From ea0d4f256bb64c9121f8ba882efb1ba75b48adf5 Mon Sep 17 00:00:00 2001
From: Ruixin Bao
Date: Fri, 24 Nov 2017 14:33:57 +0000
Subject: [PATCH 1/7] WIP: firewalld system containers The container is still work in progress. The docker file can be compiled successfully. However, when starting the service via systemctl, the command will time out eventually. I have a few thoughts for debugging, will take a while to figure it out. Have it here first for some feedback :). (will modify the commit message once lifting the WIP )
---
firewalld/Dockerfile | 40 ++++
firewalld/config.json.template | 388 +++++++++++++++++++++++++++++++++
firewalld/manifest.json | 3 +
firewalld/run.sh | 4 +
firewalld/service.template | 19 ++
firewalld/tmpfiles.template | 0
6 files changed, 454 insertions(+)
create mode 100644 firewalld/Dockerfile
create mode 100644 firewalld/config.json.template
create mode 100644 firewalld/manifest.json
create mode 100755 firewalld/run.sh
create mode 100644 firewalld/service.template
create mode 100644 firewalld/tmpfiles.template
diff --git a/firewalld/Dockerfile b/firewalld/Dockerfile
new file mode 100644
index 0000000..96ec234
--- /dev/null
+++ b/firewalld/Dockerfile
@@ -0,0 +1,40 @@
+# Would it be too large to use fedora as base?
+FROM registry.fedoraproject.org/fedora:latest
+
+ENV VERSION=0 RELEASE=1 ARCH=X86_64
+
+LABEL com.redhat.component="firewalld" \
+ name="$FGC/firewalld" \
+ version="$VERSION" \
+ release="$RELEASE.$DISTTAG" \
+ architecture="$ARCH" \
+ usage="atomic install --system --system-package=no firewalld && systemctl start firewalld" \
+ summary="The firewalld as a system container." \
+ maintainer="Rui xin Bao " \
+ atomic.type="system"
+
+RUN dnf install --setopt=tsflags=nodocs -y firewalld && \
+ rpm -V firewalld && \
+ dnf clean all && \
+ mkdir -p /exports/hostfs/var/log/ && \
+ mkdir -p /exports/hostfs/etc/{sysconfig,firewalld} && \
+ mkdir -p /exports/hostfs/usr/share/polkit-1/actions && \
+ mkdir -p /exports/hostfs/etc/dbus-1/system.d && \
+ cp /etc/sysconfig/firewalld /exports/hostfs/etc/sysconfig && \
+ # Copy all the polkit related files into current polkit
+ cp /usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.* /exports/hostfs/usr/share/polkit-1/actions && \
+ # Copy entire firewalld related configuration file into host
+ cp -r /etc/firewalld/* /exports/hostfs/etc/firewalld && \
+ # Copy the dbus configuration file into the host
+ cp /etc/dbus-1/system.d/FirewallD.conf /exports/hostfs/etc/dbus-1/system.d && \
+ # We need /var/log/firewalld for firewalld to write messages
+ touch /exports/hostfs/var/log/firewalld
+
+
+COPY run.sh /usr/bin/
+
+# System container files
+COPY tmpfiles.template service.template manifest.json config.json.template /exports/
+
+CMD ["/usr/bin/run.sh"]
+
diff --git a/firewalld/config.json.template b/firewalld/config.json.template
new file mode 100644
index 0000000..cb7651f
--- /dev/null
+++ b/firewalld/config.json.template
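Review bot: `FROM registry.fedoraproject.org/fedora:latest` is an unpinned tag, so two builds of this same commit can pick up different firewalld versions while the `version="$VERSION"` label stays at `VERSION=0`; pin the base to a release tag (`FROM registry.fedoraproject.org/fedora:<release-tag>`, placeholder) and derive the label from the installed package. `$FGC` and `$DISTTAG` used in the `LABEL` are not set anywhere in this file, so the plain `docker build` the README describes produces `name="/firewalld"` and `release="1."`; if the Fedora container build pipeline is expected to supply them, a comment next to the `ENV` line saying so would stop readers from treating it as a bug. The `# Would it be too large to use fedora as base?` question reads better in the commit message than left in the file.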
@@ -0,0 +1,388 @@
+{
+ "ociVersion": "1.0.0",
+ "platform": {
+ "os": "linux",
+ "arch": "amd64"
+ },
+ "process": {
+ "terminal": false,
+ "user": {
+ "uid": 0,
+ "gid": 0
+ },
+ "args": [
+ "/usr/bin/run.sh"
+ ],
+ "env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "TERM=xterm",
+ "NAME=$NAME"
+ ],
+ "cwd": "/",
+ "capabilities": {
+ "bounding": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "permitted": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "inheritable": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "effective": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ],
+ "ambient": [
+ "CAP_CHOWN",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_DAC_OVERRIDE",
+ "CAP_MAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ"
+ ]
+ },
+ "noNewPrivileges": false
+ },
+ "root": {
+ "path": "rootfs",
+ "readonly": true
+ },
+ "hooks": {},
+ "linux": {
+ "resources": {
+ "devices": [
+ {
+ "allow": true,
+ "access": "rwm"
+ }
+ ]
+ },
+ "namespaces": [
+ {
+ "type": "mount"
+ }
+ ]
+ },
+ "mounts": [
+ {
+ "destination": "/proc",
+ "type": "proc",
+ "source": "proc"
+ },
+ {
+ "type": "bind",
+ "source": "/dev",
+ "destination": "/dev",
+ "options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/dev/log",
+ "destination": "/dev/log",
+ "options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "destination": "/dev/pts",
+ "type": "devpts",
+ "source": "devpts",
+ "options": [
+ "nosuid",
+ "noexec",
+ "newinstance",
+ "ptmxmode=0666",
+ "mode=0620",
+ "gid=5"
+ ]
+ },
+ {
+ "destination": "/dev/shm",
+ "type": "tmpfs",
+ "source": "shm",
+ "options": [
+ "nosuid",
+ "noexec",
+ "nodev",
+ "mode=1777",
+ "size=65536k"
+ ]
+ },
+ {
+ "destination": "/sys",
+ "type": "bind",
+ "source": "/sys",
+ "options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/home",
+ "destination": "/home",
+ "options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/root",
+ "destination": "/root",
+ "options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/etc/firewalld",
+ "destination": "/etc/firewalld",
+ "options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/etc/sysconfig/firewalld",
+ "destination": "/etc/sysconfig/firewalld",
+ "options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "destination": "/etc/resolv.conf",
+ "type": "bind",
+ "source": "/etc/resolv.conf",
+ "options": [
+ "ro",
+ "rbind",
+ "rprivate"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "${RUN_DIRECTORY}/dbus/system_bus_socket",
+ "destination": "/var/run/dbus/system_bus_socket",
+ "options": [
+ "ro",
+ "rbind",
+ "rprivate"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "${RUN_DIRECTORY}/${NAME}",
+ "destination": "/run/firewalld",
+ "options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ },
+ {
+ "type": "bind",
+ "source": "/var/log/firewalld",
+ "destination": "/var/log/firewalld",
+ "options": [
+ "rbind",
+ "rw",
+ "mode=755"
+ ]
+ }
+ ]
+}
diff --git a/firewalld/manifest.json b/firewalld/manifest.json
new file mode 100644
index 0000000..0445027
--- /dev/null
+++ b/firewalld/manifest.json
@@ -0,0 +1,3 @@
+{
+ "version": "1.0"
+}
diff --git a/firewalld/run.sh b/firewalld/run.sh
new file mode 100755
index 0000000..dc84210
--- /dev/null
+++ b/firewalld/run.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+OPTIONS="--nofork --nopid"
+. /etc/sysconfig/firewalld
+exec /usr/sbin/firewalld $OPTIONS
diff --git a/firewalld/service.template b/firewalld/service.template
new file mode 100644
index 0000000..0da8bdd
--- /dev/null
+++ b/firewalld/service.template
@@ -0,0 +1,19 @@
+[Unit]
+Description=firewalld - dynamic firewall daemon
+Before=network-pre.target
+Wants=network-pre.target
+After=dbus.service
+Requires=dbus.service
+Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
+
+[Service]
+Type=notify
+EnvironmentFile=-/etc/sysconfig/firewalld
+ExecStart=$EXEC_START
+ExecStop=$EXEC_STOP
+Restart=on-failure
+WorkingDirectory=$DESTDIR
+RuntimeDirectory=${NAME}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/firewalld/tmpfiles.template b/firewalld/tmpfiles.template
new file mode 100644
index 0000000..e69de29
From 4992b606b3b5ae58efd065a240aac495320b0fe8 Mon Sep 17 00:00:00 2001
From: Ruixin Bao
Date: Fri, 24 Nov 2017 15:28:00 +0000
Subject: [PATCH 2/7] fixup! WIP: firewalld system containers
---
firewalld/Dockerfile | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/firewalld/Dockerfile b/firewalld/Dockerfile
index 96ec234..1da60d0 100644
--- a/firewalld/Dockerfile
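Review bot: The process gets the entire capability list in all five sets, `"noNewPrivileges": false`, and a blanket device rule `"allow": true, "access": "rwm"`, which is far wider than a firewall daemon needs; firewalld's job is netfilter configuration, so it needs `CAP_NET_ADMIN` and `CAP_NET_RAW` (plus `CAP_SYS_MODULE` if it is meant to load kernel modules itself, as the later `kmod` and `/usr/lib/modules` changes suggest), and the lists should be cut down to what it actually fails without. This matters more than usual here because only a `mount` namespace is listed, so the daemon already shares the host's network, pid and ipc namespaces and has `/dev` and `/sys` bound `rw`; an unneeded `CAP_SYS_ADMIN` or `CAP_SYS_PTRACE` in that position means a compromised daemon is effectively unconfined on the host. The device rule can be dropped entirely unless a specific device node is required, in which case list only that one. `"readonly": true` on the root filesystem is the right call and worth keeping as the set is narrowed.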
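Review bot: `run.sh` sources `/etc/sysconfig/firewalld` and then starts the daemon with only its own `$OPTIONS`, so anything an administrator sets in that file (the packaged unit passes `$FIREWALLD_ARGS` from it) is read and silently ignored; either pass it through, `exec /usr/sbin/firewalld $OPTIONS $FIREWALLD_ARGS`, or drop the `.` line so the file is not half-honoured. Sourcing also runs the file as shell rather than parsing `KEY=VALUE` pairs the way `EnvironmentFile=` does, and bash continues past a missing file, so guard it: `[ -r /etc/sysconfig/firewalld ] && . /etc/sysconfig/firewalld`. A two-line header comment stating that `--nofork --nopid` are fixed because the container runtime is the supervisor, and that the sysconfig file is the host's copy bound into the container, would make the script self-explanatory.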
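Review bot: `EnvironmentFile=-/etc/sysconfig/firewalld` most likely has no effect on the daemon: `config.json.template` sets `process.env` to a fixed list (`PATH`, `TERM`, `NAME`), so what systemd loads from the file is not what the container process sees, which is presumably why `run.sh` re-sources the file inside the container. Either drop the line or add a comment that it only affects the `$EXEC_START`/`$EXEC_STOP` commands on the host side, so the two mechanisms are not mistaken for one.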
+++ b/firewalld/Dockerfile
@@ -30,6 +30,13 @@ RUN dnf install --setopt=tsflags=nodocs -y firewalld && \
 # We need /var/log/firewalld for firewalld to write messages
 touch /exports/hostfs/var/log/firewalld
 
+# Copy the associated binaries to the corresponding location, because firewalld going to use them
+RUN mkdir -p /exports/hostfs/sbin && \
+ mkdir -p /exports/hostfs/usr/sbin && \
+ mkdir -p /exports/hostfs/usr/lib/firewalld && \
+ cp -r /usr/lib/firewalld/* /exports/hostfs/usr/lib/firewalld && \
+ cp /usr/sbin/ebtables /exports/hostfs/usr/sbin/ && \
+ cp /usr/sbin/ipset /exports/hostfs/sbin/
 
 COPY run.sh /usr/bin/
 
@@ -37,4 +44,3 @@ COPY run.sh /usr/bin/
 COPY tmpfiles.template service.template manifest.json config.json.template /exports/
 
 CMD ["/usr/bin/run.sh"]
-
From 67037e037a8f8c2dc7953a8319d95f59de57a7c1 Mon Sep 17 00:00:00 2001
From: Ruixin Bao
Date: Mon, 4 Dec 2017 04:33:51 +0000
Subject: [PATCH 3/7] fixup! WIP: firewalld system containers
---
firewalld/Dockerfile | 15 +++----
firewalld/config.json.template | 63 ++--------------------------------
firewalld/service.template | 3 +-
3 files changed, 9 insertions(+), 72 deletions(-)
diff --git a/firewalld/Dockerfile b/firewalld/Dockerfile
index 1da60d0..2ff2cf2 100644
--- a/firewalld/Dockerfile
+++ b/firewalld/Dockerfile
@@ -13,16 +13,16 @@ LABEL com.redhat.component="firewalld" \
 maintainer="Rui xin Bao " \
 atomic.type="system"
 
-RUN dnf install --setopt=tsflags=nodocs -y firewalld && \
- rpm -V firewalld && \
+RUN dnf install --setopt=tsflags=nodocs -y firewalld kmod && \
+ rpm -V firewalld kmod && \
 dnf clean all && \
 mkdir -p /exports/hostfs/var/log/ && \
 mkdir -p /exports/hostfs/etc/{sysconfig,firewalld} && \
- mkdir -p /exports/hostfs/usr/share/polkit-1/actions && \
+ mkdir -p /exports/hostfs/usr/local/share/polkit-1/actions && \
 mkdir -p /exports/hostfs/etc/dbus-1/system.d && \
 cp /etc/sysconfig/firewalld /exports/hostfs/etc/sysconfig && \
 # Copy all the polkit related files into current polkit
- cp /usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.* /exports/hostfs/usr/share/polkit-1/actions && \
+ cp /usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.* /exports/hostfs/usr/local/share/polkit-1/actions && \
 # Copy entire firewalld related configuration file into host
 cp -r /etc/firewalld/* /exports/hostfs/etc/firewalld && \
 # Copy the dbus configuration file into the host
@@ -31,12 +31,7 @@ RUN dnf install --setopt=tsflags=nodocs -y firewalld && \
 touch /exports/hostfs/var/log/firewalld
 
 # Copy the associated binaries to the corresponding location, because firewalld going to use them
-RUN mkdir -p /exports/hostfs/sbin && \
- mkdir -p /exports/hostfs/usr/sbin && \
- mkdir -p /exports/hostfs/usr/lib/firewalld && \
- cp -r /usr/lib/firewalld/* /exports/hostfs/usr/lib/firewalld && \
- cp /usr/sbin/ebtables /exports/hostfs/usr/sbin/ && \
- cp /usr/sbin/ipset /exports/hostfs/sbin/
+RUN cp -r /usr/lib/firewalld/* /exports/hostfs/etc/firewalld
 
 COPY run.sh /usr/bin/
 
diff --git a/firewalld/config.json.template b/firewalld/config.json.template
index cb7651f..ffb0ecd 100644
--- a/firewalld/config.json.template
+++ b/firewalld/config.json.template
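Review bot: The polkit policy is now exported to `/usr/local/share/polkit-1/actions`, but polkitd reads action files from its compiled-in data directory, `/usr/share/polkit-1/actions`, and I am not aware of a `/usr/local/share` fallback, so `org.fedoraproject.FirewallD1.*` would most likely stay unregistered on the host and polkit-mediated calls into the daemon from unprivileged callers would be refused. If `/usr` is read-only on the target host, the policy has to reach polkit some other way (a host package, or an install note that the file must be placed by the administrator) rather than a path polkit ignores; please confirm against the polkit version on the host before relying on this. The `kmod` addition on the `dnf install` line also deserves a short comment, e.g. `# kmod: modprobe for the netfilter modules firewalld loads`, since nothing in the hunk says why it is needed.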
@@ -1,9 +1,5 @@
 {
 "ociVersion": "1.0.0",
- "platform": {
- "os": "linux",
- "arch": "amd64"
- },
 "process": {
 "terminal": false,
 "user": {
@@ -259,41 +255,6 @@
 "mode=755"
 ]
 },
- {
- "type": "bind",
- "source": "/dev/log",
- "destination": "/dev/log",
- "options": [
- "rbind",
- "rw",
- "mode=755"
- ]
- },
- {
- "destination": "/dev/pts",
- "type": "devpts",
- "source": "devpts",
- "options": [
- "nosuid",
- "noexec",
- "newinstance",
- "ptmxmode=0666",
- "mode=0620",
- "gid=5"
- ]
- },
- {
- "destination": "/dev/shm",
- "type": "tmpfs",
- "source": "shm",
- "options": [
- "nosuid",
- "noexec",
- "nodev",
- "mode=1777",
- "size=65536k"
- ]
- },
 {
 "destination": "/sys",
 "type": "bind",
@@ -304,26 +265,6 @@
 "mode=755"
 ]
 },
- {
- "type": "bind",
- "source": "/home",
- "destination": "/home",
- "options": [
- "rbind",
- "rw",
- "mode=755"
- ]
- },
- {
- "type": "bind",
- "source": "/root",
- "destination": "/root",
- "options": [
- "rbind",
- "rw",
- "mode=755"
- ]
- },
 {
 "type": "bind",
 "source": "/etc/firewalld",
@@ -336,8 +277,8 @@
 },
 {
 "type": "bind",
- "source": "/etc/sysconfig/firewalld",
- "destination": "/etc/sysconfig/firewalld",
+ "source": "/etc/sysconfig",
+ "destination": "/etc/sysconfig",
 "options": [
 "rbind",
 "rw",
diff --git a/firewalld/service.template b/firewalld/service.template
index 0da8bdd..b0346fa 100644
--- a/firewalld/service.template
+++ b/firewalld/service.template
@@ -7,13 +7,14 @@ Requires=dbus.service
 Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
 
 [Service]
-Type=notify
 EnvironmentFile=-/etc/sysconfig/firewalld
 ExecStart=$EXEC_START
 ExecStop=$EXEC_STOP
 Restart=on-failure
 WorkingDirectory=$DESTDIR
 RuntimeDirectory=${NAME}
+Type=dbus
+BusName=org.fedoraproject.FirewallD1
 
 [Install]
 WantedBy=multi-user.target
From c561373033d9eb6b479a7eff4ec7a349de81e7b1 Mon Sep 17 00:00:00 2001
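Review bot: Replacing the single-file bind of `/etc/sysconfig/firewalld` with a read-write bind of the whole `/etc/sysconfig` directory (last hunk of this file) gives the container write access to every service's host configuration, although `run.sh` only reads the one file and the daemon never writes it. If the file bind was dropped because the source path may be missing when the container starts, bind the directory read-only instead (`"rbind", "ro"` in place of `"rw"`), or keep the file bind and rely on the Dockerfile's `/exports/hostfs/etc/sysconfig/firewalld` export, which appears intended to create that file on install. Dropping `/home`, `/root`, `/dev/log`, devpts and shm in the earlier hunks is the right direction for a daemon that runs in the host namespaces.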
From: Ruixin Bao
Date: Mon, 4 Dec 2017 20:13:01 +0000
Subject: [PATCH 4/7] fixup! WIP: firewalld system containers
---
firewalld/Dockerfile | 8 +++-----
firewalld/config.json.template | 10 ++++++++++
firewalld/service.template | 1 +
3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/firewalld/Dockerfile b/firewalld/Dockerfile
index 2ff2cf2..69d743a 100644
--- a/firewalld/Dockerfile
+++ b/firewalld/Dockerfile
@@ -20,19 +20,17 @@ RUN dnf install --setopt=tsflags=nodocs -y firewalld kmod && \
 mkdir -p /exports/hostfs/etc/{sysconfig,firewalld} && \
 mkdir -p /exports/hostfs/usr/local/share/polkit-1/actions && \
 mkdir -p /exports/hostfs/etc/dbus-1/system.d && \
+ cp /etc/sysconfig/firewalld /exports/hostfs/etc/sysconfig && \
- # Copy all the polkit related files into current polkit
+ # Copy all the polkit related policy file into a substitute folder '/usr/local/share' as other /usr parts are read only
 cp /usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.* /exports/hostfs/usr/local/share/polkit-1/actions && \
 # Copy entire firewalld related configuration file into host
 cp -r /etc/firewalld/* /exports/hostfs/etc/firewalld && \
- # Copy the dbus configuration file into the host
+ # Copy the dbus configuration file into the host, as we are using host's dbus socket
 cp /etc/dbus-1/system.d/FirewallD.conf /exports/hostfs/etc/dbus-1/system.d && \
 # We need /var/log/firewalld for firewalld to write messages
 touch /exports/hostfs/var/log/firewalld
-# Copy the associated binaries to the corresponding location, because firewalld going to use them
-RUN cp -r /usr/lib/firewalld/* /exports/hostfs/etc/firewalld
-
 COPY run.sh /usr/bin/
 
 # System container files
diff --git a/firewalld/config.json.template b/firewalld/config.json.template
index ffb0ecd..28f8b56 100644
--- a/firewalld/config.json.template
+++ b/firewalld/config.json.template
@@ -324,6 +324,16 @@
 "rw",
 "mode=755"
 ]
+ },
+ {
+ "type": "bind",
+ "source": "/usr/lib/modules",
+ "destination": "/usr/lib/modules",
+ "options": [
+ "rbind",
+ "ro",
+ "rslave"
+ ]
 }
 ]
 }
diff --git a/firewalld/service.template b/firewalld/service.template
index b0346fa..e831d8e 100644
--- a/firewalld/service.template
+++ b/firewalld/service.template
@@ -15,6 +15,7 @@ WorkingDirectory=$DESTDIR
 RuntimeDirectory=${NAME}
 Type=dbus
 BusName=org.fedoraproject.FirewallD1
+KillMode=none
 
 [Install]
 WantedBy=multi-user.target
From ba674b85e61da53cfcf29c509da66d68a9030af5 Mon Sep 17 00:00:00 2001
From: Ruixin Bao
Date: Mon, 4 Dec 2017 20:13:26 +0000
Subject: [PATCH 5/7] firewalld: Add documentation Includes initial README.md file for guidelines
---
firewalld/README.md | 65 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
create mode 100644 firewalld/README.md
diff --git a/firewalld/README.md b/firewalld/README.md
new file mode 100644
index 0000000..2e79932
--- /dev/null
+++ b/firewalld/README.md
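Review bot: `KillMode=none` tells systemd to send no signal at all on stop, so if `$EXEC_STOP` fails or times out the `firewalld` process keeps running on the host after `systemctl stop` has returned, and the next start then competes with it for the `org.fedoraproject.FirewallD1` bus name. Unless the container runtime specifically needs it, prefer the default `control-group`, or `KillMode=mixed` so a failed `ExecStop=` still ends with the cgroup terminated; if it really is required, record why with a comment such as `# KillMode=none: the runtime tears the container down in ExecStop`. The `/usr/lib/modules` bind in the first hunk being `ro` with `rslave` is the right shape for host module access.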
@@ -0,0 +1,65 @@
+# firewalld
+
+This is firewalld daemon as a system container.
+
+## Building the image from source:
+
+```
+# git clone https://github.com/projectatomic/atomic-system-containers
+# cd atomic-system-containers/firewalld
+# docker build -t firewalld .
+```
+
+## Running the system container, with the atomic CLI:
+
+Pull from registry into ostree:
+
+```
+# atomic pull --storage ostree $REGISTRY/firewalld
+```
+
+Or alternatively, pull from local docker:
+
+```
+# atomic pull --storage ostree docker:firewalld:latest
+```
+
+Install the container:
+
+Currently we recommend using --system-package=no to avoid having rpmbuild create an rpm file
+during installation. This flag will tell the atomic CLI to fall back to copying files to the
+host instead.
+
+```
+# atomic install --system --system-package=no --name=firewalld ($REGISTRY)/firewalld
+```
+
+Or alternatively, without specifying Registry, it will default to ostree image:
+
+```
+# atomic install --system --system-package=no --name=firewalld firewalld
+```
+
+Start as a systemd service:
+
+```
+# systemctl start firewalld
+```
+
+Stopping the service
+
+```
+# systemctl stop firewalld
+```
+
+Removing the container
+
+```
+# atomic uninstall firewalld
+```
+
+Or alternatively, you can do:
+
+```
+# atomic containers delete firewalld
+```
From f310fe1d8f4ab306b8cd291587085ad07e0da233 Mon Sep 17 00:00:00 2001
From: Ruixin Bao
Date: Thu, 7 Dec 2017 17:30:12 +0000
Subject: [PATCH 6/7] fixup! WIP: firewalld system containers
---
firewalld/service.template | 2 ++
1 file changed, 2 insertions(+)
diff --git a/firewalld/service.template b/firewalld/service.template
index e831d8e..3771a34 100644
--- a/firewalld/service.template
+++ b/firewalld/service.template
@@ -3,7 +3,9 @@ Description=firewalld - dynamic firewall daemon
 Before=network-pre.target
 Wants=network-pre.target
 After=dbus.service
+After=polkit.service
 Requires=dbus.service
+Wants=polkit.service
 Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
 
 [Service]
From 50479bbd5e85c36eddb3c0652be16bf193086745 Mon Sep 17 00:00:00 2001
From: Ruixin Bao
Date: Thu, 7 Dec 2017 17:32:15 +0000
Subject: [PATCH 7/7] fixup! firewalld: Add documentation
---
firewalld/README.md | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/firewalld/README.md b/firewalld/README.md
index 2e79932..378cc06 100644
--- a/firewalld/README.md
+++ b/firewalld/README.md
@@ -40,6 +40,13 @@ Or alternatively, without specifying Registry, it will default to ostree image:
 # atomic install --system --system-package=no --name=firewalld firewalld
 ```
 
+Before you start the service, you need to reload dbus before it considers
+the new configuration. (make sure you are under root when execute this!)
+
+```
+killall -SIGHUP dbus-daemon
+```
+
 Start as a systemd service:
 
 ```