Add firewalld configuration back, required for podman networking

Azure · Aug 9, 2024 · 36529ee · 36529ee
1 parent 6f8be54
commit 36529ee
Show file tree

Hide file tree

Showing 7 changed files with 92 additions and 26 deletions.
diff --git a/pkg/deploy/assets/gateway-production.json b/pkg/deploy/assets/gateway-production.json
diff --git a/pkg/deploy/assets/rp-production.json b/pkg/deploy/assets/rp-production.json
diff --git a/pkg/deploy/generator/scripts/gatewayVMSS.sh b/pkg/deploy/generator/scripts/gatewayVMSS.sh
@@ -4,10 +4,6 @@ set -o errexit \
     -o pipefail \
     -o nounset
 
-if [ "${DEBUG:-false}" == true ]; then
-    set -x
-fi
-
 main() {
     # transaction attempt retry time in seconds
     # shellcheck disable=SC2034
@@ -43,6 +39,8 @@ main() {
         openssl-perl
         # hack - we are installing python3 on hosts due to an issue with Azure Linux Extensions https://github.com/Azure/azure-linux-extensions/pull/1505
         python3
+        # required for podman networking
+        firewalld
     )
 
     dnf_install_pkgs install_pkgs \
@@ -77,6 +75,19 @@ main() {
     )
     create_podman_networks networks
 
+    # shellcheck disable=SC2034
+    local -ra enable_ports=(
+        # RP gateway
+        "80/tcp"
+        "8081/tcp"
+        "443/tcp"
+        # JIT ssh
+        "22/tcp"
+    )
+
+    firewalld_configure enable_ports
+
+
     # shellcheck disable=SC2034
     local -r fluentbit_conf_file="[INPUT]
 Name systemd
@@ -130,6 +141,7 @@ RPIMAGE='$rpimage'"
         "fluentbit"
         "download-mdsd-credentials.timer"
         "download-mdm-credentials.timer"
+        "firewalld"
     )
 
     enable_services gateway_services

diff --git a/pkg/deploy/generator/scripts/rpVMSS.sh b/pkg/deploy/generator/scripts/rpVMSS.sh
@@ -4,10 +4,6 @@ set -o errexit \
     -o pipefail \
     -o nounset
 
-if [ "${DEBUG:-false}" == true ]; then
-    set -x
-fi
-
 main() {
     # transaction attempt retry time in seconds
     # shellcheck disable=SC2034
@@ -42,6 +38,8 @@ main() {
         openssl-perl
         # hack - we are installing python3 on hosts due to an issue with Azure Linux Extensions https://github.com/Azure/azure-linux-extensions/pull/1505
         python3
+        # required for podman networking
+        firewalld
     )
 
     dnf_install_pkgs install_pkgs \
@@ -74,6 +72,20 @@ main() {
     )
     create_podman_networks networks
 
+    # shellcheck disable=SC2034
+    local -ra enable_ports=(
+        # RP frontend
+        "443/tcp"
+        # Portal web
+        "444/tcp"
+        # Portal ssh
+        "2222/tcp"
+        # JIT ssh
+        "22/tcp"
+    )
+
+    firewalld_configure enable_ports
+
     # LOGKIND appears to no longer be a variable that is carried over by the deploy pipeline
     # Substituting it with an empty string
     # shellcheck disable=SC2034
@@ -168,6 +180,7 @@ OIDC_STORAGE_ACCOUNT_NAME='$OIDCSTORAGEACCOUNTNAME'
         "fluentbit"
         "download-mdsd-credentials.timer"
         "download-mdm-credentials.timer"
+        "firewalld"
     )
 
     enable_services aro_services

diff --git a/pkg/deploy/generator/scripts/util-services.sh b/pkg/deploy/generator/scripts/util-services.sh
@@ -48,8 +48,8 @@ Wants=network-online.target
 
 [Service]
 EnvironmentFile=${aro_gateway_conf_filename}
-ExecStartPre=-/usr/bin/docker rm -f %N
-ExecStart=/usr/bin/docker run \
+ExecStartPre=-/usr/bin/podman rm -f %N
+ExecStart=/usr/bin/podman run \
   --hostname %H \
   --name %N \
   --rm \
@@ -69,7 +69,7 @@ ExecStart=/usr/bin/docker run \
   -v /var/etw:/var/etw:z \
   $image \
   ${role,,}
-ExecStop=/usr/bin/docker stop -t 3600 %N
+ExecStop=/usr/bin/podman stop -t 3600 %N
 TimeoutStopSec=3600
 Restart=always
 RestartSec=1
@@ -109,8 +109,8 @@ Wants=network-online.target
 
