From fa60cec42a9596e925abe0cc0d821a4360142ef7 Mon Sep 17 00:00:00 2001
From: danishprakash
Date: Wed, 4 Oct 2023 14:29:53 +0530
Subject: [PATCH 1/2] contrib: add firewall reload services
Signed-off-by: danishprakash
---
 Makefile | 8 +++-
 .../system/podman-firewalld-reload.service.in | 11 ++++++
 .../podman-firewalld-restart.service.in | 12 ++++++
 test/system/250-systemd.bats | 37 +++++++++++++++++++
 test/system/helpers.systemd.bash | 16 ++++++++
 5 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 contrib/systemd/system/podman-firewalld-reload.service.in
 create mode 100644 contrib/systemd/system/podman-firewalld-restart.service.in
diff --git a/Makefile b/Makefile
index 6ed73991c7e4..d1091e64b40c 100644
--- a/Makefile
+++ b/Makefile
@@ -887,7 +887,9 @@ PODMAN_UNIT_FILES = contrib/systemd/auto-update/podman-auto-update.service \
 contrib/systemd/system/podman.service \
 contrib/systemd/system/podman-restart.service \
 contrib/systemd/system/podman-kube@.service \
- contrib/systemd/system/podman-clean-transient.service
+ contrib/systemd/system/podman-clean-transient.service \
+ contrib/systemd/system/podman-firewalld-reload.service.in \
+ contrib/systemd/system/podman-firewalld-restart.service.in
 
 %.service: %.service.in
 sed -e 's;@@PODMAN@@;$(BINDIR)/podman;g' $< >$@.tmp.$$ \
@@ -902,6 +904,8 @@ install.systemd: $(PODMAN_UNIT_FILES)
 install ${SELINUXOPT} -m 644 contrib/systemd/system/podman.service ${DESTDIR}${USERSYSTEMDDIR}/podman.service
 install ${SELINUXOPT} -m 644 contrib/systemd/system/podman-restart.service ${DESTDIR}${USERSYSTEMDDIR}/podman-restart.service
 install ${SELINUXOPT} -m 644 contrib/systemd/system/podman-kube@.service ${DESTDIR}${USERSYSTEMDDIR}/podman-kube@.service
+ install ${SELINUXOPT} -m 644 contrib/systemd/system/podman-firewalld-reload.service ${DESTDIR}${USERSYSTEMDDIR}/podman-firewalld-reload.service
+ install ${SELINUXOPT} -m 644 contrib/systemd/system/podman-firewalld-restart.service ${DESTDIR}${USERSYSTEMDDIR}/podman-firewalld-restart.service
 # System services
 install ${SELINUXOPT} -m 644 contrib/systemd/auto-update/podman-auto-update.service ${DESTDIR}${SYSTEMDDIR}/podman-auto-update.service
 install ${SELINUXOPT} -m 644 contrib/systemd/auto-update/podman-auto-update.timer ${DESTDIR}${SYSTEMDDIR}/podman-auto-update.timer
@@ -910,6 +914,8 @@ install.systemd: $(PODMAN_UNIT_FILES)
 install ${SELINUXOPT} -m 644 contrib/systemd/system/podman-restart.service ${DESTDIR}${SYSTEMDDIR}/podman-restart.service
 install ${SELINUXOPT} -m 644 contrib/systemd/system/podman-kube@.service ${DESTDIR}${SYSTEMDDIR}/podman-kube@.service
 install ${SELINUXOPT} -m 644 contrib/systemd/system/podman-clean-transient.service ${DESTDIR}${SYSTEMDDIR}/podman-clean-transient.service
+ install ${SELINUXOPT} -m 644 contrib/systemd/system/podman-firewalld-reload.service ${DESTDIR}${SYSTEMDDIR}/podman-firewalld-reload.service
+ install ${SELINUXOPT} -m 644 contrib/systemd/system/podman-firewalld-restart.service ${DESTDIR}${SYSTEMDDIR}/podman-firewalld-restart.service
 rm -f $(PODMAN_UNIT_FILES)
 else
 install.systemd:
diff --git a/contrib/systemd/system/podman-firewalld-reload.service.in b/contrib/systemd/system/podman-firewalld-reload.service.in
new file mode 100644
index 000000000000..771fec2ee1d7
--- /dev/null
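Review bot: The two added user-instance install lines (and the same pair in the second hunk, `@@ -910,6 +914,8`) copy into `${USERSYSTEMDDIR}` units that are written for the system instance: the reload unit's `[Install]` section names `multi-user.target`, which does not exist in a `systemctl --user` instance, and both units watch the system bus (`--system`) and run `podman network reload --all`, which presumably only matters for root-owned firewall rules. If the user-level copies are intended, the units need a user-instance target (`WantedBy=default.target`, as the restart unit already uses) and a short comment here saying why rootless needs them; otherwise keep only the `${SYSTEMDDIR}` installs. The `install.systemd` recipe begins and ends outside these hunks.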
+++ b/contrib/systemd/system/podman-firewalld-reload.service.in
@@ -0,0 +1,11 @@
+[Unit]
+Description=firewalld reload hook - run a hook script on firewalld reload
+Wants=dbus.service
+After=dbus.service
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/bash -c '/usr/bin/busctl monitor --system --match "interface=org.fedoraproject.FirewallD1,member=Reloaded" --match "interface=org.fedoraproject.FirewallD1,member=PropertiesChanged" | while read -r line ; do @@PODMAN@@ network reload --all ; done'
+
+[Install]
+WantedBy=multi-user.target
diff --git a/contrib/systemd/system/podman-firewalld-restart.service.in b/contrib/systemd/system/podman-firewalld-restart.service.in
new file mode 100644
index 000000000000..5525b4de27fc
--- /dev/null
+++ b/contrib/systemd/system/podman-firewalld-restart.service.in
@@ -0,0 +1,12 @@
+[Unit]
+Description=Redo podman NAT rules after firewalld starts or reloads
+Wants=dbus.service
+After=dbus.service
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/bash -c '/usr/bin/dbus-monitor --profile --system "type=signal,sender=org.freedesktop.DBus,path=/org/freedesktop/DBus,interface=org.freedesktop.DBus,member=NameAcquired,arg0=org.fedoraproject.FirewallD1" "type=signal,path=/org/fedoraproject/FirewallD1,interface=org.fedoraproject.FirewallD1,member=Reloaded" | sed -u "/^#/d" | while read -r type timestamp serial sender destination path interface member _junk; do if [[ $type = "#"* ]]; then continue; elif [[ $interface = org.freedesktop.DBus && $member = NameAcquired ]]; then echo "firewalld started"; @@PODMAN@@ network reload --all; elif [[ $interface = org.fedoraproject.FirewallD1 && $member = Reloaded ]]; then echo "firewalld reloaded"; @@PODMAN@@ network reload --all; fi; done'
+Restart=Always
+
+[Install]
+WantedBy=default.target
diff --git a/test/system/250-systemd.bats b/test/system/250-systemd.bats
index 87c3cfe3cfb6..6d3766a36877 100644
--- a/test/system/250-systemd.bats
+++ b/test/system/250-systemd.bats
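Review bot: The `ExecStart` pipeline of the reload unit runs `podman network reload --all` once per line of `busctl monitor` output rather than once per signal: `busctl monitor` prints a multi-line dump for every matched message, and the `while read -r line` loop reloads on each of them. The second `--match` on `member=PropertiesChanged` also fires on any property change of the FirewallD1 interface, not only on a reload, and `Reloaded` is additionally handled by the restart unit added in the next hunk, so a single `firewall-cmd --reload` would trigger several overlapping reloads. Consider keeping one `Reloaded` match and coalescing to one reload per message (a one-line-per-message output mode of `busctl`, if available on the target systemd, or simply merging this hook into the restart unit). The unit also has no `Restart=` line, so a crash of `busctl` silently disables the hook; `Restart=on-failure` would be the minimum.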
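Review bot: `Restart=Always` in the restart unit is not a valid value: systemd's `Restart=` directive takes lowercase specifiers (`no`, `on-failure`, `always`, …), and a value it cannot parse is logged and ignored, leaving the unit at the default `Restart=no` — change the line to `Restart=always`. The `sed -u "/^#/d"` filter and the `if [[ $type = "#"* ]]; then continue` branch do the same job; keep one of them. Embedding this much logic in a `bash -c` string also makes the root-run pipeline hard to review; shipping it as a small installed script (with `@@PODMAN@@` substituted there) and calling that from `ExecStart=` would be clearer.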
@@ -479,4 +479,41 @@ $name stderr" "logs work with passthrough"
 run_podman generate --help
 is "$output" ".*\[DEPRECATED\] Generate systemd units"
 }
+
+@test "podman network reload on firewall-cmd --reload" {
+ setup_firewalld_services
+
+ systemctl daemon-reload
+
+ reload_service="podman-firewalld-reload.service"
+ systemctl start $reload_service
+ systemctl is-active $reload_service
+
+ restart_service="podman-firewalld-restart.service"
+ systemctl start $restart_service
+ systemctl is-active $restart_service
+
+ cname="testctr"
+ run_podman run -d --rm --name $cname fedora:latest sleep 10d
+
+ # reload firewalld
+ firewall-cmd --reload
+
+ # ensure the rules are present
+ fout=$(run firewall-cmd --zone=trusted --list-all | grep "sources")
+ assert "$fout" != " sources: " # non-empty
+
+ # restart firewalld service
+ systemctl restart firewalld.service
+
+ # ensure the rules are still present
+ fout=$(run firewall-cmd --zone=trusted --list-all | grep "sources")
+ assert "$fout" != " sources: " # non-empty
+
+ run_podman kill $cname
+ run_podman rm $cname
+
+ systemctl stop $reload_service
+ systemctl stop $restart_service
+}
 # vim: filetype=sh
diff --git a/test/system/helpers.systemd.bash b/test/system/helpers.systemd.bash
index 91173115e6d6..bdb73742abf3 100644
--- a/test/system/helpers.systemd.bash
+++ b/test/system/helpers.systemd.bash
@@ -63,3 +63,19 @@ quadlet_to_service_name() {
 echo "$filename$suffix.service"
 }
+
+setup_firewalld_services() {
+ unit_names=("podman-firewalld-reload.service" "podman-firewalld-restart.service")
+
+ for unit_name in "${unit_names[@]}"; do
+ unit_file="contrib/systemd/system/${unit_name}"
+
+ if [[ -e $unit_file.in ]]; then
+ echo "# [Building & using $unit_name from source]" >&3
+ # Force regenerating unit file (existing one may have /usr/bin path)
+ rm -f "$unit_file"
+ BINDIR=$(dirname "$PODMAN") make "$unit_file"
+ cp "$unit_file" "$UNIT_DIR/$unit_name"
+ fi
+ done
+}
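Review bot: The two `fout=$(run firewall-cmd ... | grep "sources")` lines assert nothing: bats' `run` captures the command's output into `$output` and prints nothing, so `$fout` is empty and `assert "$fout" != " sources: "` passes even when the trusted zone lists no source at all. Replace each pair with `run firewall-cmd --zone=trusted --list-all` followed by `assert "$output" =~ "sources: .+" "podman subnet listed in trusted zone"` (or the `is` helper used just above, if `assert` does not take `=~`). Separately, the container is started with `--rm`, so `run_podman rm $cname` after `run_podman kill` races with auto-removal and can fail with "no such container" — drop either `--rm` or the `rm`. The test also starts system units and runs `firewall-cmd`, so it needs `skip_if_rootless` and a skip when `firewall-cmd` is not installed, and the two `systemctl stop` calls belong in teardown so the units are not left running when an assertion fails.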
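Review bot: `setup_firewalld_services` leaks `unit_names`, `unit_name` and `unit_file` into the calling test's shell because none of them is declared `local`; open the function with `local -a unit_names=(...)` and `local unit_name unit_file`. The relative `contrib/systemd/system/` path and the bare `make "$unit_file"` presumably require the test to run from the repository root — worth stating, e.g. `# must run from the repo root: builds the .service from its .service.in via the Makefile`. Nothing removes the units copied into `$UNIT_DIR` afterwards; a matching teardown helper (remove the two files, `systemctl daemon-reload`) would keep the host clean between runs.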
From 139092933644660d39f0575136256be3d08cd54e Mon Sep 17 00:00:00 2001
From: Danish Prakash
Date: Wed, 4 Oct 2023 16:35:16 +0530
Subject: [PATCH 2/2] Update Makefile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Dan Čermák <45594031+dcermak@users.noreply.github.com>
Signed-off-by: Danish Prakash
---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index d1091e64b40c..433905980250 100644
--- a/Makefile
+++ b/Makefile
@@ -888,8 +888,8 @@ PODMAN_UNIT_FILES = contrib/systemd/auto-update/podman-auto-update.service \
 contrib/systemd/system/podman-restart.service \
 contrib/systemd/system/podman-kube@.service \
 contrib/systemd/system/podman-clean-transient.service \
- contrib/systemd/system/podman-firewalld-reload.service.in \
- contrib/systemd/system/podman-firewalld-restart.service.in
+ contrib/systemd/system/podman-firewalld-reload.service \
+ contrib/systemd/system/podman-firewalld-restart.service
 
 %.service: %.service.in
 sed -e 's;@@PODMAN@@;$(BINDIR)/podman;g' $< >$@.tmp.$$ \