
Re: [atomic-devel] firewalld in atomic host



On Tue, Apr 25, 2017 at 5:42 AM, Ben Breard <bbreard redhat com> wrote:
> I'm starting to warm up to the idea of adding firewalld in Atomic Host. If
> we do this, it would be a requirement to clean up the absurd default zones &
> policies and have something relevant for AH out of the box.

+1

for AH, and to play nice with OCP/Kube by default - if used in that use-case.

- fabian

> On Mon, Apr 24, 2017 at 9:13 PM, Jason DeTiberus <jdetiber redhat com>
> wrote:
>>
>>
>>
>> On Sun, Apr 23, 2017 at 11:33 PM, Dusty Mabe <dusty dustymabe com> wrote:
>>>
>>>
>>>
>>> On 04/21/2017 01:42 PM, Jason DeTiberus wrote:
>>> >
>>> > While I can see firewalld improving the situation wrt documenting how
>>> > to add/persist firewall changes for Atomic Host (especially when using
>>> > moby/docker), I think there is a bigger concern with firewalld being absent.
>>> > If a user is running multiple applications that modify the host firewall
>>> > (docker, Kubernetes, OpenShift, etc), firewalld provides a way to make
>>> > firewall modifications in a consistent and repeatable manner, where iptables
>>> > does not. There is the --wait flag for iptables, however any
>>> > applications/users that are interacting with iptables will need to ensure
>>> > they use it consistently.
>>> >
>>>
>>> So you are saying firewalld makes your life easier if it was
>>> available?
>>
>>
>> Correct. The iptables-based management that is done in openshift-ansible
>> has always been a hack that was only meant to be a stopgap until firewalld
>> was fully supported up and down the entire stack. There are way too many
>> edge cases that could cause issues with the create/save/restore process. We
>> tried to limit those by using a dedicated chain for openshift-ansible rules,
>> but having another process modify rules without using '-w' or other
>> modifications to the firewall could inadvertently be persisted with the
>> iptables-save.
>>
>> As mentioned in another reply on the thread, layered packages would allow
>> for firewalld to be used today, but the restart requirement adds another
>> level of complexity that adds the potential for non-determinism to the
>> OpenShift install process. Having both iptables and firewalld available in
>> the base would allow for parity between AH-based and non-AH-based installs.
>>
>> --
>> Jason DeTiberus
>
>
>
>
> --
>
> Ben Breard
> Sr Technology Product Manager - Linux Containers
> Mobile: 972-816-9081
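The hazard Jason describes above (a dedicated chain for the installer's rules, but a plain iptables-save that also persists whatever docker or kube-proxy inserted at runtime) is easy to see on a captured dump. The following is an added example and not openshift-ansible's or Atomic Host's code: it parses an iptables-save dump, lists the rules a naive save would persist even though the installer does not own them, and renders a restore file limited to the builtin chain policies, the owned chain, the jump into it and the owned chain's own rules. The chain name OS_FIREWALL_ALLOW and the sample dump are constructed for the example.

```python
"""Restrict what gets persisted from iptables-save to one owned chain.

Added example, not openshift-ansible code. The chain name OS_FIREWALL_ALLOW
and SAMPLE_DUMP below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of what `iptables-save` prints on a host where docker
# and kube-proxy have already added rules of their own.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.21 on Tue Apr 25 12:00:00 2017
*nat
:PREROUTING ACCEPT [12:744]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [930:81220]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:KUBE-FIREWALL - [0:0]
:OS_FIREWALL_ALLOW - [0:0]
-A INPUT -j OS_FIREWALL_ALLOW
-A INPUT -j KUBE-FIREWALL
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A KUBE-FIREWALL -m mark --mark 0x8000/0x8000 -j DROP
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
COMMIT
# Completed on Tue Apr 25 12:00:00 2017
"""

# ":CHAIN POLICY [pkts:bytes]"  and  "-A CHAIN ..." / "-I CHAIN ..."
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[\d+:\d+\]$")
RULE_RE = re.compile(r"^-[AI]\s+(\S+)\s")

# per table: (list of (chain, policy), list of (chain, full rule line))
Table = Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]


def parse_dump(dump: str) -> Dict[str, Table]:
    """Split an iptables-save dump into tables, chain declarations and rules."""
    tables: Dict[str, Table] = {}
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = ([], [])
            continue
        if table is None:
            raise ValueError(f"entry before any *table line: {line}")
        m = CHAIN_RE.match(line)
        if m:
            tables[table][0].append((m.group(1), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if m:
            tables[table][1].append((m.group(1), line))
    return tables


def _jumps_to(line: str, chain: str) -> bool:
    """True for the hook rule that jumps from a builtin chain into `chain`."""
    parts = line.split()
    return len(parts) >= 2 and parts[-2:] == ["-j", chain]


def foreign_rules(dump: str, owned: str) -> List[Tuple[str, str]]:
    """Rules a plain iptables-save would persist although the installer does
    not own them: everything outside `owned` except the jump into it."""
    found = []
    for table, (_chains, rules) in parse_dump(dump).items():
        for chain, line in rules:
            if chain == owned or _jumps_to(line, owned):
                continue
            found.append((table, line))
    return found


def persist_subset(dump: str, owned: str) -> str:
    """Render an iptables-restore file holding only builtin chain policies,
    the owned chain, the jump into it and the owned chain's rules. Tables
    without the owned chain are left out; counters are zeroed for stability."""
    out = []
    for table, (chains, rules) in parse_dump(dump).items():
        if not any(name == owned for name, _ in chains):
            continue
        out.append(f"*{table}")
        for name, policy in chains:
            if policy != "-" or name == owned:   # builtins keep their policy
                out.append(f":{name} {policy} [0:0]")
        for chain, line in rules:
            if chain == owned or _jumps_to(line, owned):
                out.append(line)
        out.append("COMMIT")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for table, line in foreign_rules(SAMPLE_DUMP, "OS_FIREWALL_ALLOW"):
        print(f"would have been persisted from *{table}: {line}")
    print(persist_subset(SAMPLE_DUMP, "OS_FIREWALL_ALLOW"), end="")
```

Two caveats belong with this. First, the filter only bounds what is written to disk; it does nothing about the live-ruleset race that `-w` exists for, and a process that skips `-w` can still fail or clobber a concurrent change. Second, how the file is restored matters: a flushing `iptables-restore` wipes the other applications' rules in every table the file mentions, while `iptables-restore --noflush` leaves them alone but re-appends the INPUT jump on every run unless the restore step checks for it first. Persisting through firewalld's permanent configuration sidesteps both problems, which is the point Jason is making.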

