File README.md of Package firewalld-container
# Firewalld Container Image

Firewall daemon (firewalld) container image with nftables as backend.

## Run a firewalld instance

The firewalld container needs access to the host network and needs to run as a privileged container.

This container image uses the system dbus instance. This means that you first need to install the dbus and polkit configuration files. Optionally you can use the dbus daemon provided by the container image, but then other applications on the host OS like NetworkManager, wicked, podman and similar cannot manage the firewall rules.

The container image provides four runlabels:

* INSTALL: installs the dbus and polkit files, a firewall-cmd wrapper and a systemd service
* UPDATE: updates the installed files if the ones from the container differ
* UNINSTALL: removes the files created by `INSTALL`, except for configuration files
* RUN: starts the container; /etc/firewalld and the dbus socket will be mounted into the container

### Initialize the system

```
# podman container runlabel install registry.opensuse.org/suse/alp/workloads/tumbleweed_images/suse/alp/workloads/firewalld
```

will prepare the system. The following files will be created on the host OS:

* /etc/dbus-1/system.d/FirewallD.conf
* /etc/polkit-1/actions/org.fedoraproject.FirewallD1.policy
* /etc/systemd/system/firewalld.service
* /etc/default/container-firewalld
* /usr/local/bin/firewall-cmd

The polkit policy will only be installed if polkit itself is installed. It may be necessary to restart the dbus and polkit daemons afterwards.

`/usr/local/bin/firewall-cmd` is a wrapper to call firewall-cmd inside the container. docker and podman are supported.

The systemd service and the corresponding config file `/etc/default/container-firewalld` allow starting and stopping the container with systemd if podman is used as container runtime.
### Running the container

#### runlabel

To run the firewall container with the label `RUN`:

```
# podman container runlabel run registry.opensuse.org/suse/alp/workloads/tumbleweed_images/suse/alp/workloads/firewalld
```

This command will run the container as a privileged container with host network. Additionally, /etc/firewalld and the dbus socket are mounted into the container.

#### systemd/podman

Adjust `/etc/default/container-firewalld` to your needs.

To start the container: `systemctl start firewalld`

To stop the container: `systemctl stop firewalld`

#### manual

```
# podman run -d --rm --network host --privileged -v /run/dbus/system_bus_socket:/run/dbus/system_bus_socket -v /etc/firewalld:/etc/firewalld --name firewalld registry.opensuse.org/suse/alp/workloads/tumbleweed_images/suse/alp/workloads/firewalld:latest
```

### De-install the files

```
# podman container runlabel uninstall registry.opensuse.org/suse/alp/workloads/tumbleweed_images/suse/alp/workloads/firewalld
```

will remove all generated files except the configuration files.

### Environment variables

```
DEBUG=[0|1]   Enable debug mode. Off by default.
DBUS=[0|1]    Start own dbus daemon. If not, a dbus socket needs to be provided. Disabled by default.
```

## Manage firewalld instance

The firewalld instance should be managed with the CLI via `podman exec` after the container has been started:

```
# podman exec firewalld firewall-cmd ...
```

or with the `/usr/local/bin/firewall-cmd` wrapper.
## firewalld documentation

The manual page for `firewalld` can be read with:

```
# podman run -it --rm registry.opensuse.org/suse/alp/workloads/tumbleweed_images/suse/alp/workloads/firewalld man firewalld
```

or for the `firewall-cmd` client:

```
# podman run -it --rm registry.opensuse.org/suse/alp/workloads/tumbleweed_images/suse/alp/workloads/firewalld man firewall-cmd
```

## Building containers

There are two ways to build a firewalld container:

* [firewalld-container.kiwi](firewalld-container.kiwi) is a template for [kiwi](https://github.com/OSInside/kiwi) using the openSUSE busybox container as base container.
* [Dockerfile](Dockerfile) is a template to build the image the traditional way using the openSUSE Tumbleweed base container. The result is much bigger than with busybox, and the Dockerfile does not really work yet.

## Reporting bugs

Please report bugs in [Bugzilla](https://bugzilla.suse.com/).