Fix the problem with the firewall

As of now the installer does not configure iptables rules and for
successfull installation some rules are needed. This is simple fix
to enable installation even on machines with enabled firewall.

The user must setup rules by himself for a production use.

Firewall setup may be added in a future revision of the installer.

Change-Id: I7ea741b088dbb7f64bb7e8e273f7648f7fbf1bd6
Issue-ID: OOM-1581
Signed-off-by: Petr Ospalý <p.ospaly@partner.samsung.com>

diff --git a/bash/tools/common-functions.sh b/bash/tools/common-functions.sh
index 6ffb42a..5563b04 100755 (executable)
--- a/bash/tools/common-functions.sh
+++ b/bash/tools/common-functions.sh
@@ -345,14 +345,51 @@ create_all_certs() {
     create_cert "nexus"
 }
 
-update_firewall() {
-# TODO
-#firewall-cmd --permanent --add-port=53/udp
-#firewall-cmd --permanent --add-port=53/tcp
-#firewall-cmd --permanent --add-port=10001/tcp
-#firewall-cmd --permanent --add-port=80/tcp
-#firewall-cmd --permanent --add-port=443/tcp
-return 0
+# disable firewall (firewalld on rhel) and cleanup the iptables
+# args: [<distro>] [<ip>]
+# if no distro arg then run locally and only cleanup iptables
+# if no ip arg then run locally
+disable_firewall() {
+    _distro="$1"
+    _node_ip="$2"
+
+    case "$_distro" in
+        rhel)
+            message info "Disable firewalld"
+            message warning "Please, if you have some other firewall service - disable it or configure it for this installation to work !"
+            if [ -n "$_node_ip" ] ; then
+                ssh -T "$_node_ip"
+            else
+                sh
+            fi <<EOF
+if rpm -ql firewalld ; then
+    systemctl stop firewalld && systemctl disable firewalld
+    exit \$?
+else
+    exit 0
+fi 2>&1 >/dev/null
+EOF
+            ;;
+        *)
+            message warning "This system is not fully supported!"
+            message warning "The installation can stop working after the reboot - BE WARNED"
+            message warning "Please, if you have some firewall service - disable it or configure it for this installation to work !"
+            ;;
+    esac
+
+    message info "Cleanup iptables"
+    if [ -n "$_node_ip" ] ; then
+        ssh -T "$_node_ip"
+    else
+        sh
+    fi <<EOF
+iptables -P INPUT ACCEPT && \
+iptables -P OUTPUT ACCEPT && \
+iptables -P FORWARD ACCEPT && \
+iptables -F
+EOF
+
+    return 0
 }
 
 distribute_root_CA() {
@@ -556,6 +593,7 @@ deploy_node() {
     nodeip=$1
     os=$2
     echo "Deploying node $nodeip"
+    disable_firewall $os $nodeip
     distribute_root_CA $nodeip
     install_remote_docker $nodeip $os
     deploy_rancher_agent $nodeip

diff --git a/bash/tools/deploy_nexus.sh b/bash/tools/deploy_nexus.sh
index 1532c61..21a51ca 100755 (executable)
--- a/bash/tools/deploy_nexus.sh
+++ b/bash/tools/deploy_nexus.sh
@@ -156,6 +156,9 @@ update_hosts
 # TODO
 #check_dependencies
 
+# TODO: add rules to the firewall
+disable_firewall "$OS_ID"
+
 echo "Restarting dnsmasq"
 # TODO dnsmasq config?
 systemctl enable dnsmasq
@@ -182,8 +185,6 @@ echo "Restarting docker"
 systemctl enable docker
 systemctl restart docker
 
-update_firewall
-
 set +e
 
 echo "** Loading images **"