diff options
author | Matthew Heon <matthew.heon@gmail.com> | 2018-09-09 13:16:34 -0400 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-09-10 18:53:27 +0000 |
commit | 9405e3704fae9c30b24ad8807174639005b1db6c (patch) | |
tree | 96d6c02662364c965aeecca8ced8b1deccc17f2d /libpod | |
parent | 2afadeec6696fefac468a49c8ba24b0bc275aa75 (diff) | |
download | podman-9405e3704fae9c30b24ad8807174639005b1db6c.tar.gz podman-9405e3704fae9c30b24ad8807174639005b1db6c.tar.bz2 podman-9405e3704fae9c30b24ad8807174639005b1db6c.zip |
Vendor CNI plugins firewall code
The upstream CNI project has a PR open for adding iptables and
firewalld support, but this has been stalled for the better part
of a year upstream.
On advice of several maintainers, we are vendoring this code into
libpod, to perform the relevant firewall configuration ourselves.
Signed-off-by: Matthew Heon <matthew.heon@gmail.com>
Closes: #1431
Approved by: baude
Diffstat (limited to 'libpod')
-rw-r--r-- | libpod/runtime.go | 39 |
1 files changed, 26 insertions, 13 deletions
diff --git a/libpod/runtime.go b/libpod/runtime.go index c405eb773..8dc561cd8 100644 --- a/libpod/runtime.go +++ b/libpod/runtime.go @@ -13,6 +13,7 @@ import ( is "github.com/containers/image/storage" "github.com/containers/image/types" "github.com/containers/libpod/libpod/image" + "github.com/containers/libpod/pkg/firewall" "github.com/containers/libpod/pkg/hooks" sysreg "github.com/containers/libpod/pkg/registries" "github.com/containers/libpod/pkg/rootless" @@ -70,19 +71,20 @@ type RuntimeOption func(*Runtime) error // Runtime is the core libpod runtime type Runtime struct { - config *RuntimeConfig - state State - store storage.Store - storageService *storageService - imageContext *types.SystemContext - ociRuntime *OCIRuntime - lockDir string - netPlugin ocicni.CNIPlugin - ociRuntimePath string - conmonPath string - valid bool - lock sync.RWMutex - imageRuntime *image.Runtime + config *RuntimeConfig + state State + store storage.Store + storageService *storageService + imageContext *types.SystemContext + ociRuntime *OCIRuntime + lockDir string + netPlugin ocicni.CNIPlugin + ociRuntimePath string + conmonPath string + valid bool + lock sync.RWMutex + imageRuntime *image.Runtime + firewallBackend firewall.FirewallBackend } // RuntimeConfig contains configuration options used to set up the runtime @@ -507,6 +509,17 @@ func makeRuntime(runtime *Runtime) (err error) { } runtime.netPlugin = netPlugin + // Set up a firewall backend + backendType := "" + if os.Geteuid() != 0 { + backendType = "none" + } + fwBackend, err := firewall.GetBackend(backendType) + if err != nil { + return err + } + runtime.firewallBackend = fwBackend + // Set up the state switch runtime.config.StateType { case InMemoryStateStore: |