Message ID | 20241028214719.2173128-1-cel@kernel.org (mailing list archive) |
---|---|
State | New |
Series | [v2] nfsd: Refine the firewall settings on the -nfsd target node |
> On Oct 28, 2024, at 5:47 PM, cel@kernel.org wrote: > > From: Chuck Lever <chuck.lever@oracle.com> > > In preparation for testing NFSD in the cloud, where target nodes > might be exposed to the public internet, leave the firewall enabled > and permit NFS traffic. > > The documentation for the ansible.posix.firewalld module states "Not > tested on any Debian based system." For now, Debian-based target > nodes still simply disable firewalld. > > Signed-off-by: Chuck Lever <chuck.lever@oracle.com> > --- > .../roles/nfsd/tasks/firewall/debian/main.yml | 11 +++ > .../roles/nfsd/tasks/firewall/redhat/main.yml | 93 +++++++++++++++++++ > .../roles/nfsd/tasks/firewall/suse/main.yml | 93 +++++++++++++++++++ > playbooks/roles/nfsd/tasks/main.yml | 20 ++-- > playbooks/roles/nfsd/templates/nfs.conf.j2 | 6 ++ > playbooks/roles/nfsd/vars/RedHat.yml | 2 + > 6 files changed, 215 insertions(+), 10 deletions(-) > create mode 100644 playbooks/roles/nfsd/tasks/firewall/debian/main.yml > create mode 100644 playbooks/roles/nfsd/tasks/firewall/redhat/main.yml > create mode 100644 playbooks/roles/nfsd/tasks/firewall/suse/main.yml > > Changes: > - Open the statd port as well > > diff --git a/playbooks/roles/nfsd/tasks/firewall/debian/main.yml b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml > new file mode 100644 > index 000000000000..0ba5272812a6 > --- /dev/null > +++ b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml > @@ -0,0 +1,11 @@ > +--- > +- name: Populate service facts > + ansible.builtin.service_facts: > + > +- name: Turn off firewalld > + become: true > + ansible.builtin.systemd_service: > + name: firewalld.service > + enabled: false > + state: stopped > + when: '"firewalld.service" in ansible_facts.services' > diff --git a/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml > new file mode 100644 > index 000000000000..3d1d4fde3efb > --- /dev/null > +++ b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml 
> @@ -0,0 +1,93 @@ > +--- > +- name: Populate service facts > + ansible.builtin.service_facts: > + > +- name: Turn on firewalld > + become: true > + ansible.builtin.systemd_service: > + name: firewalld.service > + enabled: true > + state: started > + when: '"firewalld.service" in ansible_facts.services' > + > +- name: Open the rpcbind service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + service: rpc-bind > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NFS service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + service: nfs > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NSM TCP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 4044/tcp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NSM UDP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 4044/udp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NLM TCP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 4045/tcp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NLM UDP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 4045/udp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the MNT TCP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 20048/tcp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the MNT UDP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + 
ansible.posix.firewalld: > + port: 20048/udp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NFS/RDMA service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 20049/tcp > + permanent: true > + immediate: true > + state: enabled > + > diff --git a/playbooks/roles/nfsd/tasks/firewall/suse/main.yml b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml > new file mode 100644 > index 000000000000..3d1d4fde3efb > --- /dev/null > +++ b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml 
> @@ -0,0 +1,93 @@ > +--- > +- name: Populate service facts > + ansible.builtin.service_facts: > + > +- name: Turn on firewalld > + become: true > + ansible.builtin.systemd_service: > + name: firewalld.service > + enabled: true > + state: started > + when: '"firewalld.service" in ansible_facts.services' > + > +- name: Open the rpcbind service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + service: rpc-bind > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NFS service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + service: nfs > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NSM TCP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 4044/tcp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NSM UDP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 4044/udp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NLM TCP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 4045/tcp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NLM UDP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 4045/udp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the MNT TCP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 20048/tcp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the MNT UDP service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + 
ansible.posix.firewalld: > + port: 20048/udp > + permanent: true > + immediate: true > + state: enabled > + > +- name: Open the NFS/RDMA service port in firewalld > + become: true > + become_method: ansible.builtin.sudo > + ansible.posix.firewalld: > + port: 20049/tcp > + permanent: true > + immediate: true > + state: enabled > + > diff --git a/playbooks/roles/nfsd/tasks/main.yml b/playbooks/roles/nfsd/tasks/main.yml > index 63388f857627..5f944708b2ec 100644 > --- a/playbooks/roles/nfsd/tasks/main.yml > +++ b/playbooks/roles/nfsd/tasks/main.yml > @@ -106,17 +106,17 @@ > state: present > when: selinux_status.rc == 0 > > -# FIXME: open ports instead > -- name: Populate service facts > - service_facts: > +- name: Open ports in NFS server's firewall (Debian) > + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/debian/main.yml > + when: ansible_os_family == 'Debian' > > -- name: Turn off firewalld > - become: yes > - ansible.builtin.systemd_service: > - name: firewalld.service > - enabled: false > - state: stopped > - when: '"firewalld.service" in ansible_facts.services' > +- name: Open ports in NFS server's firewall (Suse) > + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/suse/main.yml > + when: ansible_os_family == 'Suse' > + > +- name: Open ports in NFS server's firewall (Red Hat) > + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/redhat/main.yml > + when: ansible_os_family == 'RedHat' > > - name: Start up nfsd > become: yes > diff --git a/playbooks/roles/nfsd/templates/nfs.conf.j2 b/playbooks/roles/nfsd/templates/nfs.conf.j2 > index a5f4a714ec34..31cf18539798 100644 > --- a/playbooks/roles/nfsd/templates/nfs.conf.j2 > +++ b/playbooks/roles/nfsd/templates/nfs.conf.j2 > @@ -1,6 +1,12 @@ > [general] > pipefs-directory={{ pipefs_directory }} > > +[statd] > +port=4044 > + > +[lockd] > +port=4045 > + > [nfsd] > udp=y > rdma=y 
> diff --git a/playbooks/roles/nfsd/vars/RedHat.yml b/playbooks/roles/nfsd/vars/RedHat.yml > index 091c827c777d..ccffdcc4fdd9 100644 > --- a/playbooks/roles/nfsd/vars/RedHat.yml > +++ b/playbooks/roles/nfsd/vars/RedHat.yml > @@ -1,9 +1,11 @@ > --- > nfsd_packages: > - checkpolicy > + - firewalld > - lvm2 > - nfs-utils > - policycoreutils > + - python3-firewall > - python3-policycoreutils > > fstype_userspace_progs: > -- > 2.46.1 > This probably breaks the NFSv4.0 callback channel. I'm going to set this one aside for the moment. -- Chuck Lever
diff --git a/playbooks/roles/nfsd/tasks/firewall/debian/main.yml b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml new file mode 100644 index 000000000000..0ba5272812a6 --- /dev/null +++ b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml @@ -0,0 +1,11 @@ +--- +- name: Populate service facts + ansible.builtin.service_facts: + +- name: Turn off firewalld + become: true + ansible.builtin.systemd_service: + name: firewalld.service + enabled: false + state: stopped + when: '"firewalld.service" in ansible_facts.services' diff --git a/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml new file mode 100644 index 000000000000..3d1d4fde3efb --- /dev/null +++ b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml 
@@ -0,0 +1,93 @@ +--- +- name: Populate service facts + ansible.builtin.service_facts: + +- name: Turn on firewalld + become: true + ansible.builtin.systemd_service: + name: firewalld.service + enabled: true + state: started + when: '"firewalld.service" in ansible_facts.services' + +- name: Open the rpcbind service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + service: rpc-bind + permanent: true + immediate: true + state: enabled + +- name: Open the NFS service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + service: nfs + permanent: true + immediate: true + state: enabled + +- name: Open the NSM TCP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 4044/tcp + permanent: true + immediate: true + state: enabled + +- name: Open the NSM UDP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 4044/udp + permanent: true + immediate: true + state: enabled + +- name: Open the NLM TCP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 4045/tcp + permanent: true + immediate: true + state: enabled + +- name: Open the NLM UDP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 4045/udp + permanent: true + immediate: true + state: enabled + +- name: Open the MNT TCP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 20048/tcp + permanent: true + immediate: true + state: enabled + +- name: Open the MNT UDP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 20048/udp + permanent: true + immediate: true + state: enabled + +- name: Open the NFS/RDMA service port in firewalld + become: true + become_method: 
ansible.builtin.sudo + ansible.posix.firewalld: + port: 20049/tcp + permanent: true + immediate: true + state: enabled + diff --git a/playbooks/roles/nfsd/tasks/firewall/suse/main.yml b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml new file mode 100644 index 000000000000..3d1d4fde3efb --- /dev/null +++ b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml 
@@ -0,0 +1,93 @@ +--- +- name: Populate service facts + ansible.builtin.service_facts: + +- name: Turn on firewalld + become: true + ansible.builtin.systemd_service: + name: firewalld.service + enabled: true + state: started + when: '"firewalld.service" in ansible_facts.services' + +- name: Open the rpcbind service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + service: rpc-bind + permanent: true + immediate: true + state: enabled + +- name: Open the NFS service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + service: nfs + permanent: true + immediate: true + state: enabled + +- name: Open the NSM TCP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 4044/tcp + permanent: true + immediate: true + state: enabled + +- name: Open the NSM UDP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 4044/udp + permanent: true + immediate: true + state: enabled + +- name: Open the NLM TCP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 4045/tcp + permanent: true + immediate: true + state: enabled + +- name: Open the NLM UDP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 4045/udp + permanent: true + immediate: true + state: enabled + +- name: Open the MNT TCP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 20048/tcp + permanent: true + immediate: true + state: enabled + +- name: Open the MNT UDP service port in firewalld + become: true + become_method: ansible.builtin.sudo + ansible.posix.firewalld: + port: 20048/udp + permanent: true + immediate: true + state: enabled + +- name: Open the NFS/RDMA service port in firewalld + become: true + become_method: 
ansible.builtin.sudo + ansible.posix.firewalld: + port: 20049/tcp + permanent: true + immediate: true + state: enabled + diff --git a/playbooks/roles/nfsd/tasks/main.yml b/playbooks/roles/nfsd/tasks/main.yml index 63388f857627..5f944708b2ec 100644 --- a/playbooks/roles/nfsd/tasks/main.yml +++ b/playbooks/roles/nfsd/tasks/main.yml @@ -106,17 +106,17 @@ state: present when: selinux_status.rc == 0 -# FIXME: open ports instead -- name: Populate service facts - service_facts: +- name: Open ports in NFS server's firewall (Debian) + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/debian/main.yml + when: ansible_os_family == 'Debian' -- name: Turn off firewalld - become: yes - ansible.builtin.systemd_service: - name: firewalld.service - enabled: false - state: stopped - when: '"firewalld.service" in ansible_facts.services' +- name: Open ports in NFS server's firewall (Suse) + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/suse/main.yml + when: ansible_os_family == 'Suse' + +- name: Open ports in NFS server's firewall (Red Hat) + ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/redhat/main.yml + when: ansible_os_family == 'RedHat' - name: Start up nfsd become: yes diff --git a/playbooks/roles/nfsd/templates/nfs.conf.j2 b/playbooks/roles/nfsd/templates/nfs.conf.j2 index a5f4a714ec34..31cf18539798 100644 --- a/playbooks/roles/nfsd/templates/nfs.conf.j2 +++ b/playbooks/roles/nfsd/templates/nfs.conf.j2 @@ -1,6 +1,12 @@ [general] pipefs-directory={{ pipefs_directory }} +[statd] +port=4044 + +[lockd] +port=4045 + [nfsd] udp=y rdma=y diff --git a/playbooks/roles/nfsd/vars/RedHat.yml b/playbooks/roles/nfsd/vars/RedHat.yml index 091c827c777d..ccffdcc4fdd9 100644 --- a/playbooks/roles/nfsd/vars/RedHat.yml +++ b/playbooks/roles/nfsd/vars/RedHat.yml @@ -1,9 +1,11 @@ --- nfsd_packages: - checkpolicy + - firewalld - lvm2 - nfs-utils - policycoreutils + - python3-firewall - python3-policycoreutils fstype_userspace_progs:
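Review bot: in playbooks/roles/nfsd/tasks/firewall/debian/main.yml the Debian branch keeps the old behaviour of stopping and disabling firewalld, while the same patch deletes the `# FIXME: open ports instead` marker from tasks/main.yml; after this change nothing in the tree records that Debian target nodes are still left without a host firewall, which is exactly the exposure the cover letter is trying to close. Suggest carrying the FIXME into debian/main.yml together with the reason given in the cover letter (ansible.posix.firewalld is documented as untested on Debian), so the exception is visible where the behaviour lives.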
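Review bot: in playbooks/roles/nfsd/tasks/firewall/redhat/main.yml only the `Turn on firewalld` task is gated on `'"firewalld.service" in ansible_facts.services'`; the nine `ansible.posix.firewalld` tasks that follow run unconditionally with `immediate: true`, which requires a running firewalld, so on a node where the unit is absent the play aborts at the first port task instead of skipping. For Red Hat the new `firewalld` and `python3-firewall` entries in vars/RedHat.yml make the unit present, so the `when:` on the start task is either redundant or should be applied to the whole file (for example via a `block:`), but not to one task only. Style point: `become_method: ansible.builtin.sudo` is repeated on every task and could be set once at the include or play level.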
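Review bot: playbooks/roles/nfsd/tasks/firewall/suse/main.yml is byte-identical to redhat/main.yml (both carry blob id 3d1d4fde3efb), but unlike the Red Hat case no SUSE vars file in this series adds `firewalld` and `python3-firewall` to `nfsd_packages`, so the unconditional `ansible.posix.firewalld` tasks will fail on a SUSE target that does not already ship firewalld and its Python bindings. Suggest adding the equivalent packages to the SUSE vars, and folding the two identical files into one firewalld task file included for both families, so only the Debian branch differs.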
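Review bot: in the playbooks/roles/nfsd/tasks/main.yml hunk the three `include_tasks` are selected on `ansible_os_family == 'Debian'`, `'Suse'` and `'RedHat'`, so a target from any other family now gets no firewall handling at all and proceeds silently to `Start up nfsd`, whereas the removed `Turn off firewalld` task applied regardless of family. Suggest a final task that fails (or at least warns) when none of the three conditions matched, so an unhandled family is reported rather than left in an unknown firewall state.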
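Review bot: in playbooks/roles/nfsd/templates/nfs.conf.j2 the new `[statd] port=4044` and `[lockd] port=4045` stanzas fix the ports that the firewall tasks open as `4044/tcp`, `4044/udp`, `4045/tcp` and `4045/udp`, but the numbers are hard-coded in both the template and the task files and will drift if either side is edited. The mountd rule for `20048/tcp` and `20048/udp` has no matching stanza in the template at all, so it only lines up with whatever port rpc.mountd binds by default on the target. Suggest role variables (hypothetically `nfsd_statd_port`, `nfsd_lockd_port`, `nfsd_mountd_port`) rendered into both the template and the `port:` arguments, plus a `[mountd] port=...` stanza so the 20048 rule matches what the daemon actually listens on.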
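Review bot: in playbooks/roles/nfsd/vars/RedHat.yml the new `python3-firewall` entry is a dependency of the `ansible.posix.firewalld` module rather than of the NFS server itself, and nothing in `nfsd_packages` says so; a one-line comment next to it (and next to `firewalld`) would spare the next reader from working out why a role named nfsd installs firewall bindings.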