From 7997ff10119d945138704f23a5bc7f0c6160cd84 Mon Sep 17 00:00:00 2001
From: Petr Ospalý <p.ospaly@partner.samsung.com>
Date: Wed, 16 Jan 2019 15:55:27 +0100
Subject: Fix the problem with the firewall
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As of now the installer does not configure iptables rules and for
successfull installation some rules are needed. This is simple fix
to enable installation even on machines with enabled firewall.

The user must setup rules by himself for a production use.

Firewall setup may be added in a future revision of the installer.

Change-Id: I7ea741b088dbb7f64bb7e8e273f7648f7fbf1bd6
Issue-ID: OOM-1581
Signed-off-by: Petr Ospalý <p.ospaly@partner.samsung.com>
---
 bash/tools/common-functions.sh | 54 +++++++++++++++++++++++++++++++++++-------
 bash/tools/deploy_nexus.sh     |  5 ++--
 2 files changed, 49 insertions(+), 10 deletions(-)

diff --git a/bash/tools/common-functions.sh b/bash/tools/common-functions.sh
index 6ffb42a7..5563b047 100755
--- a/bash/tools/common-functions.sh
+++ b/bash/tools/common-functions.sh
@@ -345,14 +345,51 @@ create_all_certs() {
     create_cert "nexus"
 }
 
-update_firewall() {
-# TODO
-#firewall-cmd --permanent --add-port=53/udp
-#firewall-cmd --permanent --add-port=53/tcp
-#firewall-cmd --permanent --add-port=10001/tcp
-#firewall-cmd --permanent --add-port=80/tcp
-#firewall-cmd --permanent --add-port=443/tcp
-return 0
+# disable firewall (firewalld on rhel) and cleanup the iptables
+# args: [<distro>] [<ip>]
+# if no distro arg then run locally and only cleanup iptables
+# if no ip arg then run locally
+disable_firewall() {
+    _distro="$1"
+    _node_ip="$2"
+
+    case "$_distro" in
+        rhel)
+            message info "Disable firewalld"
+            message warning "Please, if you have some other firewall service - disable it or configure it for this installation to work !"
+            if [ -n "$_node_ip" ] ; then
+                ssh -T "$_node_ip"
+            else
+                sh
+            fi <<EOF
+if rpm -ql firewalld ; then
+    systemctl stop firewalld && systemctl disable firewalld
+    exit \$?
+else
+    exit 0
+fi 2>&1 >/dev/null
+EOF
+            ;;
+        *)
+            message warning "This system is not fully supported!"
+            message warning "The installation can stop working after the reboot - BE WARNED"
+            message warning "Please, if you have some firewall service - disable it or configure it for this installation to work !"
+            ;;
+    esac
+
+    message info "Cleanup iptables"
+    if [ -n "$_node_ip" ] ; then
+        ssh -T "$_node_ip"
+    else
+        sh
+    fi <<EOF
+iptables -P INPUT ACCEPT && \
+iptables -P OUTPUT ACCEPT && \
+iptables -P FORWARD ACCEPT && \
+iptables -F
+EOF
+
+    return 0
 }
 
 distribute_root_CA() {
@@ -556,6 +593,7 @@ deploy_node() {
     nodeip=$1
     os=$2
     echo "Deploying node $nodeip"
+    disable_firewall $os $nodeip
     distribute_root_CA $nodeip
     install_remote_docker $nodeip $os
     deploy_rancher_agent $nodeip
diff --git a/bash/tools/deploy_nexus.sh b/bash/tools/deploy_nexus.sh
index 1532c614..21a51cae 100755
--- a/bash/tools/deploy_nexus.sh
+++ b/bash/tools/deploy_nexus.sh
@@ -156,6 +156,9 @@ update_hosts
 # TODO
 #check_dependencies
 
+# TODO: add rules to the firewall
+disable_firewall "$OS_ID"
+
 echo "Restarting dnsmasq"
 # TODO dnsmasq config?
 systemctl enable dnsmasq
@@ -182,8 +185,6 @@ echo "Restarting docker"
 systemctl enable docker
 systemctl restart docker
 
-update_firewall
-
 set +e
 
 echo "** Loading images **"
-- 
cgit 1.2.3-korg