Atomic Host currently does not ship with firewalld, but OpenShift would like to use it. If we could ship it as a System Container we would be able to optionally install it and then use it from Docker as well as Kubernetes. We currently are building some system containers here. https://github.com/rhatdan/atomic-system-containers
Thomas, if you could take a quick look at this to see if there was anything specific that would prevent us from doing this with firewalld.
All firewalls in a container have some limitations in my opinion because of possible packet changes in the host before even reaching the container. I do not see a reason that would prevent using firewalld in a container as long as there is a way to properly use netfilter utilities like iptables etc. This would also apply to other firewalls. The only question for me right now is how to make the D-Bus interface usable within other containers, if this is needed.
You'd clearly have to use host's network namespace - we have a number of other containers that do this, like the OpenShift router. You'd also have the iptables binaries inside the container. The DBus interface I think can be done by just binding in the host system bus socket. One long term question is around the higher level interactions with other host processes and other containers. Right now NetworkManager talks to firewalld - and we're bus activated even right? The "host exposure" of firewalld includes the polkit rules, and some other processes on the host or other containers may run firewall-cmd. So ultimately this would work best with https://github.com/projectatomic/atomic/pull/767
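The deployment shape sketched in the comment above (host network namespace, iptables available in the image, the host's system bus socket bound into the container) as an added shell example; it is not part of the bug thread or of the atomic-system-containers project. The image name, the `FIREWALLD_IMAGE`/`DBUS_SOCKET` variables and the `--run` flag are assumptions; `/run/dbus/system_bus_socket` is the usual dbus-daemon socket path and `/etc/firewalld` is firewalld's normal configuration directory. The iptables binaries are a property of the image build, not of this invocation.

```shell
#!/bin/sh
# Added example (not code from the bug thread or the atomic-system-containers project).
# Builds the `docker run` invocation for a firewalld container that shares the host
# network namespace and the host's D-Bus system bus socket. Names below are assumptions.

IMAGE="${FIREWALLD_IMAGE:-localhost/firewalld-system-container:latest}"   # assumed image name
DBUS_SOCKET="${DBUS_SOCKET:-/run/dbus/system_bus_socket}"                 # standard dbus-daemon socket

# firewalld needs:
#  --net=host           rules must land in the host namespace, not a container netns
#  --cap-add=NET_ADMIN  required to modify netfilter tables (deliberately not --privileged)
#  the D-Bus socket     so host-side firewall-cmd and NetworkManager can reach the daemon
#  /etc/firewalld       persistent zone/service configuration kept on the host
firewalld_run_cmd() {
    printf '%s' "docker run -d --name firewalld --net=host --cap-add=NET_ADMIN --cap-add=NET_RAW \
-v ${DBUS_SOCKET}:${DBUS_SOCKET} \
-v /etc/firewalld:/etc/firewalld \
${IMAGE}"
}

# Preflight: the bus socket must already exist on the host. If it does not, the bind
# mount silently creates a directory of that name and the daemon never registers on the bus.
dbus_socket_ready() {
    [ -S "$1" ]
}

# Returns 0 when a candidate command carries every flag firewalld depends on,
# which lets an operator sanity-check a hand-edited invocation before running it.
cmd_has_required_flags() {
    case "$1" in
        *--net=host*--cap-add=NET_ADMIN*"${DBUS_SOCKET}:${DBUS_SOCKET}"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Only start the container when explicitly asked; the command string is built solely
# from the operator-controlled variables above, so eval is not exposed to foreign input.
if [ "${1:-}" = "--run" ]; then
    if ! dbus_socket_ready "$DBUS_SOCKET"; then
        echo "D-Bus system bus socket not found at $DBUS_SOCKET" >&2
        exit 1
    fi
    eval "$(firewalld_run_cmd)"
fi
```

Running `sh firewalld-container.sh --run` starts the daemon; invoking the script without arguments only defines the functions, so it can be sourced and `firewalld_run_cmd` printed for review. The equivalent Kubernetes shape is a pod with `hostNetwork: true`, a `NET_ADMIN` capability and a hostPath volume for the socket. Note that a container holding `NET_ADMIN` in the host network namespace can rewrite the host's entire ruleset, so it should be treated with the same trust level as firewalld running directly on the host, and whoever can reach its D-Bus interface inherits that control (which is why the polkit rules the comment mentions still matter).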
It looks like the OCP installer uses Ansible's firewalld module which requires the `python-firewall` bindings on the host currently (as all Ansible tends to do). That's going to be a pain. Long term, the biggest win will be teaching Ansible how to delegate operations to containers on the host. Short term...what openshift-ansible is doing seems relatively simplistic - "ensure these rules are allow, ensure these rules are deny", and perhaps it could be reworked to pass that data off to the firewalld container.
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
System container work being done here: https://github.com/projectatomic/atomic-system-containers/pull/150
We are shipping firewalld in Atomic Host with RHELAH 7.5, so we should no longer need to do this work.