action #117616

closed

action #115187: [qe-core] Prepare for ALP - Schedule Firewalld tests for ALP

[qe-core] How to start the firewalld container

Added by dvenkatachala about 2 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
New test
Target version:
QA (public, currently private due to #173521) - QE-Core: Ready
Start date:
2023-05-25
Due date:
2023-05-25
% Done:
0%

Estimated time:
Difficulty:
Sprint:
QE-Core: October Sprint (Sep 28 - Oct 26)

Description

Santiago and I did a manual test to start the firewalld container in an ALP. Below are the steps followed:

  1. Disable the Host's firewalld
    #systemctl stop firewalld.service

  2. Identify the firewalld workload image:
    #podman search firewalld
    registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/firewalld

  3. Start the firewalld container:
    #podman run -d --network host --privileged --name my-firewalld registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/firewalld
    This will pull (download) the image from registry.opensuse.org if the image is not already in the local cache. The --network host means the container will run in the default network namespace and thus make firewall changes affecting the entire host.

  4. To make changes to firewalld running inside the container, podman exec must be used:
    #podman exec my-firewalld firewall-cmd
    State: running
    No options specified
    usage: 'firewall-cmd --help' for usage information or see firewall-cmd(1) man page

  5. Add port 9090 to enable the cockpit web server on ALP:
    #podman exec my-firewalld firewall-cmd --add-port=9090/tcp
    You're performing an operation over default zone ('public'),
    but your connections/interfaces are in zone 'docker' (see --get-active-zones)
    You most likely need to use --zone=docker option.

    success

Note:
Shell alias for convenience
The above is a long command. It can be made more convenient with a shell alias.

#alias my-firewall-cmd='podman exec my-firewalld firewall-cmd'
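The steps above as shell functions, added here as an example and not code from the ticket. The image path and the container name my-firewalld are the ones in the description; the variables FW_IMAGE and FW_NAME and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the ticket: the manual steps of the description
# as shell functions. The image path and container name "my-firewalld" come
# from the ticket; FW_IMAGE, FW_NAME and the function names are my own.
set -eu

FW_IMAGE="${FW_IMAGE:-registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/firewalld}"
FW_NAME="${FW_NAME:-my-firewalld}"

# Step 1 precondition: two firewalld instances managing one netfilter
# ruleset conflict, so the host's own service must be inactive.
host_firewalld_stopped() {
  ! systemctl is-active --quiet firewalld.service
}

# Step 3: --network host puts the container into the host's network
# namespace and --privileged lets it load netfilter rules, so whatever this
# container does is done to the host firewall. Refuse to start otherwise.
start_firewalld_container() {
  host_firewalld_stopped || { echo "stop host firewalld.service first" >&2; return 1; }
  podman run -d --network host --privileged --name "$FW_NAME" "$FW_IMAGE"
}

# Step 4: every firewall change goes through podman exec (this replaces the
# alias from the note and also forwards extra options such as --zone).
fw() {
  podman exec "$FW_NAME" firewall-cmd "$@"
}

# Step 5 with a check: open a port, then confirm firewalld reports it open.
# Pass the zone explicitly (the warning in step 5 says the interfaces are in
# zone "docker", not the default "public"); otherwise the rule goes to the
# default zone rather than the zone the interfaces are in.
open_port() { # usage: open_port 9090/tcp [zone]
  port=$1
  zone=${2:-}
  if [ -n "$zone" ]; then
    fw --zone="$zone" --add-port="$port" && fw --zone="$zone" --query-port="$port"
  else
    fw --add-port="$port" && fw --query-port="$port"
  fi
}
```

Run start_firewalld_container once, then open_port 9090/tcp docker; fw --get-active-zones shows which zone the interfaces are actually in.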


Related issues 3 (0 open, 3 closed)

Related to openQA Tests (public) - action #124209: [qe-core] Testing of PED-2828: ISC Kea DHCP server (Resolved, dvenkatachala, 2023-05-25, 2023-05-25)

Related to ALP - coordination #125846: [epic] March Prototype testing (Resolved, 2023-03-13)

Related to openQA Tests (public) - action #131189: [qe-core] Introduce firewalld container test in ALP (Resolved, amanzini, 2023-06-21)

Actions #1

Updated by dvenkatachala about 2 years ago

  • Parent task set to #110092
Actions #2

Updated by dvenkatachala about 2 years ago

  • Description updated (diff)
Actions #3

Updated by dvenkatachala about 2 years ago

  • Project changed from 46 to openQA Tests (public)
Actions #4

Updated by szarate about 2 years ago

  • Sprint set to QE-Core: October Sprint (Sep 28 - Oct 26)
  • Tags set to qe-core-october-sprint
  • Subject changed from [qe-core] How to start the firewalld container to [qe-core] How to start the firewalld container
  • Category set to New test
  • Status changed from New to In Progress
  • Assignee set to dvenkatachala
  • Target version set to QE-Core: Ready
  • Parent task changed from #110092 to #115187

Dee is working atm on enabling this on ALP

Actions #5

Updated by dvenkatachala about 2 years ago

Followed the below steps to run and verify the Firewalld Container Image:

  1. To run the firewall container with the label RUN
    # podman container runlabel run registry.opensuse.org/home/kukuk/container/firewalld
    Reference : https://github.com/thkukuk/firewalld-container#manage-firewalld-instance

  2. The firewalld instance should be managed with the CLI via podman exec after the container has been started:
    # podman exec firewalld firewall-cmd

    State: running

    No options specified
    usage: 'firewall-cmd --help' for usage information or see firewall-cmd(1) man page

  3. Start the python HTTP server on port 8080 in the background.
    # python3 -m http.server 8080&

  4. Send a GET request from the host machine
    # curl http://localhost:8080 - Should be successful

  5. Run the iptables command to reject traffic on port 8080
    # podman exec firewalld iptables -I INPUT -p tcp -m tcp --dport 8080 -j REJECT

    Verify the added rules with the command podman exec firewalld iptables -L

  6. Send a GET request from the host machine
    # curl http://localhost:8080 - Connection must be refused.

  7. As a clean-up, run the below command to delete the inserted rule
    # podman exec firewalld iptables -D INPUT -p tcp -m tcp --dport 8080 -j REJECT

Note:
Earlier I had tried to verify the firewalld by adding a drop rule via nftables; the changes were reflected in the nft table, but the connection was successful even after the addition of the drop rule on port 8080. I will verify further and update here.
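The verification from steps 4 to 7 as one script, added as an example and not code from the ticket. It assumes the container was started with runlabel and is therefore named firewalld, as in the comment; FW_NAME and the function names are my own. It also checks the rule with iptables -C before re-testing, which is exactly the case from the note: a rule that is present in the table but does not block the connection is reported as a failure.

```shell
#!/bin/sh
# Added example, not code from the ticket: automates the reachability check
# from comment #5. Assumes the container is named "firewalld" (runlabel
# start, as in the comment); FW_NAME and the function names are my own.
set -eu
FW_NAME="${FW_NAME:-firewalld}"

# iptables runs inside the container, which shares the host's network namespace.
ipt() { podman exec "$FW_NAME" iptables "$@"; }

# Step 3: a listener to test against; prints the PID for later kill.
start_listener() { python3 -m http.server "$1" >/dev/null 2>&1 & echo $!; }

# Steps 4 and 6: a GET with a short timeout; non-zero means refused/dropped.
port_reachable() { # usage: port_reachable 8080
  curl -s -o /dev/null --connect-timeout 2 "http://localhost:$1"
}

# The rule from the comment as one spec so -I, -C and -D are always identical.
rule_spec() { printf '%s' "INPUT -p tcp -m tcp --dport $1 -j REJECT"; }

block_port()   { ipt -I $(rule_spec "$1"); }                 # step 5
unblock_port() { ipt -D $(rule_spec "$1"); }                 # step 7
rule_present() { ipt -C $(rule_spec "$1") 2>/dev/null; }     # exact check, not -L eyeballing

# Steps 4 -> 5 -> 6 -> 7 with an explicit PASS/FAIL. A rule that exists but
# has no effect (the nft DROP case from the note) fails at the second check.
verify_firewall() { # usage: verify_firewall 8080
  port=$1
  port_reachable "$port" || { echo "FAIL: port $port not reachable before rule" >&2; return 1; }
  block_port "$port"
  rule_present "$port" || { echo "FAIL: REJECT rule not installed" >&2; return 1; }
  if port_reachable "$port"; then
    echo "FAIL: port $port still reachable with REJECT rule present" >&2
    unblock_port "$port"
    return 1
  fi
  unblock_port "$port"   # clean-up, then confirm the cleanup took effect
  port_reachable "$port" || { echo "FAIL: port $port not reachable after cleanup" >&2; return 1; }
  echo "PASS: REJECT rule on port $port takes effect"
}
```

Typical use: pid=$(start_listener 8080); verify_firewall 8080; kill "$pid".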

Actions #7

Updated by szarate over 1 year ago

  • Related to action #124209: [qe-core] Testing of PED-2828: ISC Kea DHCP server added
Actions #8

Updated by szarate over 1 year ago

Actions #9

Updated by dvenkatachala over 1 year ago

  • Status changed from In Progress to Resolved

I will close this ticket. We can create a new ticket if someone is taking up the automation.

Actions #10

Updated by szarate over 1 year ago

Please create the ticket :)

Actions #11

Updated by dvenkatachala over 1 year ago

  • Related to action #131189: [qe-core] Introduce firewalld container test in ALP added