action #117616
closedaction #115187: [qe-core] Prepare for ALP - Schedule Firewalld tests for ALP
[qe-core] How to start the firewalld container
Description
Santiago and I did a manual test to start the firewalld container in an ALP. Below are the steps followed:
- Disable the host's firewalld:
    # systemctl stop firewalld.service
- Identify the firewalld workload image:
    # podman search firewalld
    registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/firewalld
- Start the firewalld container:
    # podman run -d --network host --privileged --name my-firewalld registry.opensuse.org/suse/alp/workloads/tumbleweed_containerfiles/suse/alp/workloads/firewalld
  This will pull (download) the image from registry.opensuse.org if the image is not already in the local cache. The --network host option means the container runs in the default network namespace, so firewall changes made inside it affect the entire host.
- To make changes to the firewalld running inside the container, podman exec must be used:
    # podman exec my-firewalld firewall-cmd
    State: running
    No options specified
    usage: 'firewall-cmd --help' for usage information or see firewall-cmd(1) man page
- Add port 9090 to enable the Cockpit web server on ALP:
    # podman exec my-firewalld firewall-cmd --add-port=9090/tcp
    You're performing an operation over default zone ('public'),
    but your connections/interfaces are in zone 'docker' (see --get-active-zones)
    You most likely need to use --zone=docker option.
    success
Note: Shell alias for convenience
The above is a long command. It can be made more convenient with a shell alias:
    # alias my-firewall-cmd='podman exec my-firewalld firewall-cmd'
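
The warning in the last step says the port was added to the default zone ('public') while the active interfaces are in another zone. The sketch below is an added example, not part of the original ticket: it looks up the zone that handles a given interface, adds the port there and verifies it. The function names and the interface name eth0 are assumptions; an interface not listed in any active zone is treated as handled by the default zone.

```shell
#!/bin/sh
# Added example (not from the ticket). "my-firewalld" is the container name
# used in the steps above; all function names here are hypothetical.

# Run firewall-cmd inside the firewalld container.
fw() {
    podman exec my-firewalld firewall-cmd "$@"
}

# Print the zone that handles interface $1.
# --get-active-zones prints each zone name in column 1 followed by indented
# "interfaces:" / "sources:" lines. Only the first word of the zone line is
# used, so a trailing annotation such as "(default)" is ignored.
zone_of_iface() {
    zone=$(fw --get-active-zones | awk -v want="$1" '
        /^[^ \t]/ { zone = $1; next }
        $1 == "interfaces:" {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print zone; exit }
        }')
    # An interface that is not bound to any zone falls to the default zone.
    [ -n "$zone" ] || zone=$(fw --get-default-zone)
    printf '%s\n' "$zone"
}

# Open port $2 (e.g. 9090/tcp) in the zone that handles interface $1,
# confirm the rule is active, and print the zone that was changed.
open_port_for_iface() {
    zone=$(zone_of_iface "$1") || return 1
    [ -n "$zone" ] || return 1
    fw --zone="$zone" --add-port="$2" >/dev/null || return 1
    fw --zone="$zone" --query-port="$2" >/dev/null || return 1
    printf '%s\n' "$zone"
}

# Usage (eth0 is an assumed interface name):
#   open_port_for_iface eth0 9090/tcp
```

--add-port without --permanent changes only the runtime configuration, so the rule is lost when firewalld reloads or the container restarts.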