Hi pulp_installer users,
We are thinking of removing the firewall feature.
Our reasons are as follows:
Please let me know if there are any objections,
-Mike
+1 to this change.
- It seems like unnecessary scope for the installer.
My only concern is if we are considering the installation as an āapplianceā, in this case, I believe that keeping the firewall configuration would be a good idea.
If we consider only configuring the firewall if it is already installed, we should also consider ufw configurations (for Ubuntu users, for example).
Maybe as a middle ground we could supply a pulp_firewall role that will not be included from the main role and users would need to add it to their playbooks if desired. Isnāt that what collections were designed for? My biggest concern with that approach is that we may not have the proper test coverage to āsupportā that security feature.
@x9c4 I think the configuration that would make the most sense is to put firewall configuration logic in each and every role, that only configures an existing firewall for that particular roleās service.
Creating a separate role would move us further away from that.
I think it would be okay to remove any firewall configuration steps in the installer, but I think we should have documentation for firewall considerations. For example, the docs could note what ports are used by the application, as well as information on how to open those ports using firewalld and ufw.
FYI, We implemented this. including the documentation:
pulp_installer 3.20.2 is the last release with the firewall support.