From 9cb4b10c87d2f3f53ce594d606a7b1b3d0cd18a6 Mon Sep 17 00:00:00 2001
From: Andreas Dilger
Date: Wed, 7 Apr 2021 12:37:42 -0700
Subject: [PATCH] LU-14224 misc: add firewalld service configuration
RHEL8 ships with restrictive firewalld rules out of the box. This prevents servers and clients from connecting to each other. Add a lustre.xml service file for firewalld, so that it is easy to run a command like: firewall-cmd --permanent --zone=public --add-service=lustre to add the Lustre service ports with minimal difficulty. It would be good if this was run automatically when the RPMs are installed, or when mount.lustre is run, but it isn't clear what is good/safe/correct in all cases. At least having the service file will be a starting point to make this easier for admins. It would be even better if the Lustre service rules were restricted to accepting only new connections, and clients would only accept requests from the MGS initially and then dynamically add ports for servers as they are configured, but this is beyond my firewalld-fu.
Test-Parameters: trivial
Signed-off-by: Andreas Dilger
Change-Id: I9f49d4b0df1c9fb6b343df81f966d9110c300c1e
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/41021
Tested-by: jenkins
Tested-by: Maloo
Reviewed-by: Olaf Faaland
Reviewed-by: Alex Deiter
Reviewed-by: Oleg Drokin
---
 lustre.spec.in | 1 +
 lustre/conf/Makefile.am | 4 +++-
 lustre/conf/lustre.xml | 6 ++++++
 3 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 lustre/conf/lustre.xml
diff --git a/lustre.spec.in b/lustre.spec.in
index 653bc1e..3ab3ab2 100644
--- a/lustre.spec.in
+++ b/lustre.spec.in
@@ -689,6 +689,7 @@ fi
 %endif
 %if %{with lustre_modules}
+echo '%{_prefix}/lib/firewalld/services/*.xml' >>lustre.files
 # mark modules executable for find-debuginfo.sh
 find $RPM_BUILD_ROOT/lib/modules -name \*.ko -type f -exec chmod u+x {} \;
 %endif
diff --git a/lustre/conf/Makefile.am b/lustre/conf/Makefile.am
index d9fdde5..27ed72d 100644
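Review bot: The added `echo '%{_prefix}/lib/firewalld/services/*.xml' >>lustre.files` line sits inside `%if %{with lustre_modules}`, while the Makefile.am part of this patch installs lustre.xml with no visible condition, so a build without lustre_modules would presumably install the file without packaging it and rpmbuild may stop on an unpackaged file. Moving the line out of the conditional and listing the file by name, `echo '%{_prefix}/lib/firewalld/services/lustre.xml' >>lustre.files`, would also keep the package from claiming every service definition that ends up in that directory. A comment above it such as `# firewalld service definition; it opens no ports until an admin adds the service to a zone` would tell packagers that installing the file changes no firewall state. The enclosing %install section starts and ends outside the hunk.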
--- a/lustre/conf/Makefile.am
+++ b/lustre/conf/Makefile.am
@@ -34,7 +34,7 @@ SUBDIRS = resource
 DIST_SUBDIRS = resource
-EXTRA_DIST = lustre.dtd lustre2ldif.xsl top.ldif \
+EXTRA_DIST = lustre.dtd lustre.xml lustre2ldif.xsl top.ldif \
 99-lustre.rules lustre ldev.conf ko2iblnd.conf lsvcgss \
 lnet_routes.conf lnet.conf lgssc.conf 99-lustre-server.rules
@@ -45,6 +45,8 @@ noinst_DATA = top.ldif lustre2ldif.xsl
 sysconf_DATA += lnet_routes.conf
 endif
+firewallddir = ${prefix}/lib/firewalld/services
+firewalld_DATA = lustre.xml
 udevrulesdir = $(sysconfdir)/udev/rules.d
 udevrules_DATA = 99-lustre.rules
diff --git a/lustre/conf/lustre.xml b/lustre/conf/lustre.xml
new file mode 100644
index 0000000..012122a
--- /dev/null
+++ b/lustre/conf/lustre.xml
@@ -0,0 +1,6 @@
+
+
+ Lustre
+ The Lustre protocol is used to share files via TCP (or IB) networking. You will need to have the Lustre tools installed and properly configure your Lustre server for this option to be useful.
+
+
--
1.8.3.1
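Review bot: `firewallddir = ${prefix}/lib/firewalld/services` in the second hunk ties the install location to the configure prefix, but firewalld loads packaged service definitions from `/usr/lib/firewalld/services` (and local ones from `/etc/firewalld/services`), so with any prefix other than /usr the file would land where the daemon does not look. A comment stating that, for example `# firewalld only reads packaged services from /usr/lib/firewalld/services; correct only when prefix is /usr`, would make the assumption visible. For style, `$(prefix)` would match the `$(sysconfdir)` form used on the following `udevrulesdir` line. The two assignments also follow the `endif`, so the file is installed even on builds or hosts where firewalld is absent, which differs from the conditional packaging in lustre.spec.in.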
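Review bot: The description text in the new lustre.xml carries no guidance on exposure, and the commit message's example adds the service to the `public` zone, which admits connections from any source that reaches that zone. The element markup, including the port entries, did not survive in this rendering, so the port list itself cannot be checked here. I would add one sentence to the description, such as `Add this service only to a zone bound to the Lustre network interfaces or source addresses.`, so that the guidance is shown wherever firewalld displays the service description. This is a documentation change only and leaves the service definition itself as submitted.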