On Sun, Apr 23, 2017 at 11:33 PM, Dusty Mabe <dusty@dustymabe.com> wrote:

On 04/21/2017 01:42 PM, Jason DeTiberus wrote:
> While I can see firewalld improving the situation wrt documenting how to add/persist firewall changes for Atomic Host (especially when using moby/docker), I think there is a bigger concern with firewalld being absent. If a user is running multiple applications that modify the host firewall (docker, Kubernetes, OpenShift, etc), firewalld provides a way to make firewall modifications in a consistent and repeatable manner, where iptables does not. There is the --wait flag for iptables, however any applications/users that are interacting with iptables will need to ensure they use it consistently.

So you are saying firewalld makes your life easier if it was

Correct. The iptables-based management that is done in openshift-ansible has always been a hack that was only meant to be a stopgap until firewalld was fully supported up and down the entire stack. There are way too many edge cases that could cause issues with the create/save/restore process. We tried to limit those by using a dedicated chain for openshift-ansible rules, but rules modified by another process without using '-w', or other modifications to the firewall, could inadvertently be persisted with the iptables-save.

As mentioned in another reply on the thread, layered packages would allow for firewalld to be used today, but the restart requirement adds another level of complexity that adds the potential for non-determinism to the OpenShift install process. Having both iptables and firewalld available in the base would allow for parity between AH-based and non-AH-based installs.

Jason DeTiberus
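The persistence concern in the reply above (a whole-table save/restore also captures rules that docker, Kubernetes or a user added outside the tool's dedicated chain) is easy to make visible with a small checker. The following is an added example, not code from the thread or from openshift-ansible: it parses an `iptables-save` style dump and lists every rule a save would persist that does not belong to the managed chain. The chain name `EXAMPLE_MANAGED_CHAIN` is a placeholder assumption, and the dump is constructed for the example rather than captured from a real host.

```python
"""Report rules outside a dedicated chain in an iptables-save dump.

Added example; not from the mailing-list thread or openshift-ansible.
EXAMPLE_MANAGED_CHAIN is a placeholder for whatever chain a tool owns.
"""
import re
from collections import defaultdict

# Constructed sample in iptables-save format (filter table only). The
# DOCKER chain and the port-2222 INPUT rule stand in for rules that some
# other process added without coordinating with the managing tool.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.6.0 on Mon Apr 24 10:00:00 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:EXAMPLE_MANAGED_CHAIN - [0:0]
:DOCKER - [0:0]
-A INPUT -j EXAMPLE_MANAGED_CHAIN
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A EXAMPLE_MANAGED_CHAIN -p tcp -m tcp --dport 8443 -j ACCEPT
-A EXAMPLE_MANAGED_CHAIN -p tcp -m tcp --dport 10250 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Mon Apr 24 10:00:00 2017
"""

# "-A <chain> <rule spec>" as emitted by iptables-save
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")


def parse_rules(dump):
    """Return {table: {chain: [rule_spec, ...]}} from an iptables-save dump.

    Chain declarations (":NAME POLICY [p:b]") are recorded so that empty
    chains still show up; comments and COMMIT lines are skipped.
    """
    tables = defaultdict(lambda: defaultdict(list))
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # "*filter" starts a table
            table = line[1:]
            continue
        if line == "COMMIT":              # end of the current table
            table = None
            continue
        if table is None:
            continue
        if line.startswith(":"):          # chain declaration
            chain = line[1:].split()[0]
            tables[table][chain]          # create the (possibly empty) entry
            continue
        m = RULE_RE.match(line)
        if m:
            tables[table][m.group(1)].append(m.group(2))
    return tables


def foreign_rules(dump, managed_chain, table="filter"):
    """Rules a whole-table save would persist that are not the tool's own.

    Rules inside the managed chain, and the bare jump from a builtin chain
    into it (which the tool must install for its rules to be evaluated),
    are treated as managed; everything else is reported as (chain, spec).
    """
    rules = parse_rules(dump).get(table, {})
    found = []
    for chain, specs in rules.items():
        if chain == managed_chain:
            continue
        for spec in specs:
            if spec.strip() == f"-j {managed_chain}":
                continue
            found.append((chain, spec))
    return found


if __name__ == "__main__":
    for chain, spec in foreign_rules(SAMPLE_DUMP, "EXAMPLE_MANAGED_CHAIN"):
        print(f"would be persisted but not managed: -A {chain} {spec}")
```

Running it over the sample dump reports the port-2222 INPUT rule, the FORWARD jump into DOCKER and the DOCKER chain's own rule: exactly the kind of rules that end up in a saved file even though the managing tool never created them. The dedicated-chain approach keeps the tool's rules separate, but as the reply notes it cannot stop a save from picking up what other processes wrote; only persisting the managed chain's contents, rather than the whole table, avoids that.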