openshift · openshift-merge-bot · Dec 10, 2024 · Dec 4, 2024 · Dec 4, 2024 · Dec 4, 2024
diff --git a/docs/config/Containerfile.bootc-rhel9 b/docs/config/Containerfile.bootc-rhel9
@@ -21,8 +21,9 @@ RUN useradd -m -d /var/home/redhat -G wheel redhat && \
 # Mandatory firewall configuration
 RUN firewall-offline-cmd --zone=public --add-port=22/tcp && \
     firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16 && \
-    firewall-offline-cmd --zone=trusted --add-source=169.254.169.1
-# Application-specific firewall configuration
+    firewall-offline-cmd --zone=trusted --add-source=169.254.169.1 && \
+    firewall-offline-cmd --zone=trusted --add-source=fd01::/48
+    # Application-specific firewall configuration
 RUN firewall-offline-cmd --zone=public --add-port=80/tcp && \
     firewall-offline-cmd --zone=public --add-port=443/tcp && \
     firewall-offline-cmd --zone=public --add-port=30000-32767/tcp && \

diff --git a/docs/contributor/network/host_networking.md b/docs/contributor/network/host_networking.md
@@ -330,11 +330,12 @@ Some ovn-kubernetes traffic needs to be explicitly allowed when `firewalld` serv
 - Pod to host
 - Pod to host service (kubernetes service backed by host endpoints)
 
-Insert and reload the following firewall rules to allow these ovn-kubernetes traffic:
+Insert and reload the following firewall rules to allow these ovn-kubernetes traffic (note the `clusterNetwork` must be added to the rules, this example shows defaults):
 
 ```text
 sudo firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16
 sudo firewall-cmd --permanent --zone=trusted --add-source=169.254.169.1
+sudo firewall-cmd --permanent --zone=trusted --add-source=fd01::/48
 sudo firewall-cmd --reload
 ```
 

diff --git a/docs/user/howto_firewall.md b/docs/user/howto_firewall.md
@@ -23,16 +23,19 @@ The following ports are optional and they should be considered for MicroShift if
 
 ## Firewalld
 The following commands can be used for enabling `firewalld` and opening all the above mentioned source IP addresses and ports.
-> Use the appropriate pod IP range if it is different from the default `10.42.0.0/16` setting.
+> Use the appropriate pod IPv4 range if it is different from the default `10.42.0.0/16` setting.
+> Use the appropriate pod IPv6 range if it is different from `fd01::/48`.
+> If you are not using IPv6 the corresponding rule is not enforced and does not have an impact in networking.
 
 > Use the appropriate optional settings when requiring external access to services running on MicroShift (e.g. port 6443 for api server, ports 80 and 443 for applications exposed through the router, mdns service for receiving mdns query etc.).
 
 ```bash
 sudo dnf install -y firewalld
 sudo systemctl enable firewalld --now
 # Mandatory settings
-sudo firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16 
+sudo firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16
 sudo firewall-cmd --permanent --zone=trusted --add-source=169.254.169.1
+sudo firewall-cmd --permanent --zone=trusted --add-source=fd01::/48
 sudo firewall-cmd --reload
 # Optional settings
 sudo firewall-cmd --permanent --zone=public --add-port=80/tcp

diff --git a/scripts/devenv-builder/configure-vm.sh b/scripts/devenv-builder/configure-vm.sh
@@ -286,6 +286,7 @@ if ${BUILD_AND_RUN} || ${FORCE_FIREWALL}; then
     sudo systemctl enable firewalld --now
     sudo firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16
     sudo firewall-cmd --permanent --zone=trusted --add-source=169.254.169.1
+    sudo firewall-cmd --permanent --zone=trusted --add-source=fd01::/48
     sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
     sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
     sudo firewall-cmd --permanent --zone=public --add-port=5353/udp

diff --git a/test/bin/scenario.sh b/test/bin/scenario.sh
