Enabling firewall on MicroOS during installation
Hi,

I just installed MicroOS on bare metal (x86_64) using openSUSE-MicroOS-DVD-x86_64-Snapshot20210329-Media.iso. During the process I selected to enable the firewall, to which the installer responded that I needed to manually select "firewalld" for installation.

I clicked on the "Software" link above the message and then the "Details" button in the following view. At that point, I can select the "Package Classification" view and "All Packages" to see the list of available packages to install. I didn't see "firewalld". Clicking on the "Search" tab instead of the "View" tab in this more detailed package installer, I searched for "firewall" in "Name", "Keywords", "Summary" and "Description" and got nothing as a result. If I add "RPM Provides" to the above list, the "MicroOS-release" package appears.

Anyway, I may have missed how to install "firewalld", but, the best I can tell, there is no "firewalld" package that I can install. Suggestions?

For now, I am going to try things out without firewalld installed at install time and see if I can install it after the fact.

MicroOS is an interesting distribution -- thanks for all of the work and creativity!

Paul
On Wed, 2021-03-31 at 18:42 -0600, Paul Graham wrote:
Anyway, I may have missed how to install "firewalld", but, the best I can tell, there is no "firewalld" package that I can install.
Suggestions?
Mmm... Maybe it's not in the iso? Point is, why do you need the firewall on the host, and are you sure it will work well? I'm not a networking expert, but you'll have containers there that need to control iptables to work. Then the firewall will try to do the same and there may be issues.
For now, I am going to try things out without firewalld installed at install time and see if I can install it after the fact.
Installing after the fact should work. I did that, as an experiment, and it seemed to work fine. It was on a MicroOS Desktop system, but that should not make too big of a difference, at least for what concerns installing and running it.

About the conflict over iptables mentioned above, well, I've run firewalld on this MicroOS desktop box for a while and was using toolbox (which is a podman container) intensively and had no issues. But I genuinely don't know whether that would be the same on a proper container host system.

Regards
--
Dario Faggioli, Ph.D
http://about.me/dario.faggioli
Virtualization Software Engineer
SUSE Labs, SUSE https://www.suse.com/
-------------------------------------------------------------------
<<This happens because _I_ choose it to happen!>> (Raistlin Majere)
Hi,

On Thu, Apr 01, Dario Faggioli wrote:
On Wed, 2021-03-31 at 18:42 -0600, Paul Graham wrote:
Anyway, I may have missed how to install "firewalld", but, the best I can tell, there is no "firewalld" package that I can install.
Suggestions?
Mmm... Maybe it's not in the iso?
Most likely.
Point is, why do you need the firewall on the host, and are you sure it will work well? I'm not a networking expert, but you'll have containers there that need to control iptables to work. Then the firewall will try to do the same and there may be issues.
podman is using firewall-cmd to set the rules, that's not the problem. But changes to firewall rules can flush the rules set by podman, and this will kill your container network.

The use-case for a firewall isn't clear to me here, either: MicroOS as container host has exactly one open port: sshd. If you don't want that: stop the service.

Else you have to explicitly export ports of containers to be visible outside. If you want that, then you need to do that always twice: for podman and for the firewall. So the only use-case I see is if you accidentally export ports to containers. But in the same way you could accidentally open ports in the firewall.

Thorsten
-- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Felix Imendoerffer (HRB 36809, AG Nürnberg)
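Thorsten's two points above, that a container port exported to the network has to be handled twice (once for podman, once for the firewall) and that the remaining risk is a port exposed by accident, can be turned into a small audit. The script below is an added example; it is not part of this thread and not code from podman or firewalld. It parses the plain-text output formats of `podman ps --format '{{.Ports}}'` and `firewall-cmd --list-ports`, embedded here as constructed samples so it runs offline, and lists the host ports podman publishes on a non-loopback address that firewalld has not opened, plus the reverse (firewall ports that no container publishes). The sample values and the helper names (`published_ports`, `unopened_ports`, and so on) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, podman or firewalld): reconcile the ports
# podman publishes on the host with the ports firewalld has opened, to catch a
# container port that was exported to the network but never opened in the
# firewall, or a firewall port that no container (or sshd) still needs.
#
# Inputs are the plain-text formats of
#   podman ps --format '{{.Ports}}'   (one container per line,
#                                      "hostaddr:hostport->ctrport/proto", comma-separated)
#   firewall-cmd --list-ports         ("port/proto" tokens, space-separated)
# They are embedded below as constructed samples so the script runs offline.

# Constructed sample: three containers, one of them bound to loopback only.
SAMPLE_PODMAN_PORTS='0.0.0.0:8080->80/tcp, 0.0.0.0:8443->443/tcp
127.0.0.1:5432->5432/tcp
0.0.0.0:9000->9000/udp'

# Constructed sample: firewalld has sshd and the web port open, nothing else.
SAMPLE_FIREWALLD_PORTS='8080/tcp 22/tcp'

# Host "port/proto" pairs that podman binds on a non-loopback address, one per
# line, sorted. Loopback bindings are skipped because they are not reachable
# from the network anyway. Port ranges (8000-8010/tcp) pass through unexpanded,
# which is also the form firewall-cmd accepts.
published_ports() {
  printf '%s\n' "$1" | tr ',' '\n' | awk '
    /->/ {
      gsub(/^ +| +$/, "")
      split($0, parts, "->"); host = parts[1]; target = parts[2]
      n = split(host, h, ":"); addr = h[1]; port = h[n]
      split(target, t, "/"); proto = t[2]
      if (addr != "127.0.0.1" && addr != "::1") print port "/" proto
    }' | sort -u
}

# "port/proto" pairs firewalld reports as open, one per line, sorted.
firewalld_ports() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk 'NF' | sort -u
}

# Published on the wire by podman but not recorded as open in firewalld, i.e.
# the firewall configuration does not reflect what the host actually exposes.
unopened_ports() {
  {
    firewalld_ports "$2" | sed 's/$/ F/'
    published_ports "$1" | sed 's/$/ P/'
  } | awk '$2 == "F" { open[$1] = 1 }
           $2 == "P" && !($1 in open) { print $1 }'
}

# Opened in firewalld but published by no container. On a MicroOS container
# host the expected survivor is 22/tcp for sshd; anything else is a hole
# opened by hand that should be reviewed.
unpublished_open_ports() {
  {
    published_ports "$1" | sed 's/$/ P/'
    firewalld_ports "$2" | sed 's/$/ F/'
  } | awk '$2 == "P" { pub[$1] = 1 }
           $2 == "F" && !($1 in pub) { print $1 }'
}

# Print, but do not run, the runtime firewall-cmd calls that would open the
# missing ports. Applying them is a rule change of the kind Thorsten warns
# about, so it stays a deliberate manual step.
suggest_firewall_cmds() {
  unopened_ports "$1" "$2" | awk '{ print "firewall-cmd --add-port=" $1 }'
}

echo "Published by podman, not open in firewalld:"
unopened_ports "$SAMPLE_PODMAN_PORTS" "$SAMPLE_FIREWALLD_PORTS"
echo "Open in firewalld, published by no container:"
unpublished_open_ports "$SAMPLE_PODMAN_PORTS" "$SAMPLE_FIREWALLD_PORTS"
echo "Suggested (not executed):"
suggest_firewall_cmds "$SAMPLE_PODMAN_PORTS" "$SAMPLE_FIREWALLD_PORTS"
```

To use it on a live host, replace the two sample strings with the real output of `podman ps --format '{{.Ports}}'` (run as the user whose containers matter, root for system containers) and `firewall-cmd --list-ports`. The script only prints the `firewall-cmd --add-port` lines it suggests and never changes rules itself; `--add-port` without `--permanent` is a runtime change lost on the next firewalld restart, and persisting it with `--permanent` plus `--reload` is exactly the sort of rule change Thorsten says can flush what podman installed, so do it at a time when the container network may be briefly disturbed.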
Thanks for both of your responses.

I am looking at using MicroOS in more of an embedded application and am just getting familiar with its features and workflow. I guess I regularly use firewalls to guarantee that certain services are not accidentally exposed to the outside world, while they can be used locally on the host -- this comes from a more conventional desktop and server experience, of course.

In the case of MicroOS, your points are intriguing. If I understand what you are saying, since the ports for containers have to be (should be?) explicitly managed, they are unlikely to be exposed by accident to the network. Furthermore, I am assuming that there is so little running on the host OS that the traditional use case for a firewall to protect host services may not be relevant. I guess I am not used to systems that are so minimally configured with software, which is a nice feature from a security and maintenance point of view.

If you wanted MicroOS to build a firewall device, for example, it sounds like users have to be careful about the interactions between the firewall and the containers, if a firewall is installed on the host. I haven't thought through all of the implications yet. I am assuming that building a firewall device isn't a crazy idea with MicroOS.

It does sound like, though, that the ISO I used for installation is missing firewalld as a package. Once the system was installed, though, I was able to install firewalld after the fact.

Thanks for the information,
Paul

On Thu, Apr 1, 2021 at 1:56 AM Thorsten Kukuk <kukuk@suse.de> wrote:
participants (3)
- Dario Faggioli
- Paul Graham
- Thorsten Kukuk