From 9405e3704fae9c30b24ad8807174639005b1db6c Mon Sep 17 00:00:00 2001
From: Matthew Heon
Date: Sun, 9 Sep 2018 13:16:34 -0400
Subject: Vendor CNI plugins firewall code

The upstream CNI project has a PR open for adding iptables and firewalld support, but this has been stalled for the better part of a year upstream. On advice of several maintainers, we are vendoring this code into libpod, to perform the relevant firewall configuration ourselves.

Signed-off-by: Matthew Heon

Closes: #1431
Approved by: baude
---
 libpod/runtime.go | 39 ++++++++++++++++++++++++++-------------
 1 file changed, 26 insertions(+), 13 deletions(-)
(limited to 'libpod')

diff --git a/libpod/runtime.go b/libpod/runtime.go
index c405eb773..8dc561cd8 100644
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@@ -13,6 +13,7 @@ import (
 	is "github.com/containers/image/storage"
 	"github.com/containers/image/types"
 	"github.com/containers/libpod/libpod/image"
+	"github.com/containers/libpod/pkg/firewall"
 	"github.com/containers/libpod/pkg/hooks"
 	sysreg "github.com/containers/libpod/pkg/registries"
 	"github.com/containers/libpod/pkg/rootless"
@@ -70,19 +71,20 @@ type RuntimeOption func(*Runtime) error
 
 // Runtime is the core libpod runtime
 type Runtime struct {
-	config         *RuntimeConfig
-	state          State
-	store          storage.Store
-	storageService *storageService
-	imageContext   *types.SystemContext
-	ociRuntime     *OCIRuntime
-	lockDir        string
-	netPlugin      ocicni.CNIPlugin
-	ociRuntimePath string
-	conmonPath     string
-	valid          bool
-	lock           sync.RWMutex
-	imageRuntime   *image.Runtime
+	config          *RuntimeConfig
+	state           State
+	store           storage.Store
+	storageService  *storageService
+	imageContext    *types.SystemContext
+	ociRuntime      *OCIRuntime
+	lockDir         string
+	netPlugin       ocicni.CNIPlugin
+	ociRuntimePath  string
+	conmonPath      string
+	valid           bool
+	lock            sync.RWMutex
+	imageRuntime    *image.Runtime
+	firewallBackend firewall.FirewallBackend
 }
 
 // RuntimeConfig contains configuration options used to set up the runtime
@@ -507,6 +509,17 @@ func makeRuntime(runtime *Runtime) (err error) {
 	}
 	runtime.netPlugin = netPlugin
 
+	// Set up a firewall backend
+	backendType := ""
+	if os.Geteuid() != 0 {
+		backendType = "none"
+	}
+	fwBackend, err := firewall.GetBackend(backendType)
+	if err != nil {
+		return err
+	}
+	runtime.firewallBackend = fwBackend
+
 	// Set up the state
 	switch runtime.config.StateType {
 	case InMemoryStateStore:
-- 
cgit v1.2.3-54-g00ecf
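Review bot: The bare `return err` after `firewall.GetBackend(backendType)` gives the caller no indication that it was the firewall backend, rather than the CNI plugin or state setup around it, that failed; wrapping it, e.g. `return errors.Wrapf(err, "error setting up firewall backend")` if the file already imports pkg/errors as the rest of libpod did at the time, keeps the runtime-creation error actionable. The meaning of `backendType := ""` depends on GetBackend's default-selection behaviour, which is not visible in this hunk, so the euid branch deserves a comment along the lines of `// "" lets GetBackend choose the default backend; an unprivileged (rootless) runtime cannot modify host firewall rules, so it gets the no-op "none" backend and no port rules are installed for its containers`. The file also imports the `rootless` package (see the import hunk), which is presumably the conventional place for the "are we rootless" decision rather than a raw `os.Geteuid()` comparison; worth confirming it exposes such a check. makeRuntime's body starts and ends outside this hunk.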