Request 847328 (accepted)

Overview

Request 847328 accepted

- Remove the patch which enforces usage of iptables instead of
nftables:
* 0001-firewall-backend-Switch-default-backend-to-iptables.patch
- Add firewalld zone for the docker0 interface. This is the
workaround for lack of nftables support in docker. Without that
additional zone, containers have no Internet connectivity.
(rhbz#1817022)
- Update to 0.9.1:
* Bugfixes:
* docs(firewall-cmd): clarify lockdown whitelist command paths
* fix(dbus): getActivePolicies shouldn't return a policy if a zone is not active
* fix(policy): zone interface/source changes should affect all using zone (forwarded request 847325 from mrostecki)

Created by mrostecki over 3 years ago
In state accepted

Submit firewalld

Comments for request 847328 9

Michał Rostecki (mrostecki) - over 3 years ago

author source maintainer

This change will break OpenQA tests, but the following PR should fix them:

https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/11367

@dimstar: I'm not sure what should be accepted first - this SR or the PR on github?

Fabian Vogt (Vogtinator) - over 3 years ago

The openQA test should detect whether it has to use nftables or iptables, at least for the time being. Otherwise it would either break in Staging or for openSUSE:Factory.

Michał Rostecki (mrostecki) - over 3 years ago

author source maintainer

See my PR - currently firewalld tests explicitly expect iptables rules to exist and I'm pretty sure lines like this one are going to fail after switching the backend to nftables:

https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/tests/console/firewalld.pm#L46

Dominique Leuenberger (dimstar) - over 3 years ago

reviewer

Thanks for the heads-up;

Not the 'easiest' way forward with a test working either/or - but we'll manage to deal with it (assuming the test change really works).

I envision something like this:

Build Staging with new firewalld
Let it run with the currently merged code -> fail (but openSUSE:Factory still working)
Clone the job with the PR as test repo -> should succeed (for staging ok, the 'latest' test counts)
Checkin firewalld to openSUSE:Factory
merge the PR
Rebase all not-yet accepted stagings, so they all have the right firewalld version matching the new test code

Dominique Leuenberger (dimstar) - over 3 years ago

reviewer

openQA (after merge) looks bad here.

There is the expected 'firewalld' test failing (for which we have a PR; ok then)
docker-compose: failure to connect to a local container (https://openqa.opensuse.org/tests/1470965#step/docker_compose/48)

is the 2nd one fixable without reverting to iptables?

Dominique Leuenberger (dimstar) - over 3 years ago

reviewer

Another test failure: yast2_ftp test assumes iptables:

https://progress.opensuse.org/issues/77896

Michał Rostecki (mrostecki) - over 3 years ago

author source maintainer

OK, I will fix it on Monday.

Michał Rostecki (mrostecki) - over 3 years ago

author source maintainer

The docker-compose test can be fixed by backporting this PR to our docker package:

https://github.com/moby/libnetwork/pull/2548