I'm starting to warm up to the idea of adding firewalld in Atomic Host. If we do this, it would be a requirement to clean up the absurd default zones & policies and have something relevant for AH out of the box.
On Mon, Apr 24, 2017 at 9:13 PM, Jason DeTiberus <jdeti...@redhat.com> wrote:
>
> On Sun, Apr 23, 2017 at 11:33 PM, Dusty Mabe <du...@dustymabe.com> wrote:
>>
>> On 04/21/2017 01:42 PM, Jason DeTiberus wrote:
>>>
>>> While I can see firewalld improving the situation wrt documenting how
>>> to add/persist firewall changes for Atomic Host (especially when using
>>> moby/docker), I think there is a bigger concern with firewalld being
>>> absent. If a user is running multiple applications that modify the host
>>> firewall (docker, Kubernetes, OpenShift, etc), firewalld provides a way to
>>> make firewall modifications in a consistent and repeatable manner, where
>>> iptables does not. There is the --wait flag for iptables, however any
>>> applications/users that are interacting with iptables will need to ensure
>>> they use it consistently.
>>
>> So you are saying firewalld makes your life easier if it was
>> available?
>
> Correct. The iptables-based management that is done in openshift-ansible
> has always been a hack that was only meant to be a stopgap until firewalld
> was fully supported up and down the entire stack. There are way too many
> edge cases that could cause issues with the create/save/restore process. We
> tried to limit those by using a dedicated chain for openshift-ansible
> rules, but having another process modify rules without using '-w' or other
> modifications to the firewall could inadvertently be persisted with the
> iptables-save.
>
> As mentioned in another reply on the thread, layered packages would allow
> for firewalld to be used today, but the restart requirement adds another
> level of complexity that adds the potential for non-determinism to the
> OpenShift install process. Having both iptables and firewalld available in
> the base would allow for parity between AH-based and non-AH-based installs.
>
> --
> Jason DeTiberus

--
Ben Breard
Sr Technology Product Manager - Linux Containers
Mobile: 972-816-9081
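The hazard Jason describes (a raw iptables-save persisting whatever docker or another process has added at runtime alongside the rules the installer owns) is easy to see on a concrete dump. The script below is an added example, not code from openshift-ansible or from anyone on this thread: it filters iptables-save output down to one dedicated chain so only the owned rules are persisted, and separately lists the foreign rules a naive save would have captured. The chain name OS_FIREWALL_ALLOW, the ports and the docker rules in the sample dump are all assumptions constructed for the example.

```shell
#!/bin/sh
# Constructed iptables-save output (not captured from a real host): a dedicated
# installer chain, assumed here to be named OS_FIREWALL_ALLOW, next to rules
# that docker added on its own at runtime.
SAMPLE_SAVE='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:OS_FIREWALL_ALLOW - [0:0]
-A INPUT -j OS_FIREWALL_ALLOW
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 -p tcp --dport 80 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m tcp --dport 8443 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m tcp --dport 10250 -j ACCEPT
COMMIT'

# own_rules CHAIN: read iptables-save output on stdin and emit a fragment that
# keeps only the filter table's CHAIN definition, the built-in chain's jump
# into it, and CHAIN's own rules. Everything another tool added is dropped,
# so the fragment can be replayed later with iptables-restore --noflush
# without also replaying foreign runtime state.
own_rules() {
    chain="$1"
    awk -v chain="$chain" '
        /^\*/ { table = substr($0, 2); if (table == "filter") print; next }
        table != "filter" { next }
        $0 == ":" chain " - [0:0]"       { print; next }
        $0 ~ "^-A [A-Z]+ -j " chain "$"  { print; next }
        $0 ~ "^-A " chain " "            { print; next }
        /^COMMIT$/ { print; next }
    '
}

# foreign_rules CHAIN: the filter-table rules a plain iptables-save would have
# persisted that do not belong to CHAIN, i.e. what leaks into the saved file
# when another process (docker here) edits the firewall behind your back.
foreign_rules() {
    chain="$1"
    awk -v chain="$chain" '
        /^\*/ { table = substr($0, 2); next }
        table != "filter" { next }
        $0 !~ /^-A / { next }
        $0 ~ "^-A [A-Z]+ -j " chain "$" { next }
        $0 ~ "^-A " chain " "           { next }
        { print }
    '
}

# Stand-alone usage: show what would be persisted versus what gets dropped.
echo "### owned fragment"
printf '%s\n' "$SAMPLE_SAVE" | own_rules OS_FIREWALL_ALLOW
echo "### foreign rules that a raw iptables-save would also have kept"
printf '%s\n' "$SAMPLE_SAVE" | foreign_rules OS_FIREWALL_ALLOW
```

This only addresses the persistence half of the problem. The locking half still needs every caller to pass `-w` (or `--wait`) to iptables, which is exactly the consistency requirement Jason points out no single tool can enforce on the others; firewalld sidesteps it by owning the ruleset itself.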