[ovs-dev] [PATCH] OVN: Document how to use firewalld service files
blp at ovn.org
Tue Oct 24 21:34:46 UTC 2017
On Tue, Oct 24, 2017 at 09:10:09AM -0500, Mark Michelson wrote:
> Firewalld service files for OVN have been in the source for several
> months. This adds instructions for how to use these service files with
> Signed-off-by: Mark Michelson <mmichels at redhat.com>
Thanks a lot for the documentation! I folded in the following minor
typographical improvements and applied this to master.
diff --git a/Documentation/howto/firewalld.rst b/Documentation/howto/firewalld.rst
index b78d8e3b4b88..b76a4d2b7dc7 100644
@@ -37,8 +37,9 @@ Installation
If you have installed OVN from an RPM, then the service files for firewalld
-will automatically be installed in /usr/lib/firewalld/services. Installation
-from RPM includes installation from the yum or dnf package managers.
+will automatically be installed in ``/usr/lib/firewalld/services``.
+Installation from RPM includes installation from the yum or dnf package
If you have installed OVN from source, then from the top level source
directory, issue the following commands to copy the firewalld service files:
@@ -57,18 +58,14 @@ Activation
Assuming you are already running firewalld, you can issue the following
commands to enable the OVN services.
-On the central server (the one running ovn-northd), issue the following
+On the central server (the one running ``ovn-northd``), issue the following::
$ firewall-cmd --zone=public --add-service=ovn-central-firewall-service
This will open TCP ports 6641 and 6642, allowing for remote connections to the
northbound and southbound databases.
-On the OVN hosts (the ones running ovn-controller), issue the following
+On the OVN hosts (the ones running ``ovn-controller``), issue the following::
$ firewall-cmd --zone=public --add-service=ovn-host-firewall-service
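Review bot: In the Activation section, both `firewall-cmd --zone=public --add-service=...` commands change only the runtime configuration, so a reader who stops here loses the rules at the next firewalld restart. The ``--permanent`` option is only mentioned later, under Variations. Suggest adding a one-line pointer to it after the commands, or showing the ``--permanent`` form next to each one.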
@@ -79,16 +76,16 @@ Variations
When installing the XML service files, you have the choice of copying them to
-/etc/firewalld/services or /usr/lib/firewalld/services. The former is
+``/etc/firewalld/services`` or ``/usr/lib/firewalld/services``. The former is
recommened since the latter can be overwritten if firewalld is upgraded.
The above commands assumed your underlay network interfaces are in the
"public" firewalld zone. If your underlay network interfaces are in a separate
zone, then adjust the above commands accordingly.
-The \-\-permanent option may be passed to the above firewall-cmd invocations
+The ``--permanent`` option may be passed to the above firewall-cmd invocations
in order for the services to be permanently added to the firewalld
-configuration. This way it is not necessary to re-issue the commands eaach
+configuration. This way it is not necessary to re-issue the commands each
time the firewalld service restarts.
The ovn-host-firewall-service only opens port 6081. This is because the
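Review bot: The unchanged context line "recommened since the latter can be overwritten if firewalld is upgraded." still has a typo ("recommended") that this typographical pass could fix along with "eaach". For consistency with the ``ovn-northd`` and ``ovn-controller`` markup added in the Activation hunk, "firewall-cmd" in the ``--permanent`` sentence and "ovn-host-firewall-service" in the following paragraph could also be set in double backticks.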
@@ -106,5 +103,5 @@ more secure environment, it is a good idea to do the following
* Use tools such as iptables or nftables to restrict access to known hosts.
* Use SSL for all remote connections to OVN databases.
-* Use role based access control for connections to the OVN southbound
+* Use role-based access control for connections to the OVN southbound