Red Hat Bugzilla – Bug 1313160
[RFE]Allow firewalld for Openshift installation
Last modified: 2017-07-24 10:11 EDT
1. Proposed title of this feature request
Allow firewalld for Openshift installation
3. What is the nature and description of the request?
At present firewalld is not supported for Openshift installation and it has to be disabled before starting installation. The request is to allow firewalld along with iptables i.e either one can be used.
4. Why does the customer need this? (List the business requirements here)
Our company base system uses and depends on firewalld. We cannot disable firewalld without breaking essentials parts of the base system. Hence, it is necessary for us to enable firewalld
5. How would the customer like to achieve this? (List the functional requirements here)
firewalld should be enabled and supported with Openshift Enterprise 3
6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Yes we are ready to test after enabling firewalld.
7. Is there already an existing RFE upstream or in Red Hat Bugzilla?
8. Does the customer have any specific timeline dependencies and which release would they like to target?
9. Is the sales team involved in this request and do they have any additional input?
no, but is a POC
10. List any affected packages or components.
11. Would the customer be able to assist in testing this functionality if implemented?
In fresh 3.5 installs, firewalld will be used by default with RHEL, and iptables will still be used on Atomic Host due to BZ#1403331.
We can also use iptables with RHEL in fresh installs by specifying the following in inventory hosts:
I'm going to move verified as firewalld is already supported in 3.5. Feel free to move back if anything else is needed.
It's possible to use firewalld now by setting os_firewall_use_firewalld=true however it's not currently the default and may or may not ever become the default. I'm going to mark this as CLOSED CURRENTRELEASE because the initial request is to allow it not to make it the default.