Bug 1403331

Summary: We need to be able to run firewalld on atomic host as a system container.
Product: [Fedora] Fedora
Reporter: Daniel Walsh <dwalsh>
Component: firewalld
Assignee: Eric Garver <egarver>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: bmeng, dustymabe, ghuang, gscrivan, jonte.regnell, rteague, twoerner, walters
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-02-12 15:18:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1422673

Description Daniel Walsh 2016-12-09 16:49:16 UTC
Atomic Host currently does not ship with firewalld, but OpenShift would like to use it.  If we could ship it as a System Container we would be able to optionally install it and then use it from Docker as well as Kubernetes.  

We currently are building some system containers here.

https://github.com/rhatdan/atomic-system-containers

Comment 1 Daniel Walsh 2016-12-09 16:50:41 UTC
Thomas, if you could take a quick look at this to see if there was anything specific that would prevent us from doing this with firewalld.

Comment 2 Thomas Woerner 2016-12-09 17:23:33 UTC
All firewalls in a container have some limitations in my opinion because of possible packet changes in the host before even reaching the container.

I do not see a reason that would prevent us from using firewalld in a container as long as there is a way to properly use netfilter utilities like iptables etc. This would also apply to other firewalls.

The only question for me right now is how to make the D-Bus interface usable within other containers, if this is needed.

Comment 3 Colin Walters 2016-12-10 18:49:20 UTC
You'd clearly have to use the host's network namespace - we have a number of other containers that do this, like the OpenShift router. You'd also have the iptables binaries inside the container.

The DBus interface I think can be done by just binding in the host system bus socket.

One long-term question is around the higher-level interactions with other host processes and other containers. Right now NetworkManager talks to firewalld - and we're bus-activated even, right? The "host exposure" of firewalld includes the polkit rules, and some other processes on the host or other containers may run firewall-cmd.

So ultimately this would work best with https://github.com/projectatomic/atomic/pull/767
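
As an added illustration (not part of this bug or of the atomic-system-containers work it links to), a trimmed OCI runtime config.json for running firewalld as a system container the way Comment 3 describes: `network` is left out of `linux.namespaces` so the container stays in the host's network namespace, and the host's system bus socket is bind-mounted in so existing D-Bus clients such as NetworkManager and firewall-cmd keep working. Because CAP_NET_ADMIN inside the host network namespace means full control of the host packet filter, everything else is pared back: read-only rootfs, a private tmpfs for /run, no_new_privs and only the two capabilities iptables needs. The firewalld arguments, the socket path and the omission of /proc, /sys and any /etc/firewalld persistence mount are assumptions made for this fragment.

```json
{
  "ociVersion": "1.0.0",
  "process": {
    "terminal": false,
    "user": { "uid": 0, "gid": 0 },
    "args": ["/usr/sbin/firewalld", "--nofork", "--nopid"],
    "env": ["PATH=/usr/sbin:/usr/bin:/sbin:/bin"],
    "capabilities": {
      "bounding":  ["CAP_NET_ADMIN", "CAP_NET_RAW"],
      "effective": ["CAP_NET_ADMIN", "CAP_NET_RAW"],
      "permitted": ["CAP_NET_ADMIN", "CAP_NET_RAW"]
    },
    "noNewPrivileges": true
  },
  "root": { "path": "rootfs", "readonly": true },
  "mounts": [
    {
      "destination": "/run",
      "type": "tmpfs",
      "source": "tmpfs",
      "options": ["nosuid", "nodev", "mode=755"]
    },
    {
      "destination": "/run/dbus/system_bus_socket",
      "type": "bind",
      "source": "/run/dbus/system_bus_socket",
      "options": ["rbind", "rw"]
    }
  ],
  "linux": {
    "namespaces": [
      { "type": "pid" },
      { "type": "mount" },
      { "type": "ipc" },
      { "type": "uts" }
    ]
  }
}
```

Mount order matters: the tmpfs on /run is listed before the socket bind mount so the socket lands inside the private /run rather than being shadowed by it. Loading netfilter kernel modules is left to the host; doing it from inside the container would additionally require CAP_SYS_MODULE.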

Comment 4 Colin Walters 2016-12-12 14:33:18 UTC
It looks like the OCP installer uses Ansible's firewalld module which requires the `python-firewall` bindings on the host currently (as all Ansible tends to do).  That's going to be a pain.

Long term, the biggest win will be teaching Ansible how to delegate operations to containers on the host.  Short term...what openshift-ansible is doing seems relatively simplistic - "ensure these rules are allow, ensure these rules are deny", and perhaps it could be reworked to pass that data off to the firewalld container.

Comment 5 Fedora End Of Life 2017-02-28 10:45:37 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 6 Jan Kurik 2017-08-15 09:34:04 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 7 Giuseppe Scrivano 2017-12-05 16:25:16 UTC
System container work is being done here:

https://github.com/projectatomic/atomic-system-containers/pull/150

Comment 8 Dusty Mabe 2018-02-12 15:18:17 UTC
We are shipping firewalld in Atomic Host with RHELAH 7.5, so we should no longer need to do this work.