feat: configure firewalld (#1892)

* feat: configure firewalld

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

Author: emosbaugh

.github/workflows/distros.yaml

@@ -41,6 +41,9 @@ jobs:
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
+        with:
+          # see https://github.com/tonistiigi/binfmt/issues/215
+          image: tonistiigi/binfmt:qemu-v7.0.0
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3

cmd/installer/cli/firewalld.go

@@ -0,0 +1,178 @@
+package cli
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/replicatedhq/embedded-cluster/pkg/helpers/firewalld"
+	"github.com/sirupsen/logrus"
+	"go.uber.org/multierr"
+)
+
+// configureFirewalld configures firewalld for the cluster. It adds the ec-net zone for pod and
+// service communication with default target ACCEPT, and opens the necessary ports in the default
+// zone for k0s and k8s components on the host network.
+func configureFirewalld(ctx context.Context, podNetwork, serviceNetwork string) error {
+	isActive, err := firewalld.IsFirewalldActive(ctx)
+	if err != nil {
+		return fmt.Errorf("check if firewalld is active: %w", err)
+	}
+	if !isActive {
+		logrus.Debugf("firewalld is not active, skipping configuration")
+		return nil
+	}
+
+	logrus.Debugf("firewalld is active, configuring")
+
+	cmdExists, err := firewalld.FirewallCmdExists(ctx)
+	if err != nil {
+		return fmt.Errorf("check if firewall-cmd exists: %w", err)
+	}
+	if !cmdExists {
+		logrus.Debugf("firewall-cmd not found but firewalld is active, skipping firewalld configuration")
+		return nil
+	}
+
+	err = ensureFirewalldECNetZone(ctx, podNetwork, serviceNetwork)
+	if err != nil {
+		return fmt.Errorf("ensure ec-net zone: %w", err)
+	}
+
+	err = ensureFirewalldDefaultZone(ctx)
+	if err != nil {
+		return fmt.Errorf("ensure default zone: %w", err)
+	}
+
+	err = firewalld.Reload(ctx)
+	if err != nil {
+		return fmt.Errorf("reload firewalld: %w", err)
+	}
+
+	return nil
+}
+
+// resetFirewalld removes all firewalld configuration added by the installer.
+func resetFirewalld(ctx context.Context) (finalErr error) {
+	cmdExists, err := firewalld.FirewallCmdExists(ctx)
+	if err != nil {
+		return fmt.Errorf("check if firewall-cmd exists: %w", err)
+	}
+	if !cmdExists {
+		return nil
+	}
+
+	err = resetFirewalldECNetZone(ctx)
+	if err != nil {
+		finalErr = multierr.Append(finalErr, fmt.Errorf("reset ec-net zone: %w", err))
+	}
+
+	err = resetFirewalldDefaultZone(ctx)
+	if err != nil {
+		finalErr = multierr.Append(finalErr, fmt.Errorf("reset default zone: %w", err))
+	}
+
+	err = firewalld.Reload(ctx)
+	if err != nil {
+		return fmt.Errorf("reload firewalld: %w", err)
+	}
+
+	return
+}
+
+func ensureFirewalldECNetZone(ctx context.Context, podNetwork, serviceNetwork string) error {
+	opts := []firewalld.Option{
+		firewalld.IsPermanent(),
+		firewalld.WithZone("ec-net"),
+	}
+
+	exists, err := firewalld.ZoneExists(ctx, "ec-net")
+	if err != nil {
+		return fmt.Errorf("check if ec-net zone exists: %w", err)
+	} else if !exists {
+		err = firewalld.NewZone(ctx, "ec-net", opts...)
+		if err != nil {
+			return fmt.Errorf("create ec-net zone: %w", err)
+		}
+	}
+
+	// Set the default target to ACCEPT for pod and service networks
+	err = firewalld.SetZoneTarget(ctx, "ACCEPT", opts...)
+	if err != nil {
+		return fmt.Errorf("set target to ACCEPT: %w", err)
+	}
+
+	err = firewalld.AddSourceToZone(ctx, podNetwork, opts...)
+	if err != nil {
+		return fmt.Errorf("add pod network source: %w", err)
+	}
+
+	err = firewalld.AddSourceToZone(ctx, serviceNetwork, opts...)
+	if err != nil {
+		return fmt.Errorf("add service network source: %w", err)
+	}
+
+	// Add the calico interfaces
+	// This is redundant and overlaps with the pod network but we add it anyway
+	calicoIfaces := []string{"cali+", "tunl+", "vxlan-v6.calico", "vxlan.calico", "wg-v6.cali", "wireguard.cali"}
+	for _, iface := range calicoIfaces {
+		err = firewalld.AddInterfaceToZone(ctx, iface, opts...)
+		if err != nil {
+			return fmt.Errorf("add %s interface: %w", iface, err)
+		}
+	}
+
+	return nil
+}
+
+func resetFirewalldECNetZone(ctx context.Context) (finalErr error) {
+	opts := []firewalld.Option{
+		firewalld.IsPermanent(),
+	}
+
+	exists, err := firewalld.ZoneExists(ctx, "ec-net")
+	if err != nil {
+		return fmt.Errorf("check if ec-net zone exists: %w", err)
+	} else if !exists {
+		return nil
+	}
+
+	err = firewalld.DeleteZone(ctx, "ec-net", opts...)
+	if err != nil {
+		return fmt.Errorf("delete ec-net zone: %w", err)
+	}
+
+	return
+}
+
+func ensureFirewalldDefaultZone(ctx context.Context) error {
+	opts := []firewalld.Option{
+		firewalld.IsPermanent(),
+	}
+
+	// Allow other nodes to connect to k0s core components
+	ports := []string{"6443/tcp", "10250/tcp", "9443/tcp", "2380/tcp", "4789/udp"}
+	for _, port := range ports {
+		err := firewalld.AddPortToZone(ctx, port, opts...)
+		if err != nil {
+			return fmt.Errorf("add %s port: %w", port, err)
+		}
+	}
+
+	return nil
+}
+
+func resetFirewalldDefaultZone(ctx context.Context) (finalErr error) {
+	opts := []firewalld.Option{
+		firewalld.IsPermanent(),
+	}
+
+	ports := []string{"6443/tcp", "10250/tcp", "9443/tcp", "2380/tcp", "4789/udp"}
+	for _, port := range ports {
+		err := firewalld.RemovePortFromZone(ctx, port, opts...)
+		if err != nil {
+			finalErr = multierr.Append(finalErr, fmt.Errorf("remove %s port: %w", port, err))
+		}
+	}
+
+	return
+}

