Add firewalld configuration override specific to azl#15648
binujp wants to merge 6 commits into tomls/base/main
Conversation
| @@ -0,0 +1 @@ | |||
| enable firewalld.service | |||
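Review bot: this preset duplicates the `enable firewalld.service` that 90-default.preset in azurelinux-release already carries, so two preset files would now assert the same policy and can silently diverge when one of them is edited; either drop this file or add a comment stating why a package-local preset is needed in addition to the distro-wide one.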
Have you looked at the 90-default.preset in azurelinux-release; it's already enabled. I would expect presets go there.
Yes, I saw that presets all go there. My thought was: unless azurelinux configuration is available, should we enable and start firewalld? If we are sure that is the pattern we want to follow, that sounds good.
Those presets were mostly just inherited from Fedora; my recollection is that many services are preset-enabled in base Fedora, independent of product. Presumably the thinking is that a customer who doesn't want to use it can arrange not to install the package (or to remove it).
| @@ -0,0 +1,6 @@ | |||
| # We want systemd to manage all interfaces | |||
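Review bot: the comment `# We want systemd to manage all interfaces` should say systemd-networkd and state the scope of the match, because a catch-all `.network` file that puts every interface on DHCP is a security-relevant default on hosts with several NICs in different networks (the DMZ case raised in this thread); a reader of the file should see that this is deliberate and what an administrator has to do to exempt an interface.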
@ddstreetmicrosoft I believe you had some input on the right approach here, what other distros typically do, etc.?
The most robust approach is to let one framework manage all interfaces. Given we are considering only azure cloud deployments I would rather not complicate things. I see there may be cases where the machine is in a DMZ zone and can have NICs in different networks. Let us consider those as special cases to be handled by the customer.
Ah, I should have clarified. My question was more around blanket DHCP enablement -- not having systemd-networkd manage the network interfaces.
| <!-- | ||
| <users> | ||
| <user name="root" password="INSERT-PASSWORD-HERE" groups="root" /> | ||
| <user name="root" password="INSERT-PASSWORD-HERE" groups="root" /> |
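Review bot: the commented-out `<user name="root" password="INSERT-PASSWORD-HERE" groups="root" />` block should be deleted rather than left in the image definition as a template: a placeholder that invites a plaintext root password into a version-controlled kiwi description is exactly the line that gets filled in by accident, and as the thread notes, user accounts and credentials are meant to be injected at boot through cloud-init, not baked into the image.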
Please remove these changes; you should be able to use cloud-init config to inject user account configs / credentials (e.g., via azldev image boot).
I'm happy to chat separately to get you unblocked with that.
| @@ -1,10 +1,10 @@ | |||
| [images.vm-base] | |||
Are you up to date with the target branch? These comments were removed last week.
I did rebase, this change was on top of my other PR #15599. Maybe that messed this up? I will check.
| # | ||
| # NOTE: This script is a throwaway script. Please think ~~twice~~ thrice before you | ||
| # consider adding anything to it. | ||
| # consider adding anything to it. Let us push all dev-tooling into azldev. |
|
|
||
| %install | ||
| install -d %{buildroot}%{_sysconfdir}/systemd/network | ||
| install -m 644 %{_sourcedir}/50-default.network %{buildroot}%{_sysconfdir}/systemd/network/50-default.network |
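Review bot: `install -m 644 %{_sourcedir}/50-default.network ...` should reference the file by its `%{SOURCE#}` macro (the Fedora guideline linked in this thread): a renamed Source entry still builds locally because the old file is still in the source dir, but the SRPM then ships the wrong file. Separately, this is a distro default rather than an administrator edit, so it belongs under `%{_prefix}/lib/systemd/network` instead of `%{_sysconfdir}/systemd/network`, leaving /etc free for an admin override of the same name. Suggested, assuming 50-default.network is Source0: `install -d %{buildroot}%{_prefix}/lib/systemd/network` and `install -m 644 %{SOURCE0} %{buildroot}%{_prefix}/lib/systemd/network/50-default.network`.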
Please see https://docs.fedoraproject.org/en-US/packaging-guidelines/RPM_Source_Dir/
Packages which use files itemized as Source# files, must refer to those files by their %{SOURCE#} macro name, and must not use $RPM_SOURCE_DIR or %{_sourcedir} to refer to those files.
This is done to ensure that Fedora SRPMS are properly generated. If a Source# item is renamed, a spec which refers to its old name may succeed locally (because the file is still in %{_sourcedir} along with the new file), but the proper file will not be included in the SRPM.
TIL something, thanks Reuben!
| BuildArch: noarch | ||
|
|
||
| %description | ||
| Provides AZL specifc configuration overrides via sub-packages. These sub-packages will be pulled in by the relevant owning packages via reverse dependencies. |
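Review bot: typo in the %description, `specifc` should be `specific`; and "pulled in by the relevant owning packages via reverse dependencies" should name the actual mechanism (which dependency tag, on which package), since someone reading `rpm -qi` output cannot tell from this sentence whether installing firewalld on its own will bring the override in or whether it has to be requested explicitly.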
Pull request overview
This PR introduces firewalld configuration support for Azure Linux, establishing a zero-trust security posture for VM deployments. The changes enable firewalld with nftables backend and an Azure Linux-specific zone policy that only allows SSH access by default.
Changes:
- Added `azurelinux-config` meta-package with `firewalld` and `systemd-networkd` sub-packages for distro-specific configurations
- Integrated firewalld into the VM base image with Azure Linux zone policy restricting access to SSH only
- Enhanced demo build script to support VM image building and testing with QEMU
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| scripts/demo-build.sh | Extended script to support VM image building, QEMU booting, and added validation checks for prerequisites |
| distro/azurelinux.distro.toml | Updated RHEL compatibility version from 10 to 11 |
| base/images/vm-base/vm-base.kiwi | Added firewalld packages, increased disk size, and enabled systemd networkd configuration |
| base/images/images.toml | Uncommented vm-base image definition to enable VM builds |
| base/comps/components.toml | Registered firewalld component |
| base/comps/azurelinux-config/firewalld-azurelinux.conf | Added comprehensive firewalld configuration with nftables backend and security settings |
| base/comps/azurelinux-config/azurelinux-firewalld-zone.xml | Defined Azure Linux firewall zone with SSH-only access policy |
| base/comps/azurelinux-config/azurelinux-config.spec | Created spec file for azurelinux-config meta-package with firewalld and systemd-networkd sub-packages |
| base/comps/azurelinux-config/azurelinux-config.comp.toml | Added component definition for azurelinux-config |
| base/comps/azurelinux-config/50-default.network | Added systemd-networkd configuration to manage all interfaces with DHCP |
| ln -sf %{_sysconfdir}/firewalld/firewalld-azurelinux.conf %{_sysconfdir}/firewalld/firewalld.conf | ||
|
|
||
| %postun firewalld | ||
| ln -sf %{_sysconfdir}/firewalld/firewalld-standard.conf %{_sysconfdir}/firewalld/firewalld.conf |
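Review bot: the `%postun firewalld` scriptlet runs on upgrade as well as on removal, and during an upgrade RPM runs the new package's %post before the old package's %postun, so this unconditional `ln -sf ... firewalld-standard.conf ... firewalld.conf` flips the daemon back to the standard configuration on every upgrade of the sub-package, right after the new %post pointed it at firewalld-azurelinux.conf. Guard it with `if [ $1 -eq 0 ]; then ... fi` so it only runs on final erase, in addition to checking that the target file exists. More broadly, replacing `%{_sysconfdir}/firewalld/firewalld.conf` with a symlink in %post overwrites whatever an administrator has already put in that file; shipping the override under /usr/lib, as suggested elsewhere in this review, avoids touching the admin-owned file at all.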
The %postun script references 'firewalld-standard.conf' which may not exist. When the package is uninstalled, this symlink creation will fail if the target file doesn't exist. Consider verifying the file exists or using a conditional check before creating the symlink.
| ln -sf %{_sysconfdir}/firewalld/firewalld-standard.conf %{_sysconfdir}/firewalld/firewalld.conf | |
| if [ -f %{_sysconfdir}/firewalld/firewalld-standard.conf ]; then | |
| ln -sf %{_sysconfdir}/firewalld/firewalld-standard.conf %{_sysconfdir}/firewalld/firewalld.conf | |
| fi |
| %description firewalld | ||
| Provides Azure Linux specific policies and zones for firewalld. | ||
|
|
||
| %install |
as with the other PR, distro-provided files should go into /usr/lib; the /etc dir is generally for users/admins
| @@ -0,0 +1,121 @@ | |||
| # firewalld config file | |||
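Review bot: a 121-line firewalld.conf that restates every parameter will mask upstream default changes on each firewalld update and buries the security-relevant deltas (the nftables backend and the default zone the summary describes) among lines that are identical to the packaged default; ship only the keys that differ, each with a comment saying why it differs, which also answers the request in this thread for a per-parameter justification.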
I would greatly like to see a PR with individual commits for every single configuration parameter added here, with specific explanation for why we need to add the config
| [components.file] | ||
| [components.filesystem] | ||
| [components.findutils] | ||
| [components.firewalld] |
Is this PR both adding the firewalld package itself, and adding azl-specific config in a separate package? IMHO simply adding firewalld should be completely separate - that should be simple to review/commit.
| format="vhdx" | ||
| initrd_system="dracut" | ||
| filesystem="ext4" | ||
| kernelcmdline="console=ttyS0 rd.shell=0 systemd.getty_auto=false" |
what do these changes have to do with firewalld configuration overrides?
Similar to my comment in the networkd pr, I set up a branch that I think logically breaks up this pr into parts, specifically: feat: add firewalld package to kiwi vm-base definition i put both of these in a separate pr update gitignore file these 2 are also in the network pr; i think the gitignore change can wait for @binujp to get back, and the rhel version bump needs explanation uncomment kiwi vm xml to add definition for root user this shouldn't be merged, in fact i think the root user definition (even though it's commented out) needs to be removed from the file add azurelinux-config spec file with a definition for azurelinux-config-firewalld this defines the add systemd-networkd config to azurelinux-config package this seems to be carried over from the networkd pr, and doesn't belong in this pr feat: add azurelinux-config packages to kiwi vm-base definition since I don't think we should create the same opinion as the other pr; don't update this script, as it should be removed
I rebased my branch so the links in the previous comment are stale, but you can go directly to my branch to see the commits:
Ok, after comparing the I think we should close this PR and go with the firewalld defaults as currently provided. Closing the
I opened pr #15740 to remove mdns from the public zone, and am closing this pr
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
- … `*-static` subpackages, etc.) have had their `Release` tag incremented.
- … (`./cgmanifest.json`, `./toolkit/scripts/toolchain/cgmanifest.json`, `.github/workflows/cgmanifest.json`)
- … (`./LICENSES-AND-NOTICES/SPECS/data/licenses.json`, `./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md`, `./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON`)
- … `*.signatures.json` files
- … `sudo make go-tidy-all` and `sudo make go-test-coverage` pass
Summary
What does the PR accomplish, why was it needed?
Firewalld configuration is driven by a top-level config file, then zones tied to some or all interfaces, and the zone configuration itself has the rules for the net filters. We are using nftables and an azurelinux zone policy which opens only the ssh and, optionally, the dhcpv6-client port. This change adds a sub-package to azurelinux-config which enables all that.
Change Log
Does this affect the toolchain?
YES/NO
Associated issues
Links to CVEs
Test Methodology
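The Summary describes the layering firewalld uses: the top-level firewalld.conf selects the backend and the default zone, and the zone file holds the services and ports that are actually opened. The audit below is an added example, not code from this PR or from Azure Linux. It parses a zone file and a firewalld.conf fragment, reports what the zone exposes, and checks both against the SSH-plus-dhcpv6-client posture the Summary describes. The zone XML, the conf text, the zone name `azurelinux` and the function names are all constructed for this example.

```python
"""Audit a firewalld zone file and firewalld.conf against an intended policy.

Added example, not code from the PR. The zone XML and conf fragment below are
constructed to match the policy the PR summary describes: nftables backend and a
default zone that opens only ssh and dhcpv6-client.
"""
import configparser
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a firewalld zone file (not the PR's file).
ZONE_XML = """<zone>
  <short>Azure Linux</short>
  <description>Constructed sample zone: SSH and DHCPv6 client only.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
"""

# Constructed sample: only the keys that differ from firewalld's packaged default.
FIREWALLD_CONF = """# constructed sample firewalld.conf fragment
DefaultZone=azurelinux
FirewallBackend=nftables
"""


def zone_exposure(zone_xml: str) -> dict:
    """Summarise what a zone opens: named services, raw ports, forward-ports,
    rich rules, whether the zone target is ACCEPT, and whether it masquerades."""
    root = ET.fromstring(zone_xml)
    return {
        "services": sorted(s.get("name") for s in root.findall("service")),
        "ports": sorted(f'{p.get("port")}/{p.get("protocol")}' for p in root.findall("port")),
        "forward_ports": len(root.findall("forward-port")),
        "rich_rules": len(root.findall("rule")),
        "accept_all": root.get("target") == "ACCEPT",
        "masquerade": root.find("masquerade") is not None,
    }


def load_firewalld_conf(text: str) -> dict:
    """firewalld.conf is KEY=value with no section header, so wrap it for configparser."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string("[firewalld]\n" + text)
    return dict(cp["firewalld"])


def policy_violations(zone_xml: str, conf_text: str,
                      allowed_services=("ssh", "dhcpv6-client"),
                      expected_zone="azurelinux") -> list:
    """Return human-readable findings where the files deviate from the intended
    posture; an empty list means zone and conf match the policy."""
    findings = []
    exp = zone_exposure(zone_xml)
    conf = load_firewalld_conf(conf_text)
    extra = sorted(set(exp["services"]) - set(allowed_services))
    if extra:
        findings.append(f"unexpected services opened: {', '.join(extra)}")
    if exp["ports"]:
        findings.append(f"raw ports opened: {', '.join(exp['ports'])}")
    if exp["forward_ports"] or exp["masquerade"]:
        findings.append("zone forwards or masquerades traffic")
    if exp["accept_all"]:
        findings.append("zone target is ACCEPT (allows everything not explicitly rejected)")
    if conf.get("FirewallBackend") != "nftables":
        findings.append(f"FirewallBackend is {conf.get('FirewallBackend')!r}, expected 'nftables'")
    if conf.get("DefaultZone") != expected_zone:
        findings.append(f"DefaultZone is {conf.get('DefaultZone')!r}, expected {expected_zone!r}")
    return findings


if __name__ == "__main__":
    print(zone_exposure(ZONE_XML))
    print(policy_violations(ZONE_XML, FIREWALLD_CONF) or "zone and conf match the intended policy")
```

Pointed at the real files (zone XML from `/etc/firewalld/zones/` or the packaged copies under `/usr/lib/firewalld/zones/`, plus firewalld.conf), the check catches the kind of drift the follow-up about mdns in the public zone points at: any service outside the allowed set, any raw port, a forward-port or masquerade element, or a zone whose target is ACCEPT shows up as a finding, as does a conf that still selects a different backend or default zone.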