
Bug 1511560

Summary: Disabled inactive firewall
Product: Red Hat Gluster Storage
Reporter: Lubos Trilety <ltrilety>
Component: web-admin-tendrl-ansible
Assignee: Nishanth Thomas <nthomas>
Status: CLOSED ERRATA
QA Contact: Martin Bukatovic <mbukatov>
Severity: high
Priority: high
Version: rhgs-3.3
CC: abhaumik, bmekala, btotty, dahorak, fbalak, gmollett, japplewh, mbukatov, nthomas, rcyriac, rhinduja, sanandpa, sankarshan, sisharma, ssaha
Target Milestone: ---
Keywords: Reopened, Security, ZStream
Target Release: RHGS 3.3.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: tendrl-ansible-1.5.4-2.el7rhgs
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-12-18 04:39:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1519722
Bug Blocks: 1460574, 1520343

Description Lubos Trilety 2017-11-09 15:01:07 UTC
Description of problem:
Installation of RHGSWA disables the firewall on all machines; there's a special playbook for doing this in tendrl-ansible.

Version-Release number of selected component (if applicable):
tendrl-ansible-1.5.4-1.el7rhgs.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install RHGSWA
2. Check firewalld service and iptables

Actual results:
firewalld is disabled and inactive, iptables flushed

Expected results:
firewalld should be set instead of stopped and disabled.

Additional info:
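
A check for step 2 of the reproduction steps above, as an added example that is not part of the original report or of tendrl-ansible: it classifies the outputs of `systemctl is-enabled firewalld`, `systemctl is-active firewalld` and `iptables -S`, and flags the state listed under "Actual results". The function names, the `--live` switch and the two sample rule sets are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify a host's firewall state after an installer run.
# Assumes firewalld programs its rules through iptables (el7 hosts, as in the
# package names in this report) and looks at the filter table only.

# iptables_is_flushed RULES
# RULES is the text printed by `iptables -S`. A flushed table shows nothing
# but "-P <CHAIN> ACCEPT" lines: no -A rules, no -N chains, no DROP policy.
iptables_is_flushed() {
    ! printf '%s\n' "$1" | grep -v -e '^$' | grep -q -v -E '^-P [A-Z]+ ACCEPT$'
}

# firewall_verdict ENABLED ACTIVE RULES
# ENABLED and ACTIVE are the words printed by `systemctl is-enabled firewalld`
# and `systemctl is-active firewalld`.
firewall_verdict() {
    state="$1/$2"
    if iptables_is_flushed "$3"; then
        echo "FAIL: firewalld $state, iptables flushed"
    elif [ "$state" = enabled/active ]; then
        echo "OK: firewalld $state, rules loaded"
    else
        echo "WARN: firewalld $state, rules come from another source"
    fi
}

# Constructed sample: `iptables -S` output after a flush.
FLUSHED_SAMPLE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample: abbreviated `iptables -S` output with firewalld running.
MANAGED_SAMPLE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N INPUT_ZONES
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

if [ "${1:-}" = --live ]; then
    # Query the real host (run as root).
    firewall_verdict "$(systemctl is-enabled firewalld 2>/dev/null)" \
                     "$(systemctl is-active firewalld 2>/dev/null)" \
                     "$(iptables -S)"
else
    firewall_verdict disabled inactive "$FLUSHED_SAMPLE"
fi
```

Run with `--live` on each installed node; a `FAIL` line corresponds to the reported state, and `WARN` means some rule set other than firewalld's is loaded and needs a manual look.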

Comment 1 RHEL Product and Program Management 2017-11-15 16:42:45 UTC
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

Comment 37 Martin Bukatovic 2017-12-01 16:34:53 UTC
(In reply to Rahul Hinduja from comment #35)
> Based on comment 30 to 34 , moving this bug to verified state. Other issues
> will be tracked separately.

I see that this BZ is in VERIFIED state when:

* upstream documentation for firewall configuration is not finished,
  see BZ 1519237
* description of verification process (e.g. comment 17) doesn't refer to
  downstream documentation draft nor specifies firewall configuration used
* QE team doesn't have firewall setup automated via playbook, so that QE
  team can't even run *every test case* (starting when this BZ was moved
  into verified state) with expected firewall setup

For these reasons, I'm moving this BZ back to ON_QE and I don't think we can
move it back to VERIFIED until we:

* reference particular firewall configuration used there
* automate the firewall configuration and make sure every tester uses it

Comment 39 Martin Bukatovic 2017-12-04 10:07:29 UTC
(In reply to Rejy M Cyriac from comment #38)
> THE ONLY ISSUE TO BE VERIFIED AS RESOLVED AT THIS BZ IS ON THE 'ACT OF
> INSTALLATION OF RHGS WEB ADMINISTRATION DISABLING FIREWALL BY DEFAULT.
> THIS WAS THE ONLY CONCERN RAISED BY PRODUCT SECURITY, AND CONVEYED TO THE
> PRODUCT STAKEHOLDERS TO RESOLVE, BEFORE SHIPPING THE WEB ADMINISTRATION
> COMPONENT.

Ack.

To make this more clear, I reorganized BZs according to your description so that:

* this BZ is blocked by 1519722, because I don't see how we could on one hand
  claim that firewalld should not be disabled, and on the other hand keep a
  workaround which disables the firewalld in suggested installation script
* there is a firewall tracker BZ 1520343, which keeps track of all the other
  firewall BZs for RHGS WA now
* BZs were linked so that's easier to track what depends on what

Comment 40 Rahul Hinduja 2017-12-08 12:06:44 UTC
> * this BZ is blocked by 1519722, because I don't see how we could on one hand
>   claim that firewalld should not be disabled, and on the other hand keep a
>   workaround which disables the firewalld in suggested installation script

BZ 1519722 is in VERIFIED state now

> * there is a firewall tracker BZ 1520343, which keeps track of all the other
>   firewall BZs for RHGS WA now

This is a tracker bug and to be addressed in subsequent releases. BZ 1520343 is not targeted for 3.3.1 

https://bugzilla.redhat.com/show_bug.cgi?id=1520343#c3
https://bugzilla.redhat.com/show_bug.cgi?id=1460574#c7

> * BZs were linked so that's easier to track what depends on what

Considering these, moving the bug to verified state.

Comment 42 errata-xmlrpc 2017-12-18 04:39:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3478