LU-14224 misc: add firewalld service configuration

RHEL8 ships with restrictive firewalld rules out of the box.
This prevents servers and clients from connecting to each other.
Add a lustre.xml service file for firewalld, so that it is easy
to run a command like:

    firewall-cmd --permanent --zone=public --add-service=lustre

to add the Lustre service ports with minimal difficulty.

It would be good if this was run automatically when the RPMs are
installed, or when mount.lustre is run, but it isn't clear what
is good/safe/correct in all cases. At least having the service
file will be a starting point to make this easier for admins.

It would be even better if the Lustre service rules were restricted
to accepting only new connections, and clients would only accept
requests from the MGS initially and then dynamically add ports for
servers as they are configured, but this is beyond my firewalld-fu.

Test-Parameters: trivial
Signed-off-by: Andreas Dilger <adilger@whamcloud.com>
Change-Id: I9f49d4b0df1c9fb6b343df81f966d9110c300c1e
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/41021
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>
Reviewed-by: Olaf Faaland <faaland1@llnl.gov>
Reviewed-by: Alex Deiter <alex.deiter@gmail.com>
Reviewed-by: Oleg Drokin <green@whamcloud.com>

diff --git a/lustre.spec.in b/lustre.spec.in
index 653bc1e..3ab3ab2 100644 (file)
--- a/lustre.spec.in
+++ b/lustre.spec.in
@@ -689,6 +689,7 @@ fi
 %endif
 
 %if %{with lustre_modules}
+echo '%{_prefix}/lib/firewalld/services/*.xml' >>lustre.files
 # mark modules executable for find-debuginfo.sh
 find $RPM_BUILD_ROOT/lib/modules -name \*.ko -type f -exec chmod u+x {} \;
 %endif

diff --git a/lustre/conf/Makefile.am b/lustre/conf/Makefile.am
index d9fdde5..27ed72d 100644 (file)
--- a/lustre/conf/Makefile.am
+++ b/lustre/conf/Makefile.am
@@ -34,7 +34,7 @@
 SUBDIRS = resource
 DIST_SUBDIRS = resource
 
-EXTRA_DIST = lustre.dtd lustre2ldif.xsl top.ldif \
+EXTRA_DIST = lustre.dtd lustre.xml lustre2ldif.xsl top.ldif \
              99-lustre.rules lustre ldev.conf ko2iblnd.conf lsvcgss \
              lnet_routes.conf lnet.conf lgssc.conf 99-lustre-server.rules
 
@@ -45,6 +45,8 @@ noinst_DATA = top.ldif lustre2ldif.xsl
 sysconf_DATA += lnet_routes.conf
 endif
 
+firewallddir = ${prefix}/lib/firewalld/services
+firewalld_DATA = lustre.xml
 udevrulesdir = $(sysconfdir)/udev/rules.d
 udevrules_DATA = 99-lustre.rules
 

diff --git a/lustre/conf/lustre.xml b/lustre/conf/lustre.xml
new file mode 100644 (file)
index 0000000..012122a
--- /dev/null
+++ b/lustre/conf/lustre.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>Lustre</short>
+  <description>The Lustre protocol is used to share files via TCP (or IB) networking. You will need to have the Lustre tools installed and properly configure your Lustre server for this option to be useful.</description>
+  <port protocol="tcp" port="988"/>
+</service>