perfsonar-user - Re: [perfsonar-user] perfSONAR 4.0 RC2 Firewall defaults
Subject: perfSONAR User Q&A and Other Discussion
- From: Laurie Zirkle <>
- To: Andrew Lake <>
- Cc: perfsonar-user <>
- Subject: Re: [perfsonar-user] perfSONAR 4.0 RC2 Firewall defaults
- Date: Wed, 12 Apr 2017 11:25:00 -0400
We do (or at least have for 3.5.1) use the ToolKit GUI.
--
Laurie
On Wed, Apr 12, 2017 at 10:54 AM, Andrew Lake
<>
wrote:
> Hi Laurie,
>
> I created an issue for us to mention this topic in our docs. I imagine you
> are not alone in wanting to skip the jump to firewalld right away especially
> when you have config management software that already handles iptables. One
> option worth mentioning is that if you don't really use the Toolkit GUI, you
> may want to install perfsonar-core instead of perfsonar-toolkit since that
> does not pull in the firewall stuff by default. Then you can let ansible
> just handle things on its own.
>
> Thanks,
> Andy
>
>
>
> On April 12, 2017 at 7:52:33 AM, Laurie Zirkle
> ()
> wrote:
>
> The issue we have is our cobbler/ansible standard uses iptables rather
> than firewalld. This causes us issues where we (for now, because it's
> still RC rather than production) manually stop firewalld and start
> iptables.
>
> --
> Laurie
>
>
> On Tue, Apr 11, 2017 at 3:16 PM, Hyojoon Kim
> <>
> wrote:
>> Hi all,
>>
>> I just wanted to share that this still seems to be the case: that I have to
>> run "/usr/lib/perfsonar/script/configure_firewall install" manually to get
>> the firewall rules correctly installed in the perfSONAR host, with perfSONAR
>> 4.0 RC3 on CentOS 7. Reboot does not seem to run the script.
>>
>> Probably this is not the case when you get a pre-made perfSONAR CentOS ISO.
>> However, in my environment I had my own CentOS 7 and installed perfSONAR 4.0
>> RC3 via yum (perfsonar-toolkit bundle) separately
>> (http://docs.perfsonar.net/release_candidates/4.0rc3/install_centos.html).
>> In this case, I had to manually run that command.
>>
>> Thanks,
>> Joon
>>
>> On Nov 17, 2016, at 1:34 PM, Michael Petry
>> <>
>> wrote:
>>
>> Symon,
>> Thanks for the followup.
>>
>> Firewall-cmd does give the expected results. The issue is that I had to
>> first start firewalld and also run
>> "/usr/lib/perfsonar/script/configure_firewall install" by hand. The docs
>> leave a reader with the impression that it is all enabled and configured by
>> default. Also the docs (listed as part of the 4.0RC2 candidate) are very
>> iptable centric while the script actions are centered around firewall-cmd.
>>
>> The Fail2ban setup has a similar conflict on docs vs. action.
>>
>> I wanted to report it as an issue so it doesn’t get lost before final
>> release.
>>
>> Migrating to Centos7 brings lots of changes that may trip some people up. I
>> welcome the changes, especially the improved network stack performance.
>>
>> Thanks again,
>> Mike
>>
>>
>> firewall-cmd --list-all
>> public (default, active)
>> interfaces: p1p1
>> sources:
>> services: bwctl dhcpv6-client http https ndt npad ntp oppd owamp ssh traceroute
>> ports: 6001-6200/tcp 5601-5900/tcp 8760-9960/udp 5601-5900/udp 6001-6200/udp 5301-5600/udp 5001-5300/tcp 8760-9960/tcp 5001-5300/udp 5301-5600/tcp
>> masquerade: no
>> forward-ports:
>> icmp-blocks:
>> rich rules:
>>
>>
>> On Nov 17, 2016, at 2:59 AM, Szymon Trocha
>> <>
>> wrote:
>>
>> On 17.11.2016 at 08:57, Szymon Trocha wrote:
>>
>> On 16.11.2016 at 17:11, Michael Petry wrote:
>>
>> Reading the docs at:
>> http://docs.perfsonar.net/release_candidates/4.0rc2/manage_security.html
>>
>> left me with the impression that iptables/firewalld was enabled with the
>> specified default rules.
>> That doesn't seem to be the case when installing/booting from the ISO image
>> 4.0 RC2 Nov 1
>>
>> Is that the intent or did I misread the docs/release notes?
>>
>> Thanks,
>> Mike
>>
>>
>> Hi Mike,
>>
>> What do you get when you issue:
>>
>> firewall-cmd --get-active-zones ?
>>
>>
>> Sorry, it should have been: firewall-cmd --list-all
>>
>>
>> --
>> Szymon Trocha
>>
>> Poznań Supercomputing & Networking Center
>> Tel. +48 618582022 ::: http://noc.pcss.pl
>>
>>
>>
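The manual `firewall-cmd --list-all` check discussed in this thread can be scripted so that a host whose rules were never installed is caught after install or reboot. This is an added example, not part of the original messages or of perfSONAR's own scripts; the baseline lists are an assumption copied from the output posted in the thread, and the function names and the `--live` switch are hypothetical.

```shell
#!/bin/sh
# Added example: compare `firewall-cmd --list-all` output against a baseline.
# The baseline is an assumption copied from the output posted in this thread,
# not an official perfSONAR list.
EXPECTED_SERVICES="bwctl http https ndt npad ntp oppd owamp ssh traceroute"
EXPECTED_PORTS="5001-5300/tcp 5001-5300/udp 5301-5600/tcp 5301-5600/udp
5601-5900/tcp 5601-5900/udp 6001-6200/tcp 6001-6200/udp
8760-9960/tcp 8760-9960/udp"

# Constructed sample: a zone where the perfSONAR rules were never installed.
BARE_ZONE='public (default, active)
  interfaces: p1p1
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no'

# missing_items KEY EXPECTED: read --list-all text on stdin and print each
# word of EXPECTED that is absent from the "KEY:" line (space separated).
missing_items() {
    mi_active=$(awk -v k="$1:" '$1 == k { for (i = 2; i <= NF; i++) print $i }')
    mi_missing=""
    for mi_item in $2; do
        printf '%s\n' "$mi_active" | grep -qxF -- "$mi_item" \
            || mi_missing="$mi_missing $mi_item"
    done
    printf '%s' "${mi_missing# }"
}

# audit_rules: read --list-all text on stdin; return 0 if the baseline is met,
# otherwise report what is missing and return non-zero.
audit_rules() {
    ar_text=$(cat)
    ar_svc=$(printf '%s\n' "$ar_text" | missing_items services "$EXPECTED_SERVICES")
    ar_ports=$(printf '%s\n' "$ar_text" | missing_items ports "$EXPECTED_PORTS")
    [ -z "$ar_svc" ] || echo "missing services: $ar_svc"
    [ -z "$ar_ports" ] || echo "missing ports: $ar_ports"
    [ -z "$ar_svc$ar_ports" ]
}

# Live check, only when called with --live on a host that has firewalld.
if [ "${1:-}" = "--live" ]; then
    if ! firewall-cmd --state >/dev/null 2>&1; then
        echo "firewalld is not running"; exit 2
    fi
    firewall-cmd --list-all | audit_rules || exit 1
fi
```

Run with `--live` from cron or a configuration-management handler; exit status 2 means firewalld is stopped and 1 means it is running without the expected rules.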