Add firewalld configuration override specific to azl

.gitignore

@@ -1,2 +1,3 @@
 build/
 out/
+[\.]*~

base/comps/azurelinux-config/50-default.network

@@ -0,0 +1,6 @@
+# We want systemd to manage all interfaces
+[Match]
+Name=*
+
+[Network]
+DHCP=yes

base/comps/azurelinux-config/azurelinux-config.comp.toml

@@ -0,0 +1,2 @@
+[components.azurelinux-config]
+spec = { type = "local", path = "azurelinux-config.spec" }

base/comps/azurelinux-config/azurelinux-config.spec

@@ -0,0 +1,60 @@
+%define is_development 1
+
+Summary:        Azure Linux configuration override meta-package
+Name:           azurelinux-config
+Version:        4.0
+Release:        %autorelease %[0%{?is_development} ? "-p" : ""]
+License:        MIT
+URL:            https://aka.ms/azurelinux
+
+Source1:        50-default.network
+Source2:        azurelinux-firewalld-zone.xml
+Source3:        firewalld-azurelinux.conf
+
+BuildArch:      noarch
+
+%description
+Provides AZL specific configuration overrides via sub-packages. These sub-packages will be pulled in by the relevant owning packages via reverse dependencies.
+
+
+%package systemd-networkd
+Summary:        Azure Linux specific configuration for systemd-networkd.
+Requires:       systemd-networkd
+# This is a reverse dependency to make systemd-networkd pull-in this package.
+# It is still experimental. Consider this as a placeholder.
+Supplements:    systemd-networkd
+
+%description systemd-networkd
+Provides systemd-networkd configuration installed at /etc/systemd/network which asks systemd to manage all interfaces on the system.
+
+%package firewalld
+Summary:        Azure Linux firewall policies
+Requires:       firewalld
+Supplements:    firewalld
+
+%description firewalld
+Provides Azure Linux specific policies and zones for firewalld. 
+
+%install
+install -d %{buildroot}%{_sysconfdir}/systemd/network
+install -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/systemd/network/50-default.network
+install -d %{buildroot}%{_sysconfdir}/firewalld/zones
+install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/firewalld/zones/azurelinux.xml
+install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/firewalld/firewalld-azurelinux.conf
+
+# We need the post/postun symlink to avoid littering /etc/firewalld with rpm save files.
+%post firewalld
+ln -sf %{_sysconfdir}/firewalld/firewalld-azurelinux.conf %{_sysconfdir}/firewalld/firewalld.conf
+
+%postun firewalld
+ln -sf %{_sysconfdir}/firewalld/firewalld-standard.conf %{_sysconfdir}/firewalld/firewalld.conf
+
+%files systemd-networkd
+%config(noreplace) /etc/systemd/network/50-default.network
+
+%files firewalld
+%config(noreplace) /etc/firewalld/zones/azurelinux.xml
+%config(noreplace) /etc/firewalld/firewalld-azurelinux.conf
+
+%changelog
+%autochangelog

base/comps/azurelinux-config/azurelinux-firewalld-zone.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+  <short>azurelinux</short>
+  <description>For use in azure cloud vms with zero trust policy. Only ssh is allowed by default. If we need dynamic IPv6 addressing dhcpv6-client will have to be enabled.</description>
+  <service name="ssh"/>
+  <!--
+  <service name="dhcpv6-client"/>
+  -->
+  <forward/>
+</zone>