cmd/installer/cli/install.go

@@ -270,6 +270,11 @@ func runInstall(ctx context.Context, name string, flags InstallCmdFlags, metrics
 		return fmt.Errorf("unable to configure network manager: %w", err)
 	}
 
+	logrus.Debugf("configuring firewalld")
+	if err := configureFirewalld(ctx, flags.cidrCfg.PodCIDR, flags.cidrCfg.ServiceCIDR); err != nil {
+		logrus.Debugf("unable to configure firewalld: %v", err)
+	}
+
 	logrus.Debugf("running install preflights")
 	if err := runInstallPreflights(ctx, flags, metricsReporter); err != nil {
 		if errors.Is(err, preflights.ErrPreflightsHaveFail) {

cmd/installer/cli/join.go

@@ -158,6 +158,11 @@ func runJoin(ctx context.Context, name string, flags JoinCmdFlags, jcmd *kotsadm
 		return fmt.Errorf("unable to get join CIDR config: %w", err)
 	}
 
+	logrus.Debugf("configuring firewalld")
+	if err := configureFirewalld(ctx, cidrCfg.PodCIDR, cidrCfg.ServiceCIDR); err != nil {
+		logrus.Debugf("unable to configure firewalld: %v", err)
+	}
+
 	logrus.Debugf("running join preflights")
 	if err := runJoinPreflights(ctx, jcmd, flags, cidrCfg, metricsReporter); err != nil {
 		if errors.Is(err, preflights.ErrPreflightsHaveFail) {

cmd/installer/cli/reset.go

@@ -142,6 +142,12 @@ func ResetCmd(ctx context.Context, name string) *cobra.Command {
 				return err
 			}
 
+			logrus.Debugf("Resetting firewalld...")
+			err = resetFirewalld(ctx)
+			if !checkErrPrompt(assumeYes, force, err) {
+				return fmt.Errorf("failed to reset firewalld: %w", err)
+			}
+
 			if err := helpers.RemoveAll(runtimeconfig.PathToK0sConfig()); err != nil {
 				return fmt.Errorf("failed to remove k0s config: %w", err)
 			}
@@ -214,6 +220,8 @@ func ResetCmd(ctx context.Context, name string) *cobra.Command {
 	cmd.Flags().BoolVar(&assumeYes, "yes", false, "Assume yes to all prompts.")
 	cmd.Flags().SetNormalizeFunc(normalizeNoPromptToYes)
 
