-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handling firewalld reload #230
Comments
I know this is something we discussed when putting netavark together. It is on our list of things to look at for certain. @mheon PTAL |
Also, it is interesting why |
@mskarbek Please see containers/podman#5431 |
@Luap99 that is why I pointed at d-bus signal. |
Listener is definitely the answer, but the question then becomes: where do we put it? We can't put it in Netavark; Netavark exits immediately after the network is configured. We can't put it in Aardvark; Aardvark spins down when no containers are using it, and some networks (notably the default one!) don't use it. Conmon seems like it could be logical, but we'd only want one Conmon process to fire the reload command, and we have 1 conmon per container. Conmon's Rust rewrite offers a potential opportunity to add enough intelligence that this could be viable? We could also write a super-minimal binary with an associated systemd service that would always be running and listening. |
@mheon Well we could also call |
This is because @mheon was using their new dbus interface and it was/is not complete yet, so we had to follow what was done in the past with CNI -- to use both. The intent is to back out the iptables stuff for firewalld as soon as the dbus code is complete ... AND ...into distributions. |
Yeah - firewalld is disabled until the v1.1.0 upstream release, due to a few missing features that have been added, but have not yet made it into a release. Once that happens we can reenable the firewalld backend conditional on firewalld v1.1.0 or higher being available. |
@Luap99 Thinking about that more - downside is that we get 1 |
Any update on this? |
We can discuss this further at the F2F - basically, we need to locate a dbus listener somewhere in our code, but Netavark doesn't have a daemon to host one, so we either put it in Aardvark, or potentially Conmon-rs. |
Using: Is netavark currently supposed to work with firewalld ? I see this comment in the code while firewalld 1.2.1 is out. |
@SecT0uch Please create a new issue or discussion, this is not related to the issue. |
This was fixed in #840, in netavark v1.9. See https://blog.podman.io/2023/11/new-netavark-firewalld-reload-service/ for info on how to use it. |
Now we only need quickly propagate 1.9 to the RHEL. ;) |
I would assume it will be part of 9.4/8.10 in ~6 months. |
Any ideas whether it can support |
What exactly do you mean? Using the nftables firewall driver in netavark? In this case yes. If you mean when you flush your nftables ruleset then no the service is only setup to listen on the firewalld event. |
I was referring to the flush issue yes. Thanks, will look into that. |
Create a container with
--publish=80:80
. You will get a set of chains/rules innft
ip nat
andip filter
tables which are, obviously, separate from firewalld tables. Issuefirewall-cmd --reload
and you have lost all communication with that container. Stopping container results with:Is there a way to track
nft
chains and fix them during container lifetime that can be incorporated intonetavark
?Versions:
Used repo: COPR rhcontainerbot/podman4
The text was updated successfully, but these errors were encountered: