Overview
Request 847328 accepted
- Remove the patch which enforces usage of iptables instead of
nftables:
* 0001-firewall-backend-Switch-default-backend-to-iptables.patch
- Add firewalld zone for the docker0 interface. This is the
workaround for lack of nftables support in docker. Without that
additional zone, containers have no Internet connectivity.
(rhbz#1817022)
- Update to 0.9.1:
* Bugfixes:
* docs(firewall-cmd): clarify lockdown whitelist command paths
* fix(dbus): getActivePolicies shouldn't return a policy if a zone is not active
* fix(policy): zone interface/source changes should affect all using zone (forwarded request 847325 from mrostecki)
Request History
mrostecki created request
- Remove the patch which enforces usage of iptables instead of
nftables:
* 0001-firewall-backend-Switch-default-backend-to-iptables.patch
- Add firewalld zone for the docker0 interface. This is the
workaround for lack of nftables support in docker. Without that
additional zone, containers have no Internet connectivity.
(rhbz#1817022)
- Update to 0.9.1:
* Bugfixes:
* docs(firewall-cmd): clarify lockdown whitelist command paths
* fix(dbus): getActivePolicies shouldn't return a policy if a zone is not active
* fix(policy): zone interface/source changes should affect all using zone (forwarded request 847325 from mrostecki)
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto accepted review
Check script succeeded
licensedigger accepted review
ok
dimstar_suse set openSUSE:Factory:Staging:E as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:E"
dimstar_suse accepted review
Picked "openSUSE:Factory:Staging:E"
dimstar accepted review
dimstar_suse accepted review
Staging Project openSUSE:Factory:Staging:E got accepted.
dimstar_suse approved review
Staging Project openSUSE:Factory:Staging:E got accepted.
dimstar_suse accepted request
Staging Project openSUSE:Factory:Staging:E got accepted.
This change will break OpenQA tests, but the following PR should fix them:
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/11367
@dimstar: I'm not sure what should be accepted first - this SR or the PR on github?
The openQA test should detect whether it has to use nftables or iptables, at least for the time being. Otherwise it would either break in Staging or for openSUSE:Factory.
See my PR - currently firewalld tests explicitly expect iptables rules to exist and I'm pretty sure lines like this one are going to fail after switching the backend to nftables:
https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/tests/console/firewalld.pm#L46
Thanks for the heads-up;
Not the 'easiest' way forward with a test working either/or - but we'll manage to deal with it (assuming the test change really works).
I envision something like this:
openQA (after merge) looks bad here.
is the 2nd one fixable without reverting to iptables?
Another test failure: yast2_ftp test assumes iptables:
https://progress.opensuse.org/issues/77896
OK, I will fix it on Monday.
The docker-compose test can be fixed by backporting this PR to our docker package:
https://github.com/moby/libnetwork/pull/2548
I already started doing it. After testing it properly, I will submit a SR to docker, hopefully on Monday.
Fix for docker-compose:
https://build.opensuse.org/request/show/848861
https://build.opensuse.org/request/show/848862