@@ -798,6 +798,7 @@ configure_vm_firewall() {
     # - On-host pod communication
     run_command_on_vm "${vmname}" "sudo firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16"
     run_command_on_vm "${vmname}" "sudo firewall-cmd --permanent --zone=trusted --add-source=169.254.169.1"
+    run_command_on_vm "${vmname}" "sudo firewall-cmd --permanent --zone=trusted --add-source=fd01::/48"
 
     # Networking / firewall configuration instructions
     # - Incoming for the router

diff --git a/test/image-blueprints-bootc/layer1-base/group2/rhel94-bootc-crel-optionals.containerfile b/test/image-blueprints-bootc/layer1-base/group2/rhel94-bootc-crel-optionals.containerfile
@@ -23,6 +23,7 @@ RUN printf "\nMICROSHIFT_WAIT_TIMEOUT_SEC=600\n" >> /etc/greenboot/greenboot.con
 RUN firewall-offline-cmd --zone=public --add-port=22/tcp && \
     firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16 && \
     firewall-offline-cmd --zone=trusted --add-source=169.254.169.1 && \
+    firewall-offline-cmd --zone=trusted --add-source=fd01::/48 && \
     firewall-offline-cmd --zone=public --add-port=80/tcp && \
     firewall-offline-cmd --zone=public --add-port=443/tcp && \
     firewall-offline-cmd --zone=public --add-port=5353/udp && \

diff --git a/test/image-blueprints-bootc/layer1-base/group2/rhel94-bootc-crel.containerfile b/test/image-blueprints-bootc/layer1-base/group2/rhel94-bootc-crel.containerfile
@@ -21,6 +21,7 @@ RUN printf "\nMICROSHIFT_WAIT_TIMEOUT_SEC=600\n" >> /etc/greenboot/greenboot.con
 RUN firewall-offline-cmd --zone=public --add-port=22/tcp && \
     firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16 && \
     firewall-offline-cmd --zone=trusted --add-source=169.254.169.1 && \
+    firewall-offline-cmd --zone=trusted --add-source=fd01::/48 && \
     firewall-offline-cmd --zone=public --add-port=80/tcp && \
     firewall-offline-cmd --zone=public --add-port=443/tcp && \
     firewall-offline-cmd --zone=public --add-port=5353/udp && \

diff --git a/test/image-blueprints-bootc/layer1-base/group2/rhel94-bootc-prel.containerfile b/test/image-blueprints-bootc/layer1-base/group2/rhel94-bootc-prel.containerfile
@@ -21,6 +21,7 @@ RUN printf "\nMICROSHIFT_WAIT_TIMEOUT_SEC=600\n" >> /etc/greenboot/greenboot.con
 RUN firewall-offline-cmd --zone=public --add-port=22/tcp && \
     firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16 && \
     firewall-offline-cmd --zone=trusted --add-source=169.254.169.1 && \
+    firewall-offline-cmd --zone=trusted --add-source=fd01::/48 && \
     firewall-offline-cmd --zone=public --add-port=80/tcp && \
     firewall-offline-cmd --zone=public --add-port=443/tcp && \
     firewall-offline-cmd --zone=public --add-port=5353/udp && \

diff --git a/test/image-blueprints-bootc/layer2-source/group1/cos9-bootc-source.containerfile b/test/image-blueprints-bootc/layer2-source/group1/cos9-bootc-source.containerfile
@@ -29,6 +29,7 @@ RUN printf "\nMICROSHIFT_WAIT_TIMEOUT_SEC=600\n" >> /etc/greenboot/greenboot.con
 RUN firewall-offline-cmd --zone=public --add-port=22/tcp && \
     firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16 && \
     firewall-offline-cmd --zone=trusted --add-source=169.254.169.1 && \
+    firewall-offline-cmd --zone=trusted --add-source=fd01::/48 && \
     firewall-offline-cmd --zone=public --add-port=80/tcp && \
     firewall-offline-cmd --zone=public --add-port=443/tcp && \
     firewall-offline-cmd --zone=public --add-port=5353/udp && \

diff --git a/test/image-blueprints-bootc/layer2-source/group1/rhel94-bootc-source-base.containerfile b/test/image-blueprints-bootc/layer2-source/group1/rhel94-bootc-source-base.containerfile
@@ -29,6 +29,7 @@ RUN printf "\nMICROSHIFT_WAIT_TIMEOUT_SEC=600\n" >> /etc/greenboot/greenboot.con
 RUN firewall-offline-cmd --zone=public --add-port=22/tcp && \
     firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16 && \
     firewall-offline-cmd --zone=trusted --add-source=169.254.169.1 && \
+    firewall-offline-cmd --zone=trusted --add-source=fd01::/48 && \
     firewall-offline-cmd --zone=public --add-port=80/tcp && \
     firewall-offline-cmd --zone=public --add-port=443/tcp && \
     firewall-offline-cmd --zone=public --add-port=5353/udp && \

diff --git a/test/image-blueprints-bootc/layer2-source/group1/rhel94-bootc-source.containerfile b/test/image-blueprints-bootc/layer2-source/group1/rhel94-bootc-source.containerfile
@@ -29,6 +29,7 @@ RUN printf "\nMICROSHIFT_WAIT_TIMEOUT_SEC=600\n" >> /etc/greenboot/greenboot.con
 RUN firewall-offline-cmd --zone=public --add-port=22/tcp && \
     firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16 && \
     firewall-offline-cmd --zone=trusted --add-source=169.254.169.1 && \
+    firewall-offline-cmd --zone=trusted --add-source=fd01::/48 && \
     firewall-offline-cmd --zone=public --add-port=80/tcp && \
     firewall-offline-cmd --zone=public --add-port=443/tcp && \
     firewall-offline-cmd --zone=public --add-port=5353/udp && \

diff --git a/...prints-bootc/layer2-source/group2/rhel94-bootc-source-ostree-parent-yminus2.containerfile b/...prints-bootc/layer2-source/group2/rhel94-bootc-source-ostree-parent-yminus2.containerfile
@@ -36,6 +36,7 @@ RUN printf "\nMICROSHIFT_WAIT_TIMEOUT_SEC=600\n" >> /etc/greenboot/greenboot.con
 RUN firewall-offline-cmd --zone=public --add-port=22/tcp && \
     firewall-offline-cmd --zone=trusted --add-source=10.42.0.0/16 && \
     firewall-offline-cmd --zone=trusted --add-source=169.254.169.1 && \
+    firewall-offline-cmd --zone=trusted --add-source=fd01::/48 && \
     firewall-offline-cmd --zone=public --add-port=80/tcp && \
     firewall-offline-cmd --zone=public --add-port=443/tcp && \
     firewall-offline-cmd --zone=public --add-port=5353/udp && \

diff --git a/test/image-blueprints/layer1-base/group2/rhel94-microshift-yminus2.toml b/test/image-blueprints/layer1-base/group2/rhel94-microshift-yminus2.toml
@@ -50,7 +50,7 @@ enabled = ["mdns", "ssh", "http", "https"]
 
 [[customizations.firewall.zones]]
 name = "trusted"
-sources = ["10.42.0.0/16", "169.254.169.1"]
+sources = ["10.42.0.0/16", "169.254.169.1", "fd01::/48"]
 
 # Extend Greenboot wait timeout to 10m for MicroShift to be ready.
 # Greenboot configuration must come after RPM install to avoid

diff --git a/test/image-blueprints/layer1-base/group3/rhel94-microshift-previous-minor.toml b/test/image-blueprints/layer1-base/group3/rhel94-microshift-previous-minor.toml
@@ -55,7 +55,7 @@ enabled = ["mdns", "ssh", "http", "https"]
 
 [[customizations.firewall.zones]]
 name = "trusted"
-sources = ["10.42.0.0/16", "169.254.169.1"]
+sources = ["10.42.0.0/16", "169.254.169.1", "fd01::/48"]
 
 # Extend Greenboot wait timeout to 10m for MicroShift to be ready.
 # Greenboot configuration must come after RPM install to avoid

diff --git a/test/image-blueprints/layer1-base/group4/rhel94-crel-with-optionals.toml b/test/image-blueprints/layer1-base/group4/rhel94-crel-with-optionals.toml
@@ -66,7 +66,7 @@ enabled = ["mdns", "ssh", "http", "https"]
 
 [[customizations.firewall.zones]]
 name = "trusted"
-sources = ["10.42.0.0/16", "169.254.169.1"]
+sources = ["10.42.0.0/16", "169.254.169.1", "fd01::/48"]
 
 # Extend Greenboot wait timeout to 10m for MicroShift to be ready.
 # Greenboot configuration must come after RPM install to avoid

diff --git a/test/image-blueprints/layer1-base/group4/rhel94-crel.toml b/test/image-blueprints/layer1-base/group4/rhel94-crel.toml
@@ -58,7 +58,7 @@ enabled = ["mdns", "ssh", "http", "https"]
 
 [[customizations.firewall.zones]]
 name = "trusted"
-sources = ["10.42.0.0/16", "169.254.169.1"]
+sources = ["10.42.0.0/16", "169.254.169.1", "fd01::/48"]
 
