Bug 1403331 - We need to be able to run firewalld on atomic host as a system container.
Summary: We need to be able to run firewalld on atomic host as a system container.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Eric Garver
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1422673
Reported: 2016-12-09 16:49 UTC by Daniel Walsh
Modified: 2018-02-12 15:18 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-12 15:18:17 UTC
Type: Bug
Embargoed:



Description Daniel Walsh 2016-12-09 16:49:16 UTC
Atomic Host currently does not ship with firewalld, but OpenShift would like to use it.  If we could ship it as a System Container we would be able to optionally install it and then use it from Docker as well as Kubernetes.  

We currently are building some system containers here.

https://github.com/rhatdan/atomic-system-containers

Comment 1 Daniel Walsh 2016-12-09 16:50:41 UTC
Thomas, if you could take a quick look at this to see if there was anything specific that would prevent us from doing this with firewalld.

Comment 2 Thomas Woerner 2016-12-09 17:23:33 UTC
All firewalls in a container have some limitations in my opinion because of possible packet changes in the host before even reaching the container.

I do not see a reason that would prevent us from using firewalld in a container as long as there is a way to properly use netfilter utilities like iptables etc. This would also apply to other firewalls.

The only question for me right now is how to make the D-Bus interface usable within other containers, if this is needed.

Comment 3 Colin Walters 2016-12-10 18:49:20 UTC
You'd clearly have to use the host's network namespace - we have a number of other containers that do this, like the OpenShift router.  You'd also have the iptables binaries inside the container.

The DBus interface I think can be done by just binding in the host system bus socket.

One long-term question is around the higher-level interactions with other host processes and other containers.  Right now NetworkManager talks to firewalld - and we're bus-activated even, right?  The "host exposure" of firewalld includes the polkit rules, and some other processes on the host or other containers may run firewall-cmd.

So ultimately this would work best with https://github.com/projectatomic/atomic/pull/767
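
A check for the container shape described in this comment (host network namespace, the capabilities iptables needs, the host system bus socket bound in, without a fully privileged container), as an added example that is not from the bug thread or the atomic-system-containers project; the sample OCI config, the capability set and the paths are assumptions:

```python
"""Lint an OCI runtime config.json intended for a firewalld system container."""
import json

# Constructed sample: the subset of an OCI config such a container would
# need. Paths, args and the capability list are assumptions, not project code.
SAMPLE_CONFIG = json.dumps({
    "ociVersion": "1.0.0",
    "process": {
        "args": ["/usr/sbin/firewalld", "--nofork", "--nopid"],
        "capabilities": {"bounding": ["CAP_NET_ADMIN", "CAP_NET_RAW"],
                         "effective": ["CAP_NET_ADMIN", "CAP_NET_RAW"]},
    },
    "mounts": [
        {"destination": "/run/dbus/system_bus_socket",
         "source": "/run/dbus/system_bus_socket", "type": "bind",
         "options": ["bind", "rw"]},
        {"destination": "/etc/firewalld", "source": "/etc/firewalld",
         "type": "bind", "options": ["bind", "rw"]},
    ],
    # No "network" entry: the container shares the host network namespace,
    # which is what lets firewalld manage the host's netfilter rules.
    "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}]},
})

REQUIRED_CAPS = {"CAP_NET_ADMIN", "CAP_NET_RAW"}   # what iptables needs
DBUS_SOCKET = "/run/dbus/system_bus_socket"


def check_firewalld_config(config_text):
    """Return a list of problems; an empty list means the config passes."""
    cfg = json.loads(config_text)
    problems = []
    ns_types = {ns.get("type") for ns in cfg.get("linux", {}).get("namespaces", [])}
    if "network" in ns_types:
        problems.append("network namespace requested: firewalld would only "
                        "see the container's own netfilter tables")
    caps = cfg.get("process", {}).get("capabilities", {})
    for cap_set in ("bounding", "effective"):
        missing = REQUIRED_CAPS - set(caps.get(cap_set, []))
        if missing:
            problems.append(f"{cap_set} capabilities missing {sorted(missing)}")
    # Sharing the host netns already makes this container powerful; do not
    # widen it further than netfilter management requires.
    if "CAP_SYS_ADMIN" in caps.get("bounding", []):
        problems.append("CAP_SYS_ADMIN granted: wider than firewalld needs")
    mounts = {m.get("destination"): m for m in cfg.get("mounts", [])}
    if DBUS_SOCKET not in mounts or "bind" not in mounts[DBUS_SOCKET].get("options", []):
        problems.append(f"{DBUS_SOCKET} is not bind-mounted from the host")
    return problems
```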

Comment 4 Colin Walters 2016-12-12 14:33:18 UTC
It looks like the OCP installer uses Ansible's firewalld module which requires the `python-firewall` bindings on the host currently (as all Ansible tends to do).  That's going to be a pain.

Long term, the biggest win will be teaching Ansible how to delegate operations to containers on the host.  Short term...what openshift-ansible is doing seems relatively simplistic - "ensure these rules are allow, ensure these rules are deny", and perhaps it could be reworked to pass that data off to the firewalld container.

Comment 5 Fedora End Of Life 2017-02-28 10:45:37 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 6 Jan Kurik 2017-08-15 09:34:04 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 7 Giuseppe Scrivano 2017-12-05 16:25:16 UTC
System container work is being done here:

https://github.com/projectatomic/atomic-system-containers/pull/150

Comment 8 Dusty Mabe 2018-02-12 15:18:17 UTC
We are shipping firewalld in Atomic Host with RHELAH 7.5, so we should no longer need to do this work.
