From patchwork Mon Oct 28 21:47:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chuck Lever X-Patchwork-Id: 13854195 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F26791EE012 for ; Mon, 28 Oct 2024 21:47:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1730152044; cv=none; b=IXtKdHR/Raou0KBhblCMQLfJBzCyj1lt7No0YtX8DHkeUn1/9Pp+4SxAn0jBeQXzIuNe0fytyhEgdnC04jez9Oh59+HGHKSyPjMcql4Y/TCdGPQzrun8BqftGqQt9FKhyJ9uHOVQjxnCfIUTtSxrVH8VlJ6Of4naNXZhGETfepI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1730152044; c=relaxed/simple; bh=8fu0QOIMWron6OCW1o3k2u4Ui87xLAthKa33lvS31lA=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=AK6obuNgdj8BsyZHaY0tr+ogzu36ASLiIrN7nN3lejrJHeJ/tbziGMdzicEgKADN0452/RrtM5rqHYwX9YjPjxVf8eAgm5B0y1Qb/KY4Rff7fUxzV7r8iKAaJsSAlh0n5N/QWFf9Hy6VD16b0bsC7qNiMaI8aT7Ig3VEUErJinA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=DLjR77EE; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="DLjR77EE" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 360B3C4CEC3; Mon, 28 Oct 2024 21:47:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1730152043; bh=8fu0QOIMWron6OCW1o3k2u4Ui87xLAthKa33lvS31lA=; h=From:To:Cc:Subject:Date:From; b=DLjR77EE+648TiRjpw2tQTS64TZqMiK2J5cLzIZFboGF0+cZSeucvZhIrM4VgPZmK hUtMK9ISuzn3kcJArTrwQUbn4VKGb1HGY5btwHZxanFiQI5as3AEdStFSnds6cc8ml 
k3VWrqCrFv4fuQBe8hCUOd5io3Xms2we40W24Y3NBHVSRqaTnV/t/WpFJFPROgX9NI N64fiRnNwAUfaFwHckjdhdNlVdXcmTpnWNEksI8CcRLMLDB+z7rKMXC/txkIYD/N6P qxjwETuOWl/vQRRoOacFCykrUmQsSTRbWlUWqjR3qLc5T+6dSik1TazRtINXX8nx8h As21KxoCmJAAw== From: cel@kernel.org To: Cc: Chuck Lever Subject: [PATCH v2] nfsd: Refine the firewall settings on the -nfsd target node Date: Mon, 28 Oct 2024 17:47:19 -0400 Message-ID: <20241028214719.2173128-1-cel@kernel.org> X-Mailer: git-send-email 2.46.1 Precedence: bulk X-Mailing-List: kdevops@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 From: Chuck Lever In preparation for testing NFSD in the cloud, where target nodes might be exposed to the public internet, leave the firewall enabled and permit NFS traffic. The documentation for the ansible.posix.firewalld module states "Not tested on any Debian based system." For now, Debian-based target nodes still simply disable firewalld. Signed-off-by: Chuck Lever --- .../roles/nfsd/tasks/firewall/debian/main.yml | 11 +++ .../roles/nfsd/tasks/firewall/redhat/main.yml | 93 +++++++++++++++++++ .../roles/nfsd/tasks/firewall/suse/main.yml | 93 +++++++++++++++++++ playbooks/roles/nfsd/tasks/main.yml | 20 ++-- playbooks/roles/nfsd/templates/nfs.conf.j2 | 6 ++ playbooks/roles/nfsd/vars/RedHat.yml | 2 + 6 files changed, 215 insertions(+), 10 deletions(-) create mode 100644 playbooks/roles/nfsd/tasks/firewall/debian/main.yml create mode 100644 playbooks/roles/nfsd/tasks/firewall/redhat/main.yml create mode 100644 playbooks/roles/nfsd/tasks/firewall/suse/main.yml Changes: - Open the statd port as well diff --git a/playbooks/roles/nfsd/tasks/firewall/debian/main.yml b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml new file mode 100644 index 000000000000..0ba5272812a6 --- /dev/null +++ b/playbooks/roles/nfsd/tasks/firewall/debian/main.yml 
@@ -0,0 +1,11 @@
+---
+- name: Populate service facts
+ ansible.builtin.service_facts:
+
+- name: Turn off firewalld
+ become: true
+ ansible.builtin.systemd_service:
+ name: firewalld.service
+ enabled: false
+ state: stopped
+ when: '"firewalld.service" in ansible_facts.services'
diff --git a/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml
new file mode 100644
index 000000000000..3d1d4fde3efb
--- /dev/null
+++ b/playbooks/roles/nfsd/tasks/firewall/redhat/main.yml
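Review bot: The Debian path still disables firewalld outright, which on the internet-exposed target nodes the description mentions leaves every listening service reachable rather than only NFS, and nothing in the new file records that this is a stopgap. A comment at the top of the task file would keep the intent visible, e.g. `# Stopgap: ansible.posix.firewalld is documented as untested on Debian, so firewalld is stopped here instead of opening the NFS ports; revisit once the module is verified.` The `when:` also only guards the stop task, so a Debian image that uses a different firewall (ufw or plain nftables) is left untouched — presumably intentional, but worth stating in the same comment.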
@@ -0,0 +1,93 @@
+---
+- name: Populate service facts
+ ansible.builtin.service_facts:
+
+- name: Turn on firewalld
+ become: true
+ ansible.builtin.systemd_service:
+ name: firewalld.service
+ enabled: true
+ state: started
+ when: '"firewalld.service" in ansible_facts.services'
+
+- name: Open the rpcbind service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ service: rpc-bind
+ permanent: true
+ immediate: true
+ state: enabled
+
+- name: Open the NFS service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ service: nfs
+ permanent: true
+ immediate: true
+ state: enabled
+
+- name: Open the NSM TCP service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ port: 4044/tcp
+ permanent: true
+ immediate: true
+ state: enabled
+
+- name: Open the NSM UDP service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ port: 4044/udp
+ permanent: true
+ immediate: true
+ state: enabled
+
+- name: Open the NLM TCP service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ port: 4045/tcp
+ permanent: true
+ immediate: true
+ state: enabled
+
+- name: Open the NLM UDP service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ port: 4045/udp
+ permanent: true
+ immediate: true
+ state: enabled
+
+- name: Open the MNT TCP service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ port: 20048/tcp
+ permanent: true
+ immediate: true
+ state: enabled
+
+- name: Open the MNT UDP service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ port: 20048/udp
+ permanent: true
+ immediate: true
+ state: enabled
+
+- name: Open the NFS/RDMA service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ port: 20049/tcp
+ permanent: true
+ immediate: true
+ state: enabled
+
diff --git a/playbooks/roles/nfsd/tasks/firewall/suse/main.yml b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml
new file mode 100644
index 000000000000..3d1d4fde3efb
--- /dev/null
+++ b/playbooks/roles/nfsd/tasks/firewall/suse/main.yml
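Review bot: The nine `ansible.posix.firewalld` tasks run unconditionally while the `Turn on firewalld` task above them is skipped when `firewalld.service` is absent from the service facts, so on a host without firewalld the play errors at `Open the rpcbind service port in firewalld` instead of skipping; the same guard belongs on them (or an explicit `ansible.builtin.fail` with a clear message). The vars/RedHat.yml hunk installs `firewalld` and `python3-firewall`, so the gap matters mostly for the byte-identical suse/main.yml, which carries the same set of tasks. The tasks differ only in the `service`/`port` value, so one looped task per kind keeps the file short and applies the guard once; the `become_method: ansible.builtin.sudo` lines are also redundant with the default. No `zone:` or `source:` is given either, so the openings land in the default zone on every interface; if the test clients are known, restricting `source:` keeps the exposure to the test traffic.

```yaml
# … unchanged: service_facts and "Turn on firewalld" tasks …
- name: Open the NFS-related firewalld services
  become: true
  ansible.posix.firewalld:
    service: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - rpc-bind
    - nfs
  when: '"firewalld.service" in ansible_facts.services'

- name: Open the NSM, NLM, MNT and NFS/RDMA ports in firewalld
  become: true
  ansible.posix.firewalld:
    port: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  loop:
    - 4044/tcp
    - 4044/udp
    - 4045/tcp
    - 4045/udp
    - 20048/tcp
    - 20048/udp
    - 20049/tcp
  when: '"firewalld.service" in ansible_facts.services'
```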
@@ -0,0 +1,93 @@
+---
+- name: Populate service facts
+ ansible.builtin.service_facts:
+
+- name: Turn on firewalld
+ become: true
+ ansible.builtin.systemd_service:
+ name: firewalld.service
+ enabled: true
+ state: started
+ when: '"firewalld.service" in ansible_facts.services'
+
+- name: Open the rpcbind service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ service: rpc-bind
+ permanent: true
+ immediate: true
+ state: enabled
+
+- name: Open the NFS service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ service: nfs
+ permanent: true
+ immediate: true
+ state: enabled
+
+- name: Open the NSM TCP service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ port: 4044/tcp
+ permanent: true
+ immediate: true
+ state: enabled
+
+- name: Open the NSM UDP service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ port: 4044/udp
+ permanent: true
+ immediate: true
+ state: enabled
+
+- name: Open the NLM TCP service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ port: 4045/tcp
+ permanent: true
+ immediate: true
+ state: enabled
+
+- name: Open the NLM UDP service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ port: 4045/udp
+ permanent: true
+ immediate: true
+ state: enabled
+
+- name: Open the MNT TCP service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ port: 20048/tcp
+ permanent: true
+ immediate: true
+ state: enabled
+
+- name: Open the MNT UDP service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ port: 20048/udp
+ permanent: true
+ immediate: true
+ state: enabled
+
+- name: Open the NFS/RDMA service port in firewalld
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.posix.firewalld:
+ port: 20049/tcp
+ permanent: true
+ immediate: true
+ state: enabled
+
diff --git a/playbooks/roles/nfsd/tasks/main.yml b/playbooks/roles/nfsd/tasks/main.yml
index 63388f857627..5f944708b2ec 100644
--- a/playbooks/roles/nfsd/tasks/main.yml
+++ b/playbooks/roles/nfsd/tasks/main.yml
@@ -106,17 +106,17 @@ state: present when: selinux_status.rc == 0
-# FIXME: open ports instead
-- name: Populate service facts
- service_facts:
+- name: Open ports in NFS server's firewall (Debian)
+ ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/debian/main.yml
+ when: ansible_os_family == 'Debian'
-- name: Turn off firewalld
- become: yes
- ansible.builtin.systemd_service:
- name: firewalld.service
- enabled: false
- state: stopped
- when: '"firewalld.service" in ansible_facts.services'
+- name: Open ports in NFS server's firewall (Suse)
+ ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/suse/main.yml
+ when: ansible_os_family == 'Suse'
+
+- name: Open ports in NFS server's firewall (Red Hat)
+ ansible.builtin.include_tasks: roles/nfsd/tasks/firewall/redhat/main.yml
+ when: ansible_os_family == 'RedHat' - name: Start up nfsd become: yes
diff --git a/playbooks/roles/nfsd/templates/nfs.conf.j2 b/playbooks/roles/nfsd/templates/nfs.conf.j2
index a5f4a714ec34..31cf18539798 100644
--- a/playbooks/roles/nfsd/templates/nfs.conf.j2
+++ b/playbooks/roles/nfsd/templates/nfs.conf.j2
@@ -1,6 +1,12 @@ [general] pipefs-directory={{ pipefs_directory }}
+[statd]
+port=4044
+
+[lockd]
+port=4045
+ [nfsd] udp=y rdma=y
diff --git a/playbooks/roles/nfsd/vars/RedHat.yml b/playbooks/roles/nfsd/vars/RedHat.yml
index 091c827c777d..ccffdcc4fdd9 100644
--- a/playbooks/roles/nfsd/vars/RedHat.yml
+++ b/playbooks/roles/nfsd/vars/RedHat.yml
@@ -1,9 +1,11 @@ --- nfsd_packages: - checkpolicy
+ - firewalld - lvm2 - nfs-utils - policycoreutils
+ - python3-firewall - python3-policycoreutils fstype_userspace_progs:
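Review bot: suse/main.yml is byte-for-byte the redhat file (both blobs are 3d1d4fde3efb), yet the diffstat shows no SUSE package-list change adding `firewalld` and `python3-firewall` the way vars/RedHat.yml does, so the `ansible.posix.firewalld` tasks here depend on packages this patch does not ensure on SUSE; unless the base image already ships them, the first firewall task errors. Either add the two packages to the SUSE package list (outside this patch's view) or extend the `when: '"firewalld.service" in ansible_facts.services'` guard from the `Turn on firewalld` task to the port-opening tasks. Keeping one shared task file and including it for both families would also avoid maintaining the same 93 lines twice.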
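Review bot: The three `ansible.builtin.include_tasks` tasks are gated on `ansible_os_family` with no fallback, so a target whose family is none of Debian, Suse or RedHat now silently gets neither a disabled nor an opened firewall, where the removed tasks ran for every host; a closing `ansible.builtin.fail` for the unmatched case, or a comment stating the omission is deliberate, would make that visible. Since the directory names are the lower-cased family names, the three tasks could also collapse into one: `ansible.builtin.include_tasks: "roles/nfsd/tasks/firewall/{{ ansible_os_family | lower }}/main.yml"` with `when: ansible_os_family in ['Debian', 'Suse', 'RedHat']`. The `Start up nfsd` task that follows is only partly visible in the hunk.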
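Review bot: The template pins statd to 4044 and lockd to 4045 to match the firewall openings, but the firewall task files also open 20048/tcp and 20048/udp for mountd while nothing here pins `[mountd] port=20048`; unless the distribution's default nfs.conf already fixes that port, rpc.mountd may register elsewhere and the opened port does nothing. Adding `[mountd]` / `port=20048` beside the two new sections keeps the template and the firewall rules in step. It is also worth confirming that `[lockd] port` covers the UDP listener the firewall opens on 4045/udp, since nfs.conf(5) has a separate `udp-port` key for lockd.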