Install and run firewalld for CI's firewalld tests

Signed-off-by: Albin Kerouanton <albinker@gmail.com> (cherry picked from commit 8883db20c5) Signed-off-by: Rob Murray <rob.murray@docker.com> (cherry picked from commit adfed82ab8) Signed-off-by: Andrey Epifanov <aepifanov@mirantis.com>
2026-01-11 18:51:37 +00:00 · 2024-10-08 11:53:57 +02:00
parent 270166cbe5
commit 0316eaaa23
5 changed files with 69 additions and 2 deletions
--- a/.github/workflows/.test.yml
+++ b/.github/workflows/.test.yml
@@ -41,6 +41,25 @@ jobs:
      -
        name: Set up runner
        uses: ./.github/actions/setup-runner
+      -
+        name: Prepare
+        run: |
+          CACHE_DEV_SCOPE=dev
+          if [[ "${{ matrix.mode }}" == *"rootless"* ]]; then
+            # In rootless mode, tests will run in the host's namspace not the rootlesskit
+            # namespace. So, probably no different to non-rootless unit tests and can be
+            # removed from the test matrix.
+            echo "DOCKER_ROOTLESS=1" >> $GITHUB_ENV
+          fi
+          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
+            echo "FIREWALLD=true" >> $GITHUB_ENV
+            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
+          fi
+          if [[ "${{ matrix.mode }}" == *"systemd"* ]]; then
+            echo "SYSTEMD=true" >> $GITHUB_ENV
+            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}systemd"
+          fi
+          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
@@ -204,6 +223,7 @@ jobs:
          - ""
          - rootless
          - systemd
+          - firewalld
          #- rootless-systemd FIXME: https://github.com/moby/moby/issues/44084
        exclude:
          - os: ubuntu-24.04 # FIXME: https://github.com/moby/moby/pull/49579#issuecomment-2698622223
@@ -229,6 +249,10 @@ jobs:
            echo "SYSTEMD=true" >> $GITHUB_ENV
            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}systemd"
          fi
+          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
+            echo "FIREWALLD=true" >> $GITHUB_ENV
+            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
+          fi
          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
      -
        name: Set up Docker Buildx
@@ -372,6 +396,15 @@ jobs:
      -
        name: Set up tracing
        uses: ./.github/actions/setup-tracing
+      -
+        name: Prepare
+        run: |
+          CACHE_DEV_SCOPE=dev
+          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
+            echo "FIREWALLD=true" >> $GITHUB_ENV
+            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
+          fi
+          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
--- a/12
+++ b/12
@@ -16,6 +16,7 @@ ARG BUILDX_VERSION=0.12.1
 ARG COMPOSE_VERSION=v2.24.5

 ARG SYSTEMD="false"
+ARG FIREWALLD="false"
 ARG DOCKER_STATIC=1

 # REGISTRY_VERSION specifies the version of the registry to download from
@@ -500,7 +501,16 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
            systemd-sysv
 ENTRYPOINT ["hack/dind-systemd"]

-FROM dev-systemd-${SYSTEMD} AS dev-base
+FROM dev-systemd-${SYSTEMD} AS dev-firewalld-false
+
+FROM dev-systemd-true AS dev-firewalld-true
+RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
+    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
+        apt-get update && apt-get install -y --no-install-recommends \
+            firewalld
+RUN sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf
+
+FROM dev-firewalld-${FIREWALLD} AS dev-base
 RUN groupadd -r docker
 RUN useradd --create-home --gid docker unprivilegeduser \
 && mkdir -p /home/unprivilegeduser/.local/share/docker \
--- a/4
+++ b/4
@@ -56,6 +56,7 @@ DOCKER_ENVS := \
 	-e DOCKER_USERLANDPROXY \
 	-e DOCKERD_ARGS \
 	-e DELVE_PORT \
+	-e FIREWALLD \
 	-e GITHUB_ACTIONS \
 	-e TEST_FORCE_VALIDATE \
 	-e TEST_INTEGRATION_DIR \
@@ -149,6 +150,9 @@ DOCKER_BUILD_ARGS += --build-arg=DOCKERCLI_INTEGRATION_REPOSITORY
 ifdef DOCKER_SYSTEMD
 DOCKER_BUILD_ARGS += --build-arg=SYSTEMD=true
 endif
+ifdef FIREWALLD
+DOCKER_BUILD_ARGS += --build-arg=FIREWALLD=true
+endif

 BUILD_OPTS := ${DOCKER_BUILD_ARGS} ${DOCKER_BUILD_OPTS}
 BUILD_CMD := $(BUILDX) build
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -172,11 +172,16 @@ variable "SYSTEMD" {
  default = "false"
 }

+variable "FIREWALLD" {
+  default = "false"
+}
+
 target "dev" {
  inherits = ["_common"]
  target = "dev"
  args = {
    SYSTEMD = SYSTEMD
+    FIREWALLD = FIREWALLD
  }
  tags = ["docker-dev"]
  output = ["type=docker"]
--- a/hack/dind-systemd
+++ b/hack/dind-systemd
@@ -56,12 +56,27 @@ if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
 	}
 fi

+# Allow connections coming from the host (through eth0). This is needed to
+# access the daemon port (independently of which port is used), or run a
+# 'remote' Delve session, etc...
+if [ "${FIREWALLD:-}" = "true" ]; then
+	cat > /etc/firewalld/zones/trusted.xml << EOF
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="ACCEPT">
+  <short>Trusted</short>
+  <description>All network connections are accepted.</description>
+  <interface name="eth0"/>
+  <forward/>
+</zone>
+EOF
+fi
+
 env > /etc/docker-entrypoint-env

 cat > /etc/systemd/system/docker-entrypoint.target << EOF
 [Unit]
 Description=the target for docker-entrypoint.service
-Requires=docker-entrypoint.service systemd-logind.service systemd-user-sessions.service
+Requires=docker-entrypoint.service systemd-logind.service systemd-user-sessions.service $([ "${FIREWALLD:-}" = "true" ] && echo firewalld.service)
 EOF

 quoted_args="$(printf " %q" "${@}")"