Bug 1313160 - [RFE]Allow firewalld for Openshift installation
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
high Severity medium
Assigned To: Scott Dodson
Johnny Liu
Reported: 2016-03-01 01:42 EST by Jaspreet Kaur
Modified: 2017-07-24 10 EDT
Doc Type: Enhancement
Doc Text:
Feature: Firewalld support at installation time. Reason: Improved firewall management. Result: OCP 3.5 running on RHEL will allow the use of firewalld by setting os_firewall_use_firewalld=true. Atomic Host will continue to default to iptables, as firewalld is not available there.
Last Closed: 2017-05-05 08:38:22 EDT
Type: Bug

Description Jaspreet Kaur 2016-03-01 01:42:38 EST
1. Proposed title of this feature request  
 Allow firewalld for Openshift installation
3. What is the nature and description of the request?  
At present, firewalld is not supported for OpenShift installation and it has to be disabled before starting installation. The request is to allow firewalld along with iptables, i.e., either one can be used.

4. Why does the customer need this? (List the business requirements here)  
Our company base system uses and depends on firewalld. We cannot disable firewalld without breaking essential parts of the base system. Hence, it is necessary for us to enable firewalld.

5. How would the customer like to achieve this? (List the functional requirements here)

firewalld should be enabled and supported with Openshift Enterprise 3

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  

Yes, we are ready to test after enabling firewalld.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  


8. Does the customer have any specific timeline dependencies and which release would they like to target?

9. Is the sales team involved in this request and do they have any additional input? 

no, but is a POC
10. List any affected packages or components.  
11. Would the customer be able to assist in testing this functionality if implemented?  

Comment 10 Gan Huang 2017-03-03 01:30:31 EST
In fresh 3.5 installs, firewalld will be used by default with RHEL, and iptables will still be used on Atomic Host due to BZ#1403331.

We can also use iptables with RHEL in fresh installs by specifying the following in inventory hosts:


I'm going to move verified as firewalld is already supported in 3.5. Feel free to move back if anything else is needed.
Comment 14 Scott Dodson 2017-05-05 08:38:22 EDT
It's possible to use firewalld now by setting os_firewall_use_firewalld=true; however, it's not currently the default and may or may not ever become the default. I'm going to mark this as CLOSED CURRENTRELEASE because the initial request is to allow it, not to make it the default.
