Open p5 opened 4 months ago
One option using the ansible-firewalld example is to adapt it to a multi-stage build, where the firewall rules are configured and then copied to the destination image.
```dockerfile
# Builder stage: install firewalld and Ansible only here, run the playbook,
# and leave the rendered firewalld configuration under /etc/firewalld.
FROM registry.fedoraproject.org/fedora:40 AS builder
ADD configure-firewall-playbook.yml .
RUN dnf -y install firewalld ansible && \
    ansible-playbook configure-firewall-playbook.yml

# Final stage: layer firewalld onto Fedora CoreOS and copy in only the
# rendered configuration, so Ansible never enters the destination image.
FROM quay.io/fedora/fedora-coreos:stable
RUN rpm-ostree install firewalld
COPY --from=builder /etc/firewalld /etc/firewalld
RUN ostree container commit
```
It's not as elegant as a truly declarative approach, but could work.
If you are interested in using nftables, they have scripting support which would probably be a better way forward - https://wiki.nftables.org/wiki-nftables/index.php/Scripting
Hey FCOS team!
Currently the only example you have for configuring a firewall is with Ansible, which brings in a bunch of unwanted dependencies.
It would be great if you could provide some examples of layering firewall rules (ideally in a `.d` directory) to demonstrate some of the common configurations someone may want to do on a FCOS system. For example, the OpenVPN setup scripts include the following, but it's not obvious how we can create an image with this configuration in a declarative manner at build time.
The title mentions nftables, but any file-based declarative approach would be appreciated.
Thank you Robert
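As an added example, not taken from this thread or from the coreos-layering-examples project, here is a Containerfile that follows the nftables scripting route mentioned in the comment above and the `.d` layout asked for in this issue: rules live in per-concern drop-in files under an include directory, a throwaway builder stage syntax-checks the combined ruleset with `nft -c` before anything is committed, and only the rendered files are copied into the Fedora CoreOS stage. Assumptions: the build tool supports Dockerfile heredocs (BuildKit, or recent buildah/podman); `nftables.service` on Fedora loads `/etc/sysconfig/nftables.conf`; the `fcos.d` directory name, the OpenVPN port and the `tun0` interface name are constructed for the example.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from this thread. Assumes heredoc support in the builder
# and that nftables.service reads /etc/sysconfig/nftables.conf (Fedora layout).

# Stage 1: a throwaway Fedora image that holds the constructed ruleset and
# validates it with nft -c before it ever reaches the CoreOS image.
FROM registry.fedoraproject.org/fedora:40 AS builder
RUN dnf -y install nftables

# Drop-in directory: one file per concern, loaded in lexical order.
# 10-base.nft defines the tables and chains; later files only add rules.
COPY <<'EOF' /etc/nftables/fcos.d/10-base.nft
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
    }
}
EOF

# Constructed OpenVPN drop-in: the port and tunnel interface are assumptions.
COPY <<'EOF' /etc/nftables/fcos.d/20-openvpn.nft
add rule inet filter input udp dport 1194 accept
add rule inet filter forward iifname "tun0" accept
EOF

# Top-level script that nftables.service runs with nft -f. The wildcard
# include pulls in every drop-in, so adding a rule file never touches this one.
COPY <<'EOF' /etc/sysconfig/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
include "/etc/nftables/fcos.d/*.nft"
EOF

# Fail the build on a broken ruleset instead of discovering it at boot.
# nft -c validates through netlink, so the build needs access to a network
# namespace (rootless podman provides one); drop this line if yours does not.
RUN nft -c -f /etc/sysconfig/nftables.conf

# Stage 2: Fedora CoreOS with only the rendered files layered in.
FROM quay.io/fedora/fedora-coreos:stable
# Layer the nft binary only if the base image does not already carry it.
RUN rpm -q nftables || rpm-ostree install nftables
COPY --from=builder /etc/nftables/fcos.d /etc/nftables/fcos.d
COPY --from=builder /etc/sysconfig/nftables.conf /etc/sysconfig/nftables.conf
RUN systemctl enable nftables.service && ostree container commit
```

Adding another rule set later means dropping a new `NN-name.nft` file into `/etc/nftables/fcos.d` and rebuilding; the top-level file and the base chains stay untouched, and the `nft -c` step in the builder catches a typo in the new file before the image is committed. Do not enable `firewalld` on the same image, since both services manage the same kernel ruleset.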