Enabling firewall on MicroOS during installation
Hi,

I just installed MicroOS on bare metal (x86_64) using openSUSE-MicroOS-DVD-x86_64-Snapshot20210329-Media.iso. During the process I selected to enable the firewall, to which the installer responded that I needed to manually select "firewalld" for installation. I clicked on the "Software" link above the message and then the "Details" button in the following view. At that point, I can select the "Package Classification" view and "All Packages" to see the list of available packages to install. I didn't see "firewalld". Clicking on the "Search" tab instead of the "View" tab in this more detailed package installer, I searched for "firewall" in "Name", "Keywords", "Summary", "Description" and I get nothing as a result. If I add "RPM Provides" to the above list, the "MicroOS-release" package appears.

Anyway, I may have missed how to install "firewalld", but, the best I can tell, there is no "firewalld" package that I can install. Suggestions?

For now, I am going to try things out without firewalld installed at install time and see if I can install it after the fact.

MicroOS is an interesting distribution--thanks for all of the work and creativity!

Paul
On Wed, 2021-03-31 at 18:42 -0600, Paul Graham wrote:
Anyway, I may have missed how to install "firewalld", but, the best I can tell, there is no "firewalld" package that I can install.
Suggestions?
Mmm... Maybe it's not in the iso? Point is, why do you need the firewall on the host, and are you sure it will work well? I'm not a networking expert, but you'll have containers there that need to control iptables to work. Then the firewall will try to do the same and there may be issues.
For now, I am going to try things out without firewalld installed at install time and see if I can install it after the fact.
Installing after the fact should work.
I did that, as an experiment, and it seemed to work fine. It was on a MicroOS Desktop system, but that should not make too big of a difference, at least for what concerns installing and running it.

About the conflict over iptables mentioned above, well, I've run firewalld on this MicroOS desktop box for a while and was using toolbox (which is a podman container) intensively and had no issues. But I genuinely don't know whether that would be the same on a proper container host system.
Regards
--
Dario Faggioli, Ph.D
http://about.me/dario.faggioli
Virtualization Software Engineer
SUSE Labs, SUSE https://www.suse.com/
-------------------------------------------------------------------
Hi,

On Thu, Apr 01, Dario Faggioli wrote:
On Wed, 2021-03-31 at 18:42 -0600, Paul Graham wrote:
Anyway, I may have missed how to install "firewalld", but, the best I can tell, there is no "firewalld" package that I can install.
Suggestions?
Mmm... Maybe it's not in the iso?
Most likely.
Point is, why do you need the firewall on the host, and are you sure it will work well? I'm not a networking expert, but you'll have containers there that need to control iptables to work. Then the firewall will try to do the same and there may be issues.
podman is using the firewalld-cmd to set the rules, that's not the problem. But changes to firewall rules can flush the rules set by podman, and this will kill your container network.

The use case for a firewall isn't clear to me here either: MicroOS as a container host has exactly one open port: sshd. If you don't want that, stop the service.

Otherwise you have to explicitly export ports of containers to be visible outside. If you want that, then you always need to do it twice: for podman and for the firewall. So the only use case I see is if you accidentally export ports to containers. But in the same way you could accidentally open ports in the firewall.

Thorsten
-- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg)
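The "twice" point above, that a container port has to be both published by podman and opened in firewalld before it is reachable, lends itself to a small consistency check. The script below is an added example; it is not from this thread or from the MicroOS project. It assumes the column layout of `podman ps --format '{{.Names}} {{.Ports}}'` (entries like `0.0.0.0:8080->80/tcp`) and the space-separated output of `firewall-cmd --list-ports`; the two sample strings are constructed so the script runs offline. It reports ports exported in only one of the two places, which catches both the forgotten firewall rule and the firewall rule left open after its container is gone.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the ports podman
# publishes against the ports firewalld opens, so a port that is
# exported in only one of the two places is noticed.

# Constructed sample of `podman ps --format '{{.Names}} {{.Ports}}'`.
SAMPLE_PODMAN='web 0.0.0.0:8080->80/tcp, 0.0.0.0:8443->443/tcp
dns 0.0.0.0:5353->53/udp'

# Constructed sample of `firewall-cmd --list-ports` (default zone).
SAMPLE_FIREWALLD='8080/tcp 9090/tcp'

# Reduce podman's Ports column to one "hostport/proto" per line.
# Single ports only; published ranges (8000-8010) are skipped.
podman_ports() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -n 's/.*:\([0-9][0-9]*\)->[0-9]*\/\([a-z]*\).*/\1\/\2/p' |
        sort -u
}

# Reduce firewall-cmd's space-separated list to one entry per line.
firewalld_ports() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Print one finding per line:
#   published-not-open  -> podman publishes it, firewalld does not allow it
#   open-not-published  -> firewalld allows it, no container is behind it
audit_ports() {
    pp=$(podman_ports "$1")
    fp=$(firewalld_ports "$2")
    printf '%s\n' "$pp" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf '%s\n' "$fp" | grep -qx "$p" || echo "published-not-open $p"
    done
    printf '%s\n' "$fp" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf '%s\n' "$pp" | grep -qx "$p" || echo "open-not-published $p"
    done
}

# Stand-alone run against the constructed samples. On a live host, swap in
# "$(podman ps --format '{{.Names}} {{.Ports}}')" and "$(firewall-cmd --list-ports)".
audit_ports "$SAMPLE_PODMAN" "$SAMPLE_FIREWALLD"
```

`firewall-cmd --list-ports` reports the default zone only; if the container host's interface is in another zone, add `--zone=<zone>` (a real firewall-cmd option) to the command whose output you feed in. The check is deliberately one-directional per line so that a "published-not-open" finding reads as "service silently unreachable" and an "open-not-published" finding reads as "rule wider than needed".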
Thanks for both of your responses. I am looking at using MicroOS in more of an embedded application and am just getting familiar with its features and workflow.

I guess I regularly use firewalls to guarantee that certain services are not accidentally exposed to the outside world, while they can be used locally on the host--this comes from a more conventional desktop and server experience, of course. In the case of MicroOS, your points are intriguing. If I understand what you are saying, since the ports for containers have to be (should be?) explicitly managed, they are unlikely to be exposed by accident to the network. Furthermore, I am assuming that there is so little running on the host OS that the traditional use case for a firewall to protect host services may not be relevant. I guess I am not used to systems that are so minimally configured with software, which is a nice feature from a security and maintenance point of view.

If you wanted MicroOS to build a firewall device, for example, it sounds like users have to be careful about the interactions between the firewall and the containers, if a firewall is installed on the host. I haven't thought through all of the implications yet. I am assuming that building a firewall device isn't a crazy idea with MicroOS.

It does sound like, though, that the ISO I used for installation is missing firewalld as a package. Once the system was installed, though, I was able to install firewalld after the fact.

Thanks for the information,

Paul
On Thu, Apr 1, 2021 at 1:56 AM Thorsten Kukuk
Participants (3): Dario Faggioli, Paul Graham, Thorsten Kukuk