 # Extend Greenboot wait timeout to 10m for MicroShift to be ready.
 # Greenboot configuration must come after RPM install to avoid

diff --git a/test/image-blueprints/layer2-presubmit/group1/rhel94-source-base.toml b/test/image-blueprints/layer2-presubmit/group1/rhel94-source-base.toml
@@ -46,7 +46,7 @@ enabled = ["mdns", "ssh", "http", "https"]
 
 [[customizations.firewall.zones]]
 name = "trusted"
-sources = ["10.42.0.0/16", "169.254.169.1"]
+sources = ["10.42.0.0/16", "169.254.169.1", "fd01::/48"]
 
 # Extend Greenboot wait timeout to 10m for MicroShift to be ready.
 # Greenboot configuration must come after RPM install to avoid

diff --git a/test/image-blueprints/layer2-presubmit/group1/rhel94-source-fake-next-minor.toml b/test/image-blueprints/layer2-presubmit/group1/rhel94-source-fake-next-minor.toml
@@ -46,7 +46,7 @@ enabled = ["mdns", "ssh", "http", "https"]
 
 [[customizations.firewall.zones]]
 name = "trusted"
-sources = ["10.42.0.0/16", "169.254.169.1"]
+sources = ["10.42.0.0/16", "169.254.169.1", "fd01::/48"]
 
 # Extend Greenboot wait timeout to 10m for MicroShift to be ready.
 # Greenboot configuration must come after RPM install to avoid

diff --git a/test/image-blueprints/layer2-presubmit/group1/rhel94-source-tuned.toml b/test/image-blueprints/layer2-presubmit/group1/rhel94-source-tuned.toml
@@ -50,7 +50,7 @@ enabled = ["mdns", "ssh", "http", "https"]
 
 [[customizations.firewall.zones]]
 name = "trusted"
-sources = ["10.42.0.0/16", "169.254.169.1"]
+sources = ["10.42.0.0/16", "169.254.169.1", "fd01::/48"]
 
 # Extend Greenboot wait timeout to 10m for MicroShift to be ready.
 # Greenboot configuration must come after RPM install to avoid

diff --git a/test/image-blueprints/layer2-presubmit/group1/rhel94-source-with-optionals.toml b/test/image-blueprints/layer2-presubmit/group1/rhel94-source-with-optionals.toml
@@ -62,7 +62,7 @@ enabled = ["mdns", "ssh", "http", "https"]
 
 [[customizations.firewall.zones]]
 name = "trusted"
-sources = ["10.42.0.0/16", "169.254.169.1"]
+sources = ["10.42.0.0/16", "169.254.169.1", "fd01::/48"]
 
 # Extend Greenboot wait timeout to 10m for MicroShift to be ready.
 # Greenboot configuration must come after RPM install to avoid

diff --git a/test/image-blueprints/layer2-presubmit/group1/rhel94-source.toml b/test/image-blueprints/layer2-presubmit/group1/rhel94-source.toml
@@ -50,7 +50,7 @@ enabled = ["mdns", "ssh", "http", "https"]
 
 [[customizations.firewall.zones]]
 name = "trusted"
-sources = ["10.42.0.0/16", "169.254.169.1"]
+sources = ["10.42.0.0/16", "169.254.169.1", "fd01::/48"]
 
 # Extend Greenboot wait timeout to 10m for MicroShift to be ready.
 # Greenboot configuration must come after RPM install to avoid

diff --git a/test/image-blueprints/layer3-periodic/group1/rhel94-source-isolated.toml b/test/image-blueprints/layer3-periodic/group1/rhel94-source-isolated.toml
@@ -52,7 +52,7 @@ enabled = ["mdns", "ssh", "http", "https"]
 
 [[customizations.firewall.zones]]
 name = "trusted"
-sources = ["10.42.0.0/16", "169.254.169.1"]
+sources = ["10.42.0.0/16", "169.254.169.1", "fd01::/48"]
 
 # Override the default qemu-ga service configuration on the guest to allow all RPCs.
 # BLOCK_RPCS is a deny-list of qemu-guest-agent RPCs to block, such as file read/write, process execution, etc. By