hack: run firewalld when $DOCKER_FIREWALLD is set

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2026-01-11 18:51:37 +00:00 · 2024-10-08 11:53:57 +02:00
parent 97b1233a15
commit 8883db20c5
4 changed files with 36 additions and 2 deletions
--- a/12
+++ b/12
@@ -16,6 +16,7 @@ ARG BUILDX_VERSION=0.17.1
 ARG COMPOSE_VERSION=v2.29.7

 ARG SYSTEMD="false"
+ARG FIREWALLD="false"
 ARG DOCKER_STATIC=1

 # REGISTRY_VERSION specifies the version of the registry to download from
@@ -502,7 +503,16 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
            systemd-sysv
 ENTRYPOINT ["hack/dind-systemd"]

-FROM dev-systemd-${SYSTEMD} AS dev-base
+FROM dev-systemd-${SYSTEMD} AS dev-firewalld-false
+
+FROM dev-systemd-true AS dev-firewalld-true
+RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
+    --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
+        apt-get update && apt-get install -y --no-install-recommends \
+            firewalld
+RUN sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf
+
+FROM dev-firewalld-${FIREWALLD} AS dev-base
 RUN groupadd -r docker
 RUN useradd --create-home --gid docker unprivilegeduser \
 && mkdir -p /home/unprivilegeduser/.local/share/docker \
--- a/4
+++ b/4
@@ -43,6 +43,7 @@ DOCKER_ENVS := \
 	-e DOCKERCLI_INTEGRATION_REPOSITORY \
 	-e DOCKER_DEBUG \
 	-e DOCKER_EXPERIMENTAL \
+	-e DOCKER_FIREWALLD \
 	-e DOCKER_GITCOMMIT \
 	-e DOCKER_GRAPHDRIVER \
 	-e DOCKER_LDFLAGS \
@@ -155,6 +156,9 @@ DOCKER_BUILD_ARGS += --build-arg=DOCKERCLI_INTEGRATION_REPOSITORY
 ifdef DOCKER_SYSTEMD
 DOCKER_BUILD_ARGS += --build-arg=SYSTEMD=true
 endif
+ifdef DOCKER_FIREWALLD
+DOCKER_BUILD_ARGS += --build-arg=FIREWALLD=true
+endif

 BUILD_OPTS := ${DOCKER_BUILD_ARGS} ${DOCKER_BUILD_OPTS}
 BUILD_CMD := $(BUILDX) build
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -172,11 +172,16 @@ variable "SYSTEMD" {
  default = "false"
 }

+variable "FIREWALLD" {
+  default = "false"
+}
+
 target "dev" {
  inherits = ["_common"]
  target = "dev"
  args = {
    SYSTEMD = SYSTEMD
+    FIREWALLD = FIREWALLD
  }
  tags = ["docker-dev"]
  output = ["type=docker"]
--- a/hack/dind-systemd
+++ b/hack/dind-systemd
@@ -56,12 +56,27 @@ if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
 	}
 fi

+# Allow connections coming from the host (through eth0). This is needed to
+# access the daemon port (independently of which port is used), or run a
+# 'remote' Delve session, etc...
+if [ ${DOCKER_FIREWALLD:-} = "true" ]; then
+	cat > /etc/firewalld/zones/trusted.xml << EOF
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="ACCEPT">
+  <short>Trusted</short>
+  <description>All network connections are accepted.</description>
+  <interface name="eth0"/>
+  <forward/>
+</zone>
+EOF
+fi
+
 env > /etc/docker-entrypoint-env

 cat > /etc/systemd/system/docker-entrypoint.target << EOF
 [Unit]
 Description=the target for docker-entrypoint.service
-Requires=docker-entrypoint.service systemd-logind.service systemd-user-sessions.service
+Requires=docker-entrypoint.service systemd-logind.service systemd-user-sessions.service $([ ${DOCKER_FIREWALLD:-} = "true" ] && echo firewalld.service)
 EOF

 quoted_args="$(printf " %q" "${@}")"