Install and run firewalld for CI's firewalld tests

The github action running bake expected FIREWALLD to be set, but DOCKER_FIREWALLD was set instead, so firewalld wasn't installed in the dev image. The dind-systemd script expected DOCKER_FIREWALLD to be set if it needed to run firewalld, and it was. But it had no effect. In CI, bake builds the image then make runs it - and the use the same env. So, align on FIREWALLD (as it's not a docker feature). Signed-off-by: Rob Murray <rob.murray@docker.com>
2026-01-11 10:41:43 +00:00 · 2025-03-19 15:35:33 +00:00
parent 0ab6f07c31
commit adfed82ab8
3 changed files with 7 additions and 7 deletions
--- a/.github/workflows/.test.yml
+++ b/.github/workflows/.test.yml
@@ -90,7 +90,7 @@ jobs:
            echo "DOCKER_ROOTLESS=1" >> $GITHUB_ENV
          fi
          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
-            echo "DOCKER_FIREWALLD=true" >> $GITHUB_ENV
+            echo "FIREWALLD=true" >> $GITHUB_ENV
            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
          fi
          if [[ "${{ matrix.mode }}" == *"systemd"* ]]; then
@@ -328,7 +328,7 @@ jobs:
            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}systemd"
          fi
          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
-            echo "DOCKER_FIREWALLD=true" >> $GITHUB_ENV
+            echo "FIREWALLD=true" >> $GITHUB_ENV
            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
          fi
          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
@@ -518,7 +518,7 @@ jobs:
        run: |
          CACHE_DEV_SCOPE=dev
          if [[ "${{ matrix.mode }}" == *"firewalld"* ]]; then
-            echo "DOCKER_FIREWALLD=true" >> $GITHUB_ENV
+            echo "FIREWALLD=true" >> $GITHUB_ENV
            CACHE_DEV_SCOPE="${CACHE_DEV_SCOPE}firewalld"
          fi
          echo "CACHE_DEV_SCOPE=${CACHE_DEV_SCOPE}" >> $GITHUB_ENV
--- a/4
+++ b/4
@@ -38,7 +38,6 @@ DOCKER_ENVS := \
 	-e DOCKERCLI_INTEGRATION_REPOSITORY \
 	-e DOCKER_DEBUG \
 	-e DOCKER_EXPERIMENTAL \
-	-e DOCKER_FIREWALLD \
 	-e DOCKER_GITCOMMIT \
 	-e DOCKER_GRAPHDRIVER \
 	-e DOCKER_LDFLAGS \
@@ -50,6 +49,7 @@ DOCKER_ENVS := \
 	-e DOCKER_USERLANDPROXY \
 	-e DOCKERD_ARGS \
 	-e DELVE_PORT \
+	-e FIREWALLD \
 	-e GITHUB_ACTIONS \
 	-e TEST_FORCE_VALIDATE \
 	-e TEST_INTEGRATION_DIR \
@@ -150,7 +150,7 @@ DOCKER_BUILD_ARGS += --build-arg=DOCKERCLI_INTEGRATION_REPOSITORY
 ifdef DOCKER_SYSTEMD
 DOCKER_BUILD_ARGS += --build-arg=SYSTEMD=true
 endif
-ifdef DOCKER_FIREWALLD
+ifdef FIREWALLD
 DOCKER_BUILD_ARGS += --build-arg=FIREWALLD=true
 endif

--- a/hack/dind-systemd
+++ b/hack/dind-systemd
@@ -66,7 +66,7 @@ fi
 # Allow connections coming from the host (through eth0). This is needed to
 # access the daemon port (independently of which port is used), or run a
 # 'remote' Delve session, etc...
-if [ "${DOCKER_FIREWALLD:-}" = "true" ]; then
+if [ "${FIREWALLD:-}" = "true" ]; then
 	cat > /etc/firewalld/zones/trusted.xml << EOF
 <?xml version="1.0" encoding="utf-8"?>
 <zone target="ACCEPT">
@@ -83,7 +83,7 @@ env > /etc/docker-entrypoint-env
 cat > /etc/systemd/system/docker-entrypoint.target << EOF
 [Unit]
 Description=the target for docker-entrypoint.service
-Requires=docker-entrypoint.service systemd-logind.service systemd-user-sessions.service $([ "${DOCKER_FIREWALLD:-}" = "true" ] && echo firewalld.service)
+Requires=docker-entrypoint.service systemd-logind.service systemd-user-sessions.service $([ "${FIREWALLD:-}" = "true" ] && echo firewalld.service)
 EOF

 quoted_args="$(printf " %q" "${@}")"