introduce firewall stage (#61)

as described in lorax documentation, we need to support raw ports/protocols and services as defined by firewalld: https://weldr.io/lorax/lorax-composer.html#customizations-firewall
2019-08-07 09:34:22 +02:00 · 2019-08-07 09:34:22 +02:00 · dc1466eeca
commit dc1466eeca
parent 9371eb9eaa
3 changed files with 89 additions and 2 deletions
--- a/stages/org.osbuild.firewall
+++ b/stages/org.osbuild.firewall
@ -0,0 +1,31 @@
+#!/usr/bin/python3
+
+import json
+import subprocess
+import sys
+
+
+def main(tree, options):
+    # Takes a list of <port|application protocol>:<transport protocol> pairs
+    ports = options["ports"]
+    # These must be defined for firewalld. It has a set of pre-defined services here: /usr/lib/firewalld/services/, but
+    # you can also define you own XML files in /etc/firewalld.
+    enabled_services = options["enabled_services"]
+    disabled_services = options["disabled_services"]
+
+    # firewall-offline-cmd does not implement --root option so we must chroot it
+    subprocess.run(["chroot",
+                    tree,
+                    "firewall-offline-cmd"] +
+                   list(map(lambda x: f"--port={x}", ports)) +
+                   list(map(lambda x: f"--service={x}", enabled_services)) +
+                   list(map(lambda x: f"--remove-service={x}", disabled_services)),
+                   check=True)
+
+    return 0
+
+
+if __name__ == '__main__':
+    args = json.load(sys.stdin)
+    r = main(args["tree"], args["options"])
+    sys.exit(r)