Firewalld

So I’ve been playing with Fedora Workstation and Server now for a bit and they seem to be great?! Never thought I’d say that, and I’m sure Fedora’s future 100% adoption of Wayland will make it a no-go, but until then, it works!

Out of the box Fedora uses firewalld and Cockpit has an integration with Firewalld, enabling you to manage or at least view your server’s firewall from a nice little web UI.

You can set up firewalld services with these XML files and a little bit of magic:

consul.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>consul</short>
  <description>Consul is a service mesh solution providing a full featured control plane with service discovery, configuration, and segmentation functionality.</description>
  <!-- DNS: The DNS server (TCP and UDP) -->
  <port protocol="tcp" port="8600"/>
  <port protocol="udp" port="8600"/>
  <!-- HTTP: The HTTP API (TCP Only) -->
  <port protocol="tcp" port="8500"/>
  <!--  HTTPS: The HTTPs API
  <port protocol="tcp" port="8501"/>
  -->
  <!--  gRPC: The gRPC API
  <port protocol="tcp" port="8502"/>
  -->
  <!--  LAN Serf: The Serf LAN port (TCP and UDP) -->
  <port protocol="tcp" port="8301"/>
  <port protocol="udp" port="8301"/>
  <!--  Server-only Wan Serf: The Serf WAN port (TCP and UDP) -->
  <port protocol="tcp" port="8302"/>
  <port protocol="udp" port="8302"/>
  <!--  server: Server RPC address (TCP Only) -->
  <port protocol="udp" port="8300"/>
  <!-- Sidecar Proxy
  <port protocol="tcp" port="21000-21255"/>
  -->
</service>

nomad.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>nomad</short>
  <description>Nomad makes it simple for services to register themselves and to discover other services via a DNS or HTTP interface. Register external services such as SaaS providers as well.</description>
  <!-- HTTP API -->
  <port protocol="tcp" port="4646"/>
  <!-- Internal Server/Client RPC -->
  <port protocol="tcp" port="4647"/>
  <!-- Server-only LAN/WAN Gossip -->
  <port protocol="tcp" port="4648"/>
  <port protocol="udp" port="4648"/>
</service>

Some combination of the following seems to have sort of worked:

sudo firewall-cmd --permanent --new-service-from-file=consul.xml --name consul
sudo firewall-cmd --permanent --new-service-from-file=nomad.xml --name nomad
sudo firewall-cmd --permanent --add-service consul
sudo firewall-cmd --permanent --add-service nomad
sudo firewall-cmd --reload

There’s documentation on DigitalOcean that might be helpful.

This is another little helpful fella:

`1`	`firewall-cmd --runtime-to-permanent`

You can also remove the rules like this:

# Remove from next reload
sudo firewall-cmd --permanent --remove-service nomad
sudo firewall-cmd --permanent --remove-service consul
# Delete the service from being usable
sudo firewall-cmd --permanent --delete-service nomad
sudo firewall-cmd --permanent --delete-service consul
# Delete just renames them to end with '.old'
sudo rm -rf /etc/firewalld/services/*.old

Setup Hashicorp tools:

1
2

sudo dnf config-manager --add-repo https://rpm.releases.hashicorp.com/fedora/hashicorp.repo
sudo dnf install consul nomad

Replacement for /etc/consul.d/consul.hcl:

Note: encrypt is sourced from a consul cli command.

datacenter = "localdev"
data_dir = "/opt/consul"
client_addr = "0.0.0.0"
ui = true
server = true
bootstrap_expect=1
encrypt = "$(consul keygen)"

Of course if you have docker installed on this host the above configuration might not work:

`1`	`Apr 12 22:27:56 dpdk consul[7205]: ==> Multiple private IPv4 addresses found. Please configure one with 'bind' and/or 'advertise'.`

you might need something a little more robust like this:

1
2

client_addr = "{{ GetPrivateIP }}"
bind_addr = "{{ GetPrivateIP }}"

The magic here is in go-sockaddr. If you want to get fancier, be sure to escape the double quotes in your configuration.

Replacement for /etc/nomad.d/nomad.hcl:

data_dir = "/opt/nomad/data"
bind_addr = "0.0.0.0"
server {
  enabled = true
  bootstrap_expect = 1
}

This removes the default client configuration, to add it back, just add this:

1
2
3

client {
  enabled = true
}

Enable them to work on boot:

sudo systemctl enable consul
sudo systemctl enable nomad
sudo systemctl start consul
sudo systemctl start nomad

Installing docker is easy:

sudo dnf config-manager \
    --add-repo \
    https://download.docker.com/linux/fedora/docker-ce.repo
sudo dnf install docker-ce docker-ce-cli containerd.io
sudo systemctl start docker
sudo systemctl enable docker

If you’re on a dev box you might want to add yourself to the docker group so you don’t have to sudo everything:

`1`	`sudo usermod -aG docker $(whoami)`

Anyways, that’s it for today. Next up should be wireguard and then some work on an Nomad EC2 auto scaler – whereby we’ll start to augment compute in our home with compute in AWS.