Removing the firewall feature from pulp_installer

Hi pulp_installer users,

We are thinking of removing the firewall feature.

Our reasons are as follows:

  1. It only configures firewalld anyway.
  2. The default behavior is to install firewalld, which is undesirable and unexpected.
  3. All it does is allow the webserver to use the firewall. For cluster installs, it does not allow redis, postgres, pulp-api or pulp-content to talk over the network.
  4. It seems like unnecessary scope for the installer.

Please let me know if there are any objections,


+1 to this change.

  • It seems like unnecessary scope for the installer.
    My only concern is if we are considering the installation as an “appliance”, in this case, I believe that keeping the firewall configuration would be a good idea.

If we consider only configuring the firewall if it is already installed, we should also consider ufw configurations (for Ubuntu users, for example).

Maybe as a middle ground we could supply a pulp_firewall role that will not be included from the main role and users would need to add it to their playbooks if desired. Isn’t that what collections were designed for? My biggest concern with that approach is that we may not have the proper test coverage to “support” that security feature.

@x9c4 I think the configuration that would make the most sense is to put firewall configuration logic in each and every role, that only configures an existing firewall for that particular role’s service.

Creating a separate role would move us further away from that.

I think it would be okay to remove any firewall configuration steps in the installer, but I think we should have documentation for firewall considerations. For example, the docs could note what ports are used by the application, as well as information on how to open those ports using firewalld and ufw.
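
An added example (not part of the thread and not pulp_installer code) of the approach discussed above: a playbook that opens a service's ports only on a firewall that is already present, covering both firewalld and ufw, and never installs or enables one. The variable `example_webserver_ports` and its port values are hypothetical, constructed for illustration.

```yaml
# Added example, not pulp_installer code. "example_webserver_ports" and its
# values are hypothetical, constructed for illustration.
- name: Open web server ports on a firewall that is already present
  hosts: all
  become: true
  vars:
    example_webserver_ports:
      - { port: 80, proto: tcp }
      - { port: 443, proto: tcp }
  tasks:
    # Facts only: nothing here installs firewalld or ufw.
    - name: Collect installed packages
      ansible.builtin.package_facts:
        manager: auto

    - name: Collect service state
      ansible.builtin.service_facts:

    # immediate: true needs a running daemon, so require both conditions.
    - name: Allow the ports in firewalld when it is installed and running
      ansible.posix.firewalld:
        port: "{{ item.port }}/{{ item.proto }}"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ example_webserver_ports }}"
      when:
        - "'firewalld' in ansible_facts.packages"
        - ansible_facts.services.get('firewalld.service', {}).get('state') == 'running'

    # No "state" parameter: the rule is added, but ufw is not switched on
    # if the administrator has left it disabled.
    - name: Allow the ports in ufw when it is installed
      community.general.ufw:
        rule: allow
        port: "{{ item.port }}"
        proto: "{{ item.proto }}"
      loop: "{{ example_webserver_ports }}"
      when: "'ufw' in ansible_facts.packages"
```

The same pair of guarded tasks could sit in each role with that role's own port list, so a cluster install opens only the ports of the services actually deployed on a given host.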