summaryrefslogtreecommitdiff
path: root/libpod
diff options
context:
space:
mode:
authorMatthew Heon <matthew.heon@gmail.com>2018-09-09 13:16:34 -0400
committerAtomic Bot <atomic-devel@projectatomic.io>2018-09-10 18:53:27 +0000
commit9405e3704fae9c30b24ad8807174639005b1db6c (patch)
tree96d6c02662364c965aeecca8ced8b1deccc17f2d /libpod
parent2afadeec6696fefac468a49c8ba24b0bc275aa75 (diff)
downloadpodman-9405e3704fae9c30b24ad8807174639005b1db6c.tar.gz
podman-9405e3704fae9c30b24ad8807174639005b1db6c.tar.bz2
podman-9405e3704fae9c30b24ad8807174639005b1db6c.zip
Vendor CNI plugins firewall code
The upstream CNI project has a PR open for adding iptables and firewalld support, but this has been stalled for the better part of a year upstream. On advice of several maintainers, we are vendoring this code into libpod, to perform the relevant firewall configuration ourselves. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1431 Approved by: baude
Diffstat (limited to 'libpod')
-rw-r--r--libpod/runtime.go39
1 files changed, 26 insertions, 13 deletions
diff --git a/libpod/runtime.go b/libpod/runtime.go
index c405eb773..8dc561cd8 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -13,6 +13,7 @@ import (
is "github.com/containers/image/storage"
"github.com/containers/image/types"
"github.com/containers/libpod/libpod/image"
+ "github.com/containers/libpod/pkg/firewall"
"github.com/containers/libpod/pkg/hooks"
sysreg "github.com/containers/libpod/pkg/registries"
"github.com/containers/libpod/pkg/rootless"
@@ -70,19 +71,20 @@ type RuntimeOption func(*Runtime) error
// Runtime is the core libpod runtime
type Runtime struct {
- config *RuntimeConfig
- state State
- store storage.Store
- storageService *storageService
- imageContext *types.SystemContext
- ociRuntime *OCIRuntime
- lockDir string
- netPlugin ocicni.CNIPlugin
- ociRuntimePath string
- conmonPath string
- valid bool
- lock sync.RWMutex
- imageRuntime *image.Runtime
+ config *RuntimeConfig
+ state State
+ store storage.Store
+ storageService *storageService
+ imageContext *types.SystemContext
+ ociRuntime *OCIRuntime
+ lockDir string
+ netPlugin ocicni.CNIPlugin
+ ociRuntimePath string
+ conmonPath string
+ valid bool
+ lock sync.RWMutex
+ imageRuntime *image.Runtime
+ firewallBackend firewall.FirewallBackend
}
// RuntimeConfig contains configuration options used to set up the runtime
@@ -507,6 +509,17 @@ func makeRuntime(runtime *Runtime) (err error) {
}
runtime.netPlugin = netPlugin
+ // Set up a firewall backend
+ backendType := ""
+ if os.Geteuid() != 0 {
+ backendType = "none"
+ }
+ fwBackend, err := firewall.GetBackend(backendType)
+ if err != nil {
+ return err
+ }
+ runtime.firewallBackend = fwBackend
+
// Set up the state
switch runtime.config.StateType {
case InMemoryStateStore: