contrib: add firewall reload services #20249
@@ -0,0 +1,11 @@ | ||
[Unit] | ||
Description=firewalld reload hook - run a hook script on firewalld reload | ||
Wants=dbus.service | ||
After=dbus.service | ||
|
||
[Service] | ||
Type=simple | ||
ExecStart=/usr/bin/bash -c '/usr/bin/busctl monitor --system --match "interface=org.fedoraproject.FirewallD1,member=Reloaded" --match "interface=org.fedoraproject.FirewallD1,member=PropertiesChanged" | while read -r line ; do @@PODMAN@@ network reload --all ; done' | ||
|
||
[Install] | ||
WantedBy=multi-user.target |
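Review bot: the two `--match` rules in ExecStart do not constrain the sender, so any connection on the system bus that is allowed to emit a signal with interface=org.fedoraproject.FirewallD1 and member=Reloaded will make this unit run `@@PODMAN@@ network reload --all` as root; add `sender=org.fedoraproject.FirewallD1` to the rule so only the owner of the well-known name can trigger it. Two more problems on the same line: `busctl monitor` prints several lines per message and `read -r line` runs the reload once per line, so one Reloaded signal causes several reloads (emit one line per message, e.g. with `busctl monitor --json=short`, or read past the rest of the message before reloading); and the second rule, interface=org.fedoraproject.FirewallD1,member=PropertiesChanged, will never match, because PropertiesChanged is emitted on the org.freedesktop.DBus.Properties interface (the FirewallD1 interface only appears in arg0). The unit also sets no Restart=, so if busctl ever exits the hook silently stops watching.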
@@ -0,0 +1,12 @@ | ||
[Unit] | ||
Description=Redo podman NAT rules after firewalld starts or reloads | ||
Wants=dbus.service | ||
After=dbus.service | ||
|
||
[Service] | ||
Type=simple | ||
ExecStart=/usr/bin/bash -c '/usr/bin/dbus-monitor --profile --system "type=signal,sender=org.freedesktop.DBus,path=/org/freedesktop/DBus,interface=org.freedesktop.DBus,member=NameAcquired,arg0=org.fedoraproject.FirewallD1" "type=signal,path=/org/fedoraproject/FirewallD1,interface=org.fedoraproject.FirewallD1,member=Reloaded" | sed -u "/^#/d" | while read -r type timestamp serial sender destination path interface member _junk; do if [[ $type = "#"* ]]; then continue; elif [[ $interface = org.freedesktop.DBus && $member = NameAcquired ]]; then echo "firewalld started"; @@PODMAN@@ network reload --all; elif [[ $interface = org.fedoraproject.FirewallD1 && $member = Reloaded ]]; then echo "firewalld reloaded"; @@PODMAN@@ network reload --all; fi; done' | ||
Restart=Always | ||
|
||
[Install] | ||
WantedBy=default.target |
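Review bot: `Restart=Always` is not a value systemd accepts; the setting is case-sensitive and the valid values are lowercase (`always`, `on-failure`, ...), so systemd logs a parse warning and falls back to the default `no`, leaving the watcher dead the first time dbus-monitor exits. In the ExecStart line, the `[[ $type = "#"* ]]` branch is unreachable because `sed -u "/^#/d"` has already dropped comment lines, and the Reloaded rule, unlike the NameAcquired rule, carries no `sender=` key, so any bus client that can emit that signal triggers a root `@@PODMAN@@ network reload --all`; NameOwnerChanged with arg0=org.fedoraproject.FirewallD1 is also the broadcast signal meant for observers, whereas NameAcquired is unicast to firewalld itself. `WantedBy=default.target` differs from the `multi-user.target` used by the sibling unit with no explanation, and since both units run the same command on the same event the PR should say which one is meant to ship, or merge them.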
@@ -479,4 +479,41 @@ $name stderr" "logs work with passthrough" | |
run_podman generate --help | ||
is "$output" ".*\[DEPRECATED\] Generate systemd units" | ||
} | ||
|
||
@test "podman network reload on firewall-cmd --reload" { | ||
setup_firewalld_services | ||
Comment on lines +483 to +484:
This test must be skipped as rootless and when firewalld is not installed or not active. But in general I am not sure we really want to test this in system tests; reloading firewalld could have negative consequences for other applications outside of the tests as well. Given the high number of different environments these tests are run in, I don't think it is a good idea to do it.
||
|
||
systemctl daemon-reload | ||
|
||
reload_service="podman-firewalld-reload.service" | ||
systemctl start $reload_service | ||
systemctl is-active $reload_service | ||
|
||
restart_service="podman-firewalld-restart.service" | ||
systemctl start $restart_service | ||
systemctl is-active $restart_service | ||
|
||
cname="testctr" | ||
run_podman run -d --rm --name $cname fedora:latest sleep 10d | ||
Please don't use
||
|
||
# reload firewalld | ||
firewall-cmd --reload | ||
|
||
# ensure the rules are present | ||
fout=$(run firewall-cmd --zone=trusted --list-all | grep "sources") | ||
assert "$fout" != " sources: " # non-empty | ||
|
||
# restart firewalld service | ||
systemctl restart firewalld.service | ||
This seems unlikely to work rootless...?
||
|
||
# ensure the rules are still present | ||
fout=$(run firewall-cmd --zone=trusted --list-all | grep "sources") | ||
|
||
assert "$fout" != " sources: " # non-empty | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ...therefore this assertion is a NOP.
Comment on lines +500 to +511:
This is just asking for flakes; there is no guarantee that by the time you check, the network reload command has already run.
||
|
||
run_podman kill $cname | ||
run_podman rm $cname | ||
|
||
systemctl stop $reload_service | ||
systemctl stop $restart_service | ||
I'm not seeing a cleanup of the unit files...
||
} | ||
# vim: filetype=sh |
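Review bot: both checks of the form `fout=$(run firewall-cmd --zone=trusted --list-all | grep "sources")` never see the command output: bats' `run` captures stdout into `$output` and prints nothing, so `grep` reads an empty stream, `$fout` is always empty and `assert "$fout" != " sources: "` passes unconditionally. Drop `run` inside the substitution, or use `run firewall-cmd --zone=trusted --list-all` and assert on `$output`. Beyond that, the test calls `systemctl daemon-reload`, `systemctl start`, `firewall-cmd --reload` and `systemctl restart firewalld.service` with no rootless skip and no skip when firewalld is absent or inactive; it inspects the rules immediately after `firewall-cmd --reload` although the watcher units run `podman network reload` asynchronously off the D-Bus signal; and the `systemctl stop` calls sit at the end of the test body rather than in a teardown, so any failed assertion leaves both services running, and nothing removes the unit files installed by `setup_firewalld_services`.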
What is the purpose of the `read -r line`, if `$line` is never used?