On Tue, Apr 25, 2017 at 5:42 AM, Ben Breard <bbre...@redhat.com> wrote:
> I'm starting to warm up to the idea of adding firewalld in Atomic Host. If we do this, it would be a requirement to clean up the absurd default zones & policies and have something relevant for AH out of the box.

+1 for AH, and to play nice with OCP/Kube by default - if used in that use-case.

- fabian

> On Mon, Apr 24, 2017 at 9:13 PM, Jason DeTiberus <jdeti...@redhat.com> wrote:
>>
>> On Sun, Apr 23, 2017 at 11:33 PM, Dusty Mabe <du...@dustymabe.com> wrote:
>>>
>>> On 04/21/2017 01:42 PM, Jason DeTiberus wrote:
>>> >
>>> > While I can see firewalld improving the situation wrt documenting how to add/persist firewall changes for Atomic Host (especially when using moby/docker), I think there is a bigger concern with firewalld being absent.
>>> > If a user is running multiple applications that modify the host firewall (docker, Kubernetes, OpenShift, etc), firewalld provides a way to make firewall modifications in a consistent and repeatable manner, where iptables does not. There is the --wait flag for iptables, however any applications/users that are interacting with iptables will need to ensure they use it consistently.
>>> >
>>>
>>> So you are saying firewalld makes your life easier if it was available?
>>
>> Correct. The iptables-based management that is done in openshift-ansible has always been a hack that was only meant to be a stopgap until firewalld was fully supported up and down the entire stack. There are way too many edge cases that could cause issues with the create/save/restore process. We tried to limit those by using a dedicated chain for openshift-ansible rules, but having another process modify rules without using '-w' or other modifications to the firewall could inadvertently be persisted with the iptables-save.
>>
>> As mentioned in another reply on the thread, layered packages would allow for firewalld to be used today, but the restart requirement adds another level of complexity that adds the potential for non-determinism to the OpenShift install process. Having both iptables and firewalld available in the base would allow for parity between AH-based and non-AH-based installs.
>>
>> --
>> Jason DeTiberus
>
> --
> Ben Breard
> Sr Technology Product Manager - Linux Containers
> Mobile: 972-816-9081
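The accidental-persistence problem Jason describes (a blanket iptables-save capturing rules that docker or an operator added outside the installer's dedicated chain) can be checked before anything is written to disk. The following is an added example, not code from openshift-ansible or from anyone in this thread: it parses iptables-save output, lists every filter-table rule that is neither inside the managed chain nor the hook that jumps into it, and emits a restore fragment containing only the managed rules. The chain name MYPROJECT_ALLOW and the dump text are constructed for the example and are not taken from the thread.

```python
"""Audit an iptables-save dump for rules that would be persisted but do not
belong to the dedicated chain an installer manages.

Added example; MYPROJECT_ALLOW and SAMPLE_DUMP are constructed placeholders,
not values from openshift-ansible or the mailing-list thread.
"""
import re
from dataclasses import dataclass, field

# Hypothetical name for the installer's dedicated chain (assumption).
MANAGED_CHAIN = "MYPROJECT_ALLOW"

# Constructed iptables-save output: an installer-managed chain, a docker
# rule, and an ad-hoc rule someone added by hand on the host.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MYPROJECT_ALLOW - [0:0]
:DOCKER - [0:0]
-A INPUT -j MYPROJECT_ALLOW
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A MYPROJECT_ALLOW -p tcp -m tcp --dport 8443 -j ACCEPT
-A MYPROJECT_ALLOW -p tcp -m tcp --dport 10250 -j ACCEPT
COMMIT
# Completed (constructed sample)
"""

CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[\d+:\d+\]$")  # :NAME POLICY [pkts:bytes]
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")              # -A CHAIN <rule spec>


@dataclass
class Table:
    name: str
    chains: dict = field(default_factory=dict)  # chain -> policy ("-" for user chains)
    rules: list = field(default_factory=list)   # (chain, rule_spec) in dump order


def parse_iptables_save(text):
    """Parse iptables-save text into {table_name: Table}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # "*filter" opens a table block
            current = Table(line[1:])
            tables[current.name] = current
            continue
        if line == "COMMIT":                # closes the table block
            current = None
            continue
        if current is None:
            raise ValueError(f"line outside a table block: {line}")
        m = CHAIN_RE.match(line)
        if m:
            current.chains[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            current.rules.append((m.group(1), m.group(2)))
            continue
        raise ValueError(f"unrecognised iptables-save line: {line}")
    return tables


def _jumps_to(rule_spec, chain):
    return re.search(rf"(^|\s)-j\s+{re.escape(chain)}(\s|$)", rule_spec) is not None


def foreign_rules(tables, managed_chain=MANAGED_CHAIN, table="filter"):
    """Rules a blanket iptables-save would persist that the installer did not
    create: everything outside the managed chain except the hook into it."""
    t = tables.get(table)
    if t is None:
        return []
    return [f"-A {chain} {spec}" for chain, spec in t.rules
            if chain != managed_chain and not _jumps_to(spec, managed_chain)]


def managed_only_dump(tables, managed_chain=MANAGED_CHAIN, table="filter"):
    """Restore fragment holding only the managed chain and the hooks into it,
    so only the installer's own rules are persisted."""
    t = tables[table]
    lines = [f"*{table}", f":{managed_chain} - [0:0]"]
    lines += [f"-A {chain} {spec}" for chain, spec in t.rules
              if chain == managed_chain or _jumps_to(spec, managed_chain)]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_iptables_save(SAMPLE_DUMP)
    for rule in foreign_rules(parsed):
        print("would be persisted but is not ours:", rule)
    print(managed_only_dump(parsed), end="")
```

On a real host the input would come from running iptables-save (with -w on any iptables invocations, as the thread notes, so concurrent writers do not collide); the fragment from managed_only_dump is the kind of thing one would feed to iptables-restore rather than saving the whole ruleset, which is the dedicated-chain idea Jason mentions.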