base/comps/azurelinux-config/firewalld-azurelinux.conf

@@ -0,0 +1,121 @@
+# firewalld config file
+
+# default zone
+# The default zone used if an empty zone string is used.
+# Default: public
+DefaultZone=azurelinux
+
+# Clean up on exit
+# If set to no or false the firewall configuration will not get cleaned up
+# on exit or stop of firewalld.
+# Default: yes
+CleanupOnExit=yes
+
+# Clean up kernel modules on exit
+# If set to yes or true the firewall related kernel modules will be
+# unloaded on exit or stop of firewalld. This might attempt to unload
+# modules not originally loaded by firewalld.
+# Default: no
+CleanupModulesOnExit=no
+
+# IPv6_rpfilter
+# Performs reverse path filtering (RPF) on IPv6 packets as per RFC 3704.
+# Possible values:
+#   - strict: Performs "strict" filtering as per RFC 3704. This check
+#             verifies that the in ingress interface is the same interface
+#             that would be used to send a packet reply to the source. That
+#             is, ingress == egress.      
+#   - loose: Performs "loose" filtering as per RFC 3704. This check only
+#            verifies that there is a route back to the source through any
+#            interface; even if it's not the same one on which the packet
+#            arrived.
+#   - strict-forward: This is almost identical to "strict", but does not perform
+#                     RPF for packets targeted to the host (INPUT).
+#   - loose-forward: This is almost identical to "loose", but does not perform
+#                    RPF for packets targeted to the host (INPUT).
+#   - no: RPF is completely disabled.
+#
+# The rp_filter for IPv4 is controlled using sysctl.
+# Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
+# for details.
+# Default: strict
+IPv6_rpfilter=strict
+
+# IndividualCalls
+# Do not use combined -restore calls, but individual calls. This increases the
+# time that is needed to apply changes and to start the daemon, but is good for
+# debugging.
+# Default: no
+IndividualCalls=no
+
+# LogDenied
+# Add logging rules right before reject and drop rules in the INPUT, FORWARD
+# and OUTPUT chains for the default rules and also final reject and drop rules
+# in zones. Possible values are: all, unicast, broadcast, multicast and off.
+# Default: off
+LogDenied=off
+
+# FirewallBackend
+# Selects the firewall backend implementation.
+# Choices are:
+#	- nftables (default)
+#	- iptables (iptables, ip6tables, ebtables and ipset)
+# Note: The iptables backend is deprecated. It will be removed in a future
+# release.
+FirewallBackend=nftables
+
+# FlushAllOnReload
+# Flush all runtime rules on a reload. In previous releases some runtime
+# configuration was retained during a reload, namely; interface to zone
+# assignment, and direct rules. This was confusing to users. To get the old
+# behavior set this to "no".
+# Default: yes
+FlushAllOnReload=yes
+
+# ReloadPolicy
+# Policy during reload. By default all traffic except for established
+# connections is dropped while the rules are updated. Set to "DROP", "REJECT"
+# or "ACCEPT". Alternatively, specify it per table, like
+# "OUTPUT:ACCEPT,INPUT:DROP,FORWARD:REJECT".
+# Default: ReloadPolicy=INPUT:DROP,FORWARD:DROP,OUTPUT:DROP
+ReloadPolicy=INPUT:DROP,FORWARD:DROP,OUTPUT:DROP
+
+# RFC3964_IPv4
+# As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
+# correspond to IPv4 addresses that should not be routed over the public
+# internet.
+# Defaults to "yes".
+RFC3964_IPv4=yes
+
+# StrictForwardPorts
+# If set to yes, the generated destination NAT (DNAT) rules will NOT accept
+# traffic that was DNAT'd by other entities, e.g. docker. Firewalld will be
+# strict and not allow published container ports until they're explicitly
+# allowed via firewalld.
+# If set to no, then docker (and podman) integrates seamlessly with firewalld.
+# Published container ports are implicitly allowed.
+# Defaults to "no".
+StrictForwardPorts=no
+
+# NftablesFlowtable
+# This may improve forwarded traffic throughput by enabling nftables flowtable.
+# It is a software fastpath and avoids calling nftables rule evaluation for
+# data packets. This only works for TCP and UDP traffic.
+# The value is a space separated list of interfaces.
+# Example value "eth0 eth1".
+# Defaults to "off".
+NftablesFlowtable=off
+
+# NftablesCounters
+# If set to yes, add a counter to every nftables rule. This is useful for
+# debugging and comes with a small performance cost.
+# Defaults to "no".
+NftablesCounters=no
+
+# NftablesTableOwner
+# If set to yes, the generated nftables rule set will be owned exclusively by
+# firewalld. This prevents other entities from mistakenly (or maliciously)
+# modifying firewalld's rule set. If you intentionally modify firewalld's
+# rules, then you will have to set this to "no".
+# Defaults to "yes".
+NftablesTableOwner=yes

