feat: use upstream netavark-firewalld-reload instead of home grown tool (#116)

Benjamin Sherman
2024-01-17 15:34:55 -06:00
committed by GitHub
parent 1a049499e6
commit 2ca8ada051
3 changed files with 1 additions and 18 deletions


@@ -98,7 +98,7 @@ NOTE: CoreOS [cautions against](https://docs.fedoraproject.org/en-US/fedora-core
Podman and firewalld [can sometimes conflict](https://github.com/ublue-os/ucore/issues/90) such that a `firewall-cmd --reload` removes firewall rules generated by podman.
A service is included to mitigate this by monitoring for firewall reload events on dbus and then reloading podman networks. If needed, enable like so: `systemctl enable --now podman-firewalld-reload.service`
As of [netavark v1.9.0](https://blog.podman.io/2023/11/new-netavark-firewalld-reload-service/) a service is provided to handle re-adding netavark (Podman) firewall rules after a firewalld reload occurs. If needed, enable like so: `systemctl enable netavark-firewalld-reload.service`
### Distrobox


@@ -7,7 +7,6 @@
"cockpit-selinux",
"cockpit-storaged",
"cockpit-system",
"dbus-tools",
"distrobox",
"duperemove",
"firewalld",


@@ -1,16 +0,0 @@
#
# From: https://github.com/containers/podman/issues/5431#issuecomment-1022121559
#
[Unit]
Description=Redo podman NAT rules after firewalld starts or reloads
Wants=dbus.service
After=dbus.service
[Service]
Type=simple
Environment=LC_CTYPE=C.utf8
ExecStart=/bin/bash -c "dbus-monitor --profile --system 'type=signal,sender=org.freedesktop.DBus,path=/org/freedesktop/DBus,interface=org.freedesktop.DBus,member=NameAcquired,arg0=org.fedoraproject.FirewallD1' 'type=signal,path=/org/fedoraproject/FirewallD1,interface=org.fedoraproject.FirewallD1,member=Reloaded' | sed -u '/^#/d' | while read -r type timestamp serial sender destination path interface member _junk; do if [[ $type = '#'* ]]; then continue; elif [[ $interface = org.freedesktop.DBus && $member = NameAcquired ]]; then echo 'firewalld started'; podman network reload --all; elif [[ $interface = org.fedoraproject.FirewallD1 && $member = Reloaded ]]; then echo 'firewalld reloaded'; podman network reload --all; fi; done"
Restart=always
[Install]
WantedBy=multi-user.target