)]}'
{"doc/source/install/storage-install-rdo.rst":[{"author":{"_account_id":15343,"name":"Tim Burke","email":"tburke@nvidia.com","username":"tburke"},"change_message_id":"687f49fbe6b2c354cf4115e775ae3851d72a73e0","unresolved":false,"context_lines":[{"line_number":169,"context_line":"      # firewall-cmd --permanent --add-port\u003d6202/tcp"},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"   The rsync service includes its own firewall configuration."},{"line_number":172,"context_line":"   Connect from one node to another to ensure that access is allowed."}],"source_content_type":"text/x-rst","patch_set":1,"id":"bf51134e_1fde273d","line":172,"updated":"2020-07-13 23:58:27.000000000","message":"Should we have something similar on https://docs.openstack.org/swift/latest/install/controller-install-rdo.html to open up 8080? Or are we assuming that some other service like haproxy or apache2 or hitch or blahblahblah will be fronting it?\n\nShould we consider publishing some XML so users can run\n\n firewall-cmd --permanent --new-service-from-file\u003d...\n\n? If so, should it be one file per layer, or all in one?","commit_id":"a5ec383260303d6b035e19294967a63d092d55b5"},{"author":{"_account_id":597,"name":"Pete Zaitcev","email":"zaitcev@kotori.zaitcev.us","username":"zaitcev"},"change_message_id":"383f4142d30fce615b312bd35900a5c710c97e73","unresolved":false,"context_lines":[{"line_number":169,"context_line":"      # firewall-cmd --permanent --add-port\u003d6202/tcp"},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"   The rsync service includes its own firewall configuration."},{"line_number":172,"context_line":"   Connect from one node to another to ensure that access is allowed."}],"source_content_type":"text/x-rst","patch_set":1,"id":"bf51134e_a866d94f","line":172,"in_reply_to":"bf51134e_1fde273d","updated":"2020-07-14 17:11:19.000000000","message":"In the immediate problem environment, RH OSP Director manages so-called \"controller\" nodes, which host Swift proxy, and \"external storage nodes\" are the only ones configured without Director. But from the upstream perspective, I think it would be right to mention proxies and rsync too. Unfortunately, adding pre-canned firewalld descriptors is difficult. They are often made to allow traffic from everywhere, and operators only allow traffic from their load balancers. I\u0027m afraid to create insecure-by-default installations.","commit_id":"a5ec383260303d6b035e19294967a63d092d55b5"}]}