Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1511560 - Disabled inactive firewall
Summary: Disabled inactive firewall
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: web-admin-tendrl-ansible
Version: rhgs-3.3
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: RHGS 3.3.1
Assignee: Nishanth Thomas
QA Contact: Martin Bukatovic
URL:
Whiteboard:
Depends On: 1519722
Blocks: 1460574 1520343
TreeView+ depends on / blocked
 
Reported: 2017-11-09 15:01 UTC by Lubos Trilety
Modified: 2017-12-18 04:39 UTC (History)
15 users (show)

Fixed In Version: tendrl-ansible-1.5.4-2.el7rhgs
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-18 04:39:57 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:3478 normal SHIPPED_LIVE RHGS Web Administration packages 2017-12-18 09:34:49 UTC
Red Hat Bugzilla 1520343 None None None Never
Github Tendrl tendrl-ansible issues 49 None None None 2017-11-09 15:01:06 UTC

Internal Links: 1520343

Description Lubos Trilety 2017-11-09 15:01:07 UTC
Description of problem:
Installation of RHGSWA disable firewall on all machines, there's special playbook for doing this in tendrl-ansible.

Version-Release number of selected component (if applicable):
tendrl-ansible-1.5.4-1.el7rhgs.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install RHGSWA
2. Check firewalld service and iptables
3.

Actual results:
firewalld is disabled and inactive, iptables flushed

Expected results:
firewalld should be set instead of stopped and disabled.

Additional info:

Comment 1 RHEL Product and Program Management 2017-11-15 16:42:45 UTC
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

Comment 37 Martin Bukatovic 2017-12-01 16:34:53 UTC
(In reply to Rahul Hinduja from comment #35)
> Based on comment 30 to 34 , moving this bug to verified state. Other issues
> will be tracked separately.

I see that this BZ is in VERIFIED state when:

* upstream documenatation for firewall configuration is not finished,
  see BZ 1519237
* description of verification process (eg. comment 17) doesn't refer to
  downstream documentation draft nor specifies firewall configuration used
* qe team doesn't have firewall setup automated via playbook, so that qe
  team can't even run *every test case* (starting when this BZ was moved
  into verified state) with expected firewall setup

For these reason, I'm moving this BZ back in ON_QE and I don't thing we can
move it back to VERIFIED until we:

* reference particular firewall configuration used there
* automate the firewall configuration and make sure every tester uses it

Comment 39 Martin Bukatovic 2017-12-04 10:07:29 UTC
(In reply to Rejy M Cyriac from comment #38)
> THE ONLY ISSUE TO BE VERIFIED AS RESOLVED AT THIS BZ IS ON THE 'ACT OF
> INSTALLATION OF RHGS WEB ADMINISTRATION DISABLING FIREWALL BY DEFAULT.
> THIS WAS THE ONLY CONCERN RAISED BY PRODUCT SECURITY, AND CONVEYED TO THE
> PRODUCT STAKEHOLDERS TO RESOLVE, BEFORE SHIPPING THE WEB ADMINISTRATION
> COMPONENT.

Ack.

To make this more clear, I reorganized BZs according to your description so that:

* this BZ is blocked by 1519722, because I don't see how we could on one hand
  claim that firewalld should not be disabled, and on the other hand keep a
  workaround which disables the firewalld in suggested installation script
* there is a firewall tracker BZ 1520343, which keeps track of all the other
  firewall BZs for RHGS WA now
* BZs were linked so that's easier to track what depends on what

Comment 40 Rahul Hinduja 2017-12-08 12:06:44 UTC
> * this BZ is blocked by 1519722, because I don't see how we could on one hand
>   claim that firewalld should not be disabled, and on the other hand keep a
>   workaround which disables the firewalld in suggested installation script

BZ 1519722 is in VERIFIED state now

> * there is a firewall tracker BZ 1520343, which keeps track of all the other
>   firewall BZs for RHGS WA now

This is a tracker bug and to be addressed in subsequent releases. BZ 1520343 is not targeted for 3.3.1 

https://bugzilla.redhat.com/show_bug.cgi?id=1520343#c3
https://bugzilla.redhat.com/show_bug.cgi?id=1460574#c7

> * BZs were linked so that's easier to track what depends on what

Considering these moving the bug to verified state.

Comment 42 errata-xmlrpc 2017-12-18 04:39:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3478


Note You need to log in before you can comment on or make changes to this bug.