 [Service]
 EnvironmentFile=${aro_rp_conf_filename}
-ExecStartPre=-/usr/bin/docker rm -f %N
-ExecStart=/usr/bin/docker run \
+ExecStartPre=-/usr/bin/podman rm -f %N
+ExecStart=/usr/bin/podman run \
   --hostname %H \
   --name %N \
   --rm \
@@ -147,7 +147,7 @@ ExecStart=/usr/bin/docker run \
   -v /var/etw:/var/etw:z \
   $image \
   ${role,,}
-ExecStop=/usr/bin/docker stop -t 3600 %N
+ExecStop=/usr/bin/podman stop -t 3600 %N
 TimeoutStopSec=3600
 Restart=always
 RestartSec=1
@@ -201,8 +201,8 @@ Wants=network-online.target
 
 [Service]
 EnvironmentFile=/etc/sysconfig/aro-monitor
-ExecStartPre=-/usr/bin/docker rm -f %N
-ExecStart=/usr/bin/docker run \
+ExecStartPre=-/usr/bin/podman rm -f %N
+ExecStart=/usr/bin/podman run \
   --hostname %H \
   --name %N \
   --rm \
@@ -272,8 +272,8 @@ StartLimitInterval=0
 
 [Service]
 EnvironmentFile=/etc/sysconfig/aro-portal
-ExecStartPre=-/usr/bin/docker rm -f %N
-ExecStart=/usr/bin/docker run \
+ExecStartPre=-/usr/bin/podman rm -f %N
+ExecStart=/usr/bin/podman run \
   --hostname %H \
   --name %N \
   --rm \
@@ -389,8 +389,8 @@ StartLimitIntervalSec=0
 [Service]
 RestartSec=1s
 EnvironmentFile=/etc/sysconfig/fluentbit
-ExecStartPre=-/usr/bin/docker rm -f %N
-ExecStart=/usr/bin/docker run \
+ExecStartPre=-/usr/bin/podman rm -f %N
+ExecStart=/usr/bin/podman run \
   --security-opt label=disable \
   --entrypoint /opt/td-agent-bit/bin/td-agent-bit \
   --net=host \
@@ -406,7 +406,7 @@ ExecStart=/usr/bin/docker run \
   $image \
   -c /etc/fluentbit/fluentbit.conf
 
-ExecStop=/usr/bin/docker stop %N
+ExecStop=/usr/bin/podman stop %N
 Restart=always
 RestartSec=5
 StartLimitInterval=0
@@ -608,8 +608,8 @@ Wants=network-online.target
 
 [Service]
 EnvironmentFile=/etc/sysconfig/mdm
-ExecStartPre=-/usr/bin/docker rm -f %N
-ExecStart=/usr/bin/docker run \
+ExecStartPre=-/usr/bin/podman rm -f %N
+ExecStart=/usr/bin/podman run \
   --entrypoint /usr/sbin/MetricsExtension \
   --hostname %H \
   --name %N \
@@ -628,7 +628,7 @@ ExecStart=/usr/bin/docker run \
   -SourceEnvironment $LOCATION \
   -SourceRole $role \
   -SourceRoleInstance $HOSTNAME
-ExecStop=/usr/bin/docker stop %N
+ExecStop=/usr/bin/podman stop %N
 Restart=always
 RestartSec=1
 StartLimitInterval=0

diff --git a/pkg/deploy/generator/scripts/util-system.sh b/pkg/deploy/generator/scripts/util-system.sh
@@ -261,3 +261,40 @@ create_podman_networks() {
             "$n"
     done
 }
+
+# firewalld_configure_backend
+firewalld_configure_backend() {
+    log "starting"
+
+    log "Changing firewalld backend to iptables"
+    conf_file="/etc/firewalld/firewalld.conf"
+    sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/g' "$conf_file"
+}
+
+# firewalld_configure
+# args:
+# 1) ports - nameref, string array; ports to be enabled.
+#       Ports must be postfixed with /tcp or /udp
+firewalld_configure() {
+    local -n ports="$1"
+    log "starting"
+
+    firewalld_configure_backend
+
+    # shellcheck disable=SC2034
+    local -ra service=(
+        "firewalld"
+    )
+    enable_services service
+
+    log "Enabling ports ${ports[*]} on default firewalld zone"
+    # shellcheck disable=SC2068
+    for port in ${ports[@]}; do
+        log "Enabling port $port now"
+        firewall-cmd "--add-port=$port" \
+                     --permanent
+    done
+
+    log "Writing runtime config to permanent config"
+    firewall-cmd --runtime-to-permanent
+}
diff --git a/pkg/deploy/generator/scripts/util.sh b/pkg/deploy/generator/scripts/util.sh
@@ -4,6 +4,10 @@
 # e. g. scp copying the script to a test VM
 # During normal deployment operations, the other util-*.sh files are prefixed to the VMSS scripts
 
+if [ "${DEBUG:-false}" == true ]; then
+    set -x
+fi
+
 util_common="util-common.sh"
 if [ -f "$util_common" ]; then
     # shellcheck source=util-common.sh