Cross-posted with this Project Atomic blog post
TL;DR
Fedora Atomic Host (and derivatives) will now include the firewalld package in the base OSTree that is tested, delivered, and released every two weeks. Existing users should observe no change, as it won’t be enabled by default.
Firewalld in Atomic Host
In the past we have had requests to have firewalld in Atomic Host to enable a better interface into firewall management for administrators and management software. It turns out that if you have lots of rules to manage, or even multiple pieces of software trying to manage different sets of rules on a single system, then iptables becomes a limitation pretty quickly.
Atomic Host users do have the ability to package layer firewalld, but live changes to the host are currently experimental. Since rebooting during system provisioning in certain environments is not desirable, and firewalld is relatively small, the Fedora Atomic Working Group decided to include firewalld in the base OSTree.
In order not to affect existing users, the firewalld service will be disabled by default. Existing users should observe no change in behavior. Users who want to use firewalld can enable/start the service and start using it immediately.
Scenarios
So you’re an existing or new user of Atomic Host. What does this mean for you?
I have Atomic Host systems that are already running:
You can rpm-ostree upgrade like normal. The new firewalld package will be delivered as part of updates but won’t be enabled, so you should see no change in functionality.
I use the Atomic Host cloud/vagrant images to start new systems:
Nothing will change here. We explicitly disable the firewall in the cloud image kickstarts since cloud environments typically have a higher level firewall mechanism, like security groups.
I install new systems interactively using the ISO:
You should be able to interactively install Atomic Host just fine. firewalld will not be enabled by default.
I install new systems using the ISO with a kickstart file:
In this case, if you don’t have a firewall ... line in the kickstart file then you need to add one to say what you want to do. You have three options:
firewall --enable
firewall --disable
firewall --use-system-defaults
The first two options are pretty clear. The last option is a little less clear. It was added to anaconda / pykickstart specifically so that we could ask anaconda to leave the system defaults in place; that way we can deliver a default in the OSTree and have anaconda respect it.
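As an added example (not code from the Project Atomic post), here is a POSIX shell pre-flight check that reports which of the three firewall directives a kickstart file declares and fails when none is present, so an ISO install is never started with the policy left unstated. The function name, the constructed sample kickstart fragment and the assumption that the last directive wins are mine.

```shell
#!/bin/sh
# Added example (not from the Project Atomic post): lint a kickstart file for
# an explicit firewall policy before provisioning an Atomic Host from the ISO.
# Prints one of: enabled, disabled, system-defaults. Returns 1 when the file
# has no active "firewall" directive or the directive is not recognised.
kickstart_firewall_policy() {
    ks="$1"
    [ -r "$ks" ] || { echo "cannot read $ks" >&2; return 2; }

    # Match only lines whose first word is the "firewall" command; comments,
    # blank lines and %post scripts that merely mention firewalld are ignored.
    pat='^[[:space:]]*firewall([[:space:]]|$)'
    count=$(grep -cE "$pat" "$ks" || :)
    if [ "$count" -eq 0 ]; then
        echo "$ks: no firewall directive; add one of:" >&2
        echo "  firewall --enable | firewall --disable | firewall --use-system-defaults" >&2
        return 1
    fi

    # Assumption: if the directive appears more than once, the last one wins.
    [ "$count" -gt 1 ] && echo "$ks: $count firewall directives, using the last" >&2
    last=$(grep -E "$pat" "$ks" | tail -n 1)

    case "$last" in
        *--use-system-defaults*) echo system-defaults ;;
        *--disable*)             echo disabled ;;   # also matches --disabled
        *--enable*)              echo enabled ;;    # also matches --enabled
        *) echo "$ks: unrecognised firewall directive: $last" >&2; return 1 ;;
    esac
}

# Constructed sample kickstart fragment for a stand-alone run.
sample_ks=$(mktemp)
cat > "$sample_ks" <<'EOF'
# firewall --disable   (commented out, must be ignored)
lang en_US.UTF-8
firewall --use-system-defaults
services --enabled=docker
EOF
kickstart_firewall_policy "$sample_ks"   # prints: system-defaults
rm -f "$sample_ks"
```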
Migrating a system to use firewalld
If you have booted a system and you want to configure it to use firewalld then you can simply enable/start it using systemctl. It’s a good idea to also restart docker, which does some detection on startup to determine what firewall management tool is used. You can do this by either restarting the docker service or rebooting your system so all services restart.
# systemctl enable firewalld
# systemctl start firewalld
# systemctl restart docker
Using firewalld with OpenShift Origin
If you want to use firewalld with OpenShift and you use the OpenShift Ansible installer then you can now set a few variables in your inventory file to tell the installer you want it to use firewalld to manage the firewall. Here are the variables:
[OSEv3:vars]
os_firewall_use_firewalld=true
openshift_enable_unsupported_configurations=true