base/comps/components.toml

@@ -57,6 +57,7 @@ spec = { type = "upstream", upstream-distro = { name = "fedora", version = "rawh
 [components.file]
 [components.filesystem]
 [components.findutils]
+[components.firewalld]
 [components.fonts-rpm-macros]
 [components.fstrm]
 [components.fuse]

base/images/images.toml

@@ -1,6 +1,6 @@
-# [images.vm-base]
-# description = "VM Base Image"
-# definition = { type = "kiwi", path = "vm-base/vm-base.kiwi" }
+[images.vm-base]
+description = "VM Base Image"
+definition = { type = "kiwi", path = "vm-base/vm-base.kiwi" }
 
 # [images.container-base]
 # description = "Container Base Image"

base/images/vm-base/vm-base.kiwi

@@ -18,14 +18,14 @@
             format="vhdx"
             initrd_system="dracut"
             filesystem="ext4"
-            kernelcmdline="console=ttyS0 rd.shell=0 systemd.getty_auto=false"
+            kernelcmdline="console=ttyS0 rd.shell=0"
             firmware="uefi"
             overlayroot="false"
             eficsm="false"
             bootpartition="false"
             efipartsize="200">
             <bootloader name="systemd_boot" timeout="0" />
-            <size unit="G">2</size>
+            <size unit="G">4</size>
             <initrd action="setup">
                 <dracut uefi="true"/>
             </initrd>
@@ -56,6 +56,8 @@
         <package name="dnf" />
         <package name="dracut-config-generic" />
         <package name="dracut-kiwi-oem-repart"/>
+        <package name="firewalld"/>
+        <package name="azurelinux-config-firewalld"/>
         <package name="glibc-langpack-en" />
         <package name="glibc-locale-source" />
         <package name="glibc-minimal-langpack" />
@@ -86,7 +88,7 @@
         <package name="sudo" />
         <package name="systemd-boot" />
         <package name="systemd-networkd" />
-        <package name="systemd-resolved" />
+        <package name="azurelinux-config-systemd-networkd" />
         <package name="systemd-resolved" />
         <package name="systemd" />
         <package name="tar" />
@@ -114,9 +116,7 @@
         <package name="system-release" />
     </packages>
 
-    <!--
     <users>
-        <user name="root" password="INSERT-PASSWORD-HERE" groups="root" />
+          <user name="root" password="INSERT-PASSWORD-HERE" groups="root" />
     </users>
-    -->
-</image>
+</image>

distro/azurelinux.distro.toml

@@ -15,4 +15,4 @@ spec = { type = "upstream", upstream-distro = { name = "fedora", version = "43"
 dist = ".azl4"
 vendor = "Microsoft Corporation"
 distribution = "Azure Linux"
-rhel = "10"
+rhel = "11"

scripts/demo-build.sh

@@ -1,9 +1,14 @@
 #!/bin/bash
-set -euxo pipefail
+set -euo pipefail
+exec 3> ./demo-build.trc
+BASH_XTRACEFD=3
+set -x
+
+echo -e "\e[0;33mbash trace, -x output is in ./demo-build.trc\e[0m"
 
 #
 # NOTE: This script is a throwaway script. Please think ~~twice~~ thrice before you
-# consider adding anything to it.
+# consider adding anything to it. Let us push all dev-tooling into azldev.
 #
 
