action #117616
Status: closed
Parent task: action #115187: [qe-core] Prepare for ALP - Schedule Firewalld tests for ALP
[qe-core] How to start the firewalld container
Description
Santiago and I did a manual test to start the firewalld container in an ALP. Below are the steps followed:
Disable the host's firewalld:
# systemctl stop firewalld.service
Identify the firewalld workload image:
# podman search firewalld
registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/firewalld
Start the firewalld container:
# podman run -d --network host --privileged --name my-firewalld registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/firewalld
This will pull (download) the image from registry.opensuse.org if the image is not already in the local cache. The --network host means the container will run in the default network namespace and thus make firewall changes affecting the entire host.
To make changes to firewalld running inside the container, podman exec must be used:
# podman exec my-firewalld firewall-cmd
State: running
No options specified
usage: 'firewall-cmd --help' for usage information or see firewall-cmd(1) man page
Add the port 9090 to enable the cockpit web server on ALP:
# podman exec my-firewalld firewall-cmd --add-port=9090/tcp
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'docker' (see --get-active-zones)
You most likely need to use --zone=docker option.
success
Note:
Shell alias for convenience
The above is a long command. It can be made more convenient with a shell alias.
# alias my-firewall-cmd='podman exec my-firewalld firewall-cmd'
Updated by dvenkatachala about 2 years ago
- Project changed from 46 to openQA Tests (public)
Updated by szarate about 2 years ago
- Sprint set to QE-Core: October Sprint (Sep 28 - Oct 26)
- Tags set to qe-core-october-sprint
- Subject changed from [qe-core] How to start the firewalld container to [qe-core] How to start the firewalld container
- Category set to New test
- Status changed from New to In Progress
- Assignee set to dvenkatachala
- Target version set to QE-Core: Ready
- Parent task changed from #110092 to #115187
Dee is working atm on enabling this on ALP
Updated by dvenkatachala about 2 years ago
Followed the below steps to run and verify the Firewalld Container Image:
To run the firewall container with the label RUN:
# podman container runlabel run registry.opensuse.org/home/kukuk/container/firewalld
Reference: https://github.com/thkukuk/firewalld-container#manage-firewalld-instance
The firewalld instance should be managed with the CLI via podman exec after the container has been started:
# podman exec firewalld firewall-cmd
State: running
No options specified
usage: 'firewall-cmd --help' for usage information or see firewall-cmd(1) man page
Start the python HTTP server on the port 8080 in background:
# python3 -m http.server 8080 &
Send a GET request from the host machine:
# curl http://localhost:8080 - Should be successful
Run the iptables command to reject traffic on port 8080:
# podman exec firewalld iptables -I INPUT -p tcp -m tcp --dport 8080 -j REJECT
Verify the added rules with the command:
# podman exec firewalld iptables -L
Send a GET request from the host machine:
# curl http://localhost:8080 - Connection must be refused.
As a clean-up, run the below command to delete the inserted rule:
# podman exec firewalld iptables -D INPUT -p tcp -m tcp --dport 8080 -j REJECT
Note:
Earlier I had tried to verify the firewalld by adding a drop rule via nftables; the changes were reflected in the nft table, but the connection was successful even after addition of the drop rule on port 8080. I will verify further and update here.
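A scripted version of the verification in the comment above, as an added example that is not from the ticket or the firewalld-container project. It assumes podman, curl and python3 on the host and the container name "firewalld" from the runlabel step; it lists rules with iptables -L INPUT -n so the port is printed numerically rather than as a service name, and the listing and curl checks are separate functions so they can be exercised on captured output.

```shell
#!/bin/sh
# Added example (not from the ticket or the firewalld-container project):
# scripts the ticket's REJECT-rule verification. Assumes podman, curl and
# python3 on the host; container name and port are the ticket's values.
CONTAINER="${CONTAINER:-firewalld}"
PORT="${PORT:-8080}"

# Run a command inside the firewalld container, as the ticket does.
in_fw() { podman exec "$CONTAINER" "$@"; }

# Return 0 when an "iptables -L INPUT -n" listing on stdin contains a
# REJECT rule for tcp dpt:<port>. -n keeps 8080 from printing as "http-alt".
listing_has_reject() {
    grep -Eq "^REJECT[[:space:]]+(tcp|6)[[:space:]].*dpt:$1([[:space:]]|$)"
}

# Map a curl exit status to the state the ticket looks for.
curl_state() {
    case "$1" in
        0) echo open ;;        # GET succeeded: port reachable
        7) echo refused ;;     # "Failed to connect": the REJECT answered
        *) echo "other($1)" ;;
    esac
}

# Fetch from the local port and report its state; a failure is expected here.
probe_port() {
    rc=0
    curl -s -o /dev/null --max-time 3 "http://localhost:$1" || rc=$?
    curl_state "$rc"
}

# Full check: rule inserted -> connection refused; rule removed -> open again.
verify_reject_rule() {
    python3 -m http.server "$PORT" >/dev/null 2>&1 &
    srv=$!
    sleep 1
    before=$(probe_port "$PORT")
    in_fw iptables -I INPUT -p tcp -m tcp --dport "$PORT" -j REJECT
    in_fw iptables -L INPUT -n | listing_has_reject "$PORT" ||
        { echo "rule not listed"; kill "$srv"; return 1; }
    during=$(probe_port "$PORT")
    in_fw iptables -D INPUT -p tcp -m tcp --dport "$PORT" -j REJECT   # clean-up
    after=$(probe_port "$PORT")
    kill "$srv"
    echo "before=$before during=$during after=$after"
    [ "$before" = open ] && [ "$during" = refused ] && [ "$after" = open ]
}

# The live check only runs when invoked as: sh verify.sh run
if [ "${1:-}" = run ]; then verify_reject_rule; fi
```

Run as root on the ALP host after the runlabel step; a non-zero exit means one of the three states did not match the ticket's expectation.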
Updated by szarate almost 2 years ago
Updated by szarate over 1 year ago
- Related to action #124209: [qe-core] Testing of PED-2828: ISC Kea DHCP server added
Updated by szarate over 1 year ago
- Related to coordination #125846: [epic] March Prototype testing added
Updated by dvenkatachala over 1 year ago
- Status changed from In Progress to Resolved
I will close this ticket. We can create a new ticket if someone is taking up the automation.
Updated by dvenkatachala over 1 year ago
- Related to action #131189: [qe-core] Introduce firewalld container test in ALP added