+	cmd.AddCommand(ResetFirewalldCmd(ctx, name))
+
 	return cmd
 }
 

cmd/installer/cli/reset_firewalld.go

@@ -0,0 +1,44 @@
+package cli
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/replicatedhq/embedded-cluster/pkg/runtimeconfig"
+	rcutil "github.com/replicatedhq/embedded-cluster/pkg/runtimeconfig/util"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+func ResetFirewalldCmd(ctx context.Context, name string) *cobra.Command {
+	cmd := &cobra.Command{
+		Use:    "firewalld",
+		Short:  "Remove %s firewalld configuration from the current node",
+		Hidden: true,
+		PreRunE: func(cmd *cobra.Command, args []string) error {
+			if os.Getuid() != 0 {
+				return fmt.Errorf("reset firewalld command must be run as root")
+			}
+
+			rcutil.InitBestRuntimeConfig(cmd.Context())
+
+			os.Setenv("KUBECONFIG", runtimeconfig.PathToKubeConfig())
+			os.Setenv("TMPDIR", runtimeconfig.EmbeddedClusterTmpSubDir())
+
+			return nil
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			err := resetFirewalld(cmd.Context())
+			if err != nil {
+				return fmt.Errorf("failed to reset firewalld: %w", err)
+			}
+
+			logrus.Infof("Firewalld reset successfully")
+
+			return nil
+		},
+	}
+
+	return cmd
+}

cmd/installer/cli/restore.go

@@ -374,6 +374,11 @@ func runRestoreStepNew(ctx context.Context, name string, flags InstallCmdFlags,
 		return fmt.Errorf("unable to configure network manager: %w", err)
 	}
 
+	logrus.Debugf("configuring firewalld")
+	if err := configureFirewalld(ctx, flags.cidrCfg.PodCIDR, flags.cidrCfg.ServiceCIDR); err != nil {
+		logrus.Debugf("unable to configure firewalld: %v", err)
+	}
+
 	logrus.Debugf("materializing binaries")
 	if err := materializeFiles(flags.airgapBundle); err != nil {
 		return fmt.Errorf("unable to materialize binaries: %w", err)

dev/distros/dockerfiles/almalinux-8.Dockerfile

@@ -20,6 +20,7 @@ RUN dnf install -y \
   systemd-timesyncd \
   expect \
   vim \
+  firewalld \
   --allowerasing
 
 # Entrypoint for runtime configurations

e2e/install_test.go

@@ -95,6 +95,12 @@ func TestSingleNodeInstallationAlmaLinux8(t *testing.T) {
 		t.Fatalf("fail to check postupgrade state: %v: %s: %s", err, stdout, stderr)
 	}
 
+	t.Logf("%s: configuring firewalld", time.Now().Format(time.RFC3339))
+	line = []string{"firewalld-configure.sh"}
+	if stdout, stderr, err := tc.RunCommandOnNode(0, line); err != nil {
+		t.Fatalf("fail to configure firewalld: %v: %s: %s", err, stdout, stderr)
+	}
+
 	t.Logf("%s: installing embedded-cluster on node 0", time.Now().Format(time.RFC3339))
 	line = []string{"single-node-install.sh", "ui", os.Getenv("SHORT_SHA")}
 	if stdout, stderr, err := tc.RunCommandOnNode(0, line); err != nil {
@@ -111,6 +117,12 @@ func TestSingleNodeInstallationAlmaLinux8(t *testing.T) {
 		t.Fatalf("fail to check installation state: %v: %s: %s", err, stdout, stderr)
 	}
 
+	t.Logf("%s: validating firewalld", time.Now().Format(time.RFC3339))
+	line = []string{"firewalld-validate.sh"}
+	if stdout, stderr, err := tc.RunCommandOnNode(0, line); err != nil {
+		t.Fatalf("fail to validate firewalld: %v: %s: %s", err, stdout, stderr)
+	}
+
 	appUpgradeVersion := fmt.Sprintf("appver-%s-upgrade", os.Getenv("SHORT_SHA"))
 	testArgs := []string{appUpgradeVersion}
 
@@ -125,6 +137,12 @@ func TestSingleNodeInstallationAlmaLinux8(t *testing.T) {
 		t.Fatalf("fail to check postupgrade state: %v: %s: %s", err, stdout, stderr)
 	}
 
+	t.Logf("%s: resetting firewalld", time.Now().Format(time.RFC3339))
+	line = []string{"firewalld-reset.sh"}
+	if stdout, stderr, err := tc.RunCommandOnNode(0, line); err != nil {
+		t.Fatalf("fail to reset firewalld: %v: %s: %s", err, stdout, stderr)
+	}
+
 	t.Logf("%s: test complete", time.Now().Format(time.RFC3339))
 }
 

e2e/scripts/firewalld-configure.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -euxo pipefail
+
+systemctl enable --now firewalld
+
+firewall-cmd --set-default-zone=drop
+firewall-cmd --reload