environments and realize that there is a LOT of need for it. I also know that if you are designing a product to meet those types of environments you need to know from the start that 1) nothing happens without express commands and 2) nothing is to be hard coded but configurable before a role is deployed. It usually means where you could come up with a 'generic' 60% solution in 20 lines of code, you now need 4000 lines of code to deal with all the alternatives and options that will come up.



--
Stephen J Smoogen.