 # Confirm working dir.
@@ -13,29 +18,75 @@ if [ ! -f azldev.toml ]; then
 fi
 
 # Check prereqs.
-for prereq in azldev kiwi createrepo_c docker; do
+for prereq in azldev kiwi createrepo_c docker mock qemu-system-x86_64 ; do
     if ! command -v $prereq >/dev/null 2>&1; then
         echo "ERROR: Missing prerequisite '$prereq'." >&2
         exit 1
     fi
 done
 
-# Build azurelinux-rpm-config to generate system macros, etc.
+if [ "$(getenforce)" != "Permissive" ] ; then
+    echo "SElinux is not set to 'Permissive'."
+    echo "That is required for kiwi to build images, aborting."
+    exit 1
+fi
+
+if [[ "$#" -ne 1 || ! "$1" =~ container|vm|vm-boot ]] ; then
+    echo "Usage: $0 <container|vm|vm-boot>"
+    echo "Build container or vm image, or build vm image and boot with qemu."
+    exit 1
+fi
+
+image_type="$1"
+echo "Building a \"$image_type\" image"
+
+# Build azurelinux-rpm-config to generate systemd macros, etc.
 azldev comp build azurelinux-rpm-config && createrepo_c ./base/out
+
 # Build azurelinux-release and azurelinux-repos to provide repo files and release info.
 # They require the rpm-config package to be built first.
 azldev comp build azurelinux-release --local-repo ./base/out && createrepo_c ./base/out
 azldev comp build azurelinux-repos --local-repo ./base/out && createrepo_c ./base/out
+azldev comp build azurelinux-config --local-repo ./base/out && createrepo_c ./base/out
+
 # Build rpm to ensure the azl-specific vendor tag is configured.
 azldev comp build rpm --local-repo ./base/out && createrepo_c ./base/out
-# Build a base container image using these private RPMs and upstream Fedora packages.
-sudo kiwi --loglevel 10 \
-    --kiwi-file container-base.kiwi \
-    system build \
-    --description ./base/images/container-base \
-    --target-dir ./base/out/images \
-    --add-repo="file:///$PWD/base/out,rpm-md,azl,1"
-
-# Run a command in the container to verify.
-xzcat ./base/out/images/azl4-container-base.x86_64-0.1.docker.tar.xz | docker load
-docker run -it --rm microsoft/azurelinux/base/core:4.0 cat /etc/os-release
+
+function build_container_image() {
+    # Build a base container image using these private RPMs and upstream Fedora packages.
+    sudo kiwi --loglevel 10 \
+         --kiwi-file container-base.kiwi \
+         system build \
+         --description ./base/images/container-base \
+         --target-dir ./base/out/images \
+         --add-repo="file:///$PWD/base/out,rpm-md,azl,1"
+
+    # Run a command in the container to verify.
+    xzcat ./base/out/images/azl4-container-base.x86_64-0.1.docker.tar.xz | docker load
+    docker run -it --rm microsoft/azurelinux/base/core:4.0 cat /etc/os-release
+}
+
+function build_vm_image() {
+    # Build the VM image using kiwi via azldev 
+    azldev image build vm-base --local-repo base/out
+}
+
+function boot_vm() {
+    # boot QEMU VM, C-a x to quit. VM port 22 is forwarded to host:2222
+    echo "Launching VM from image 'vm-base', type 'C-a x' to quit."
+    echo "Login as user/pass: 'test/${1}': ssh -p 8888 test@localhost"
+    azldev image boot vm-base --test-password "${1}"
+}
+
+if [[ "$image_type" == "container" ]] ; then
+    build_container_image
+elif [[ "$image_type" == "vm" || "$image_type" == "vm-boot" ]] ; then
+    # You may need this cleanup until azldev is fixed:
+    # sudo rm -rf $(git rev-parse --show-toplevel)/base/out/images
+    build_vm_image
+    if [[ "$image_type" == "vm-boot" ]] ; then
+	boot_vm "$(mktemp -u XXXXXX)"
+    fi
+else
+    echo "Unknown image type '$image_type'"
+fi