[Firehol-support] CoreOS and Firehol

Phil Whineray phil at sanewall.org
Thu Aug 20 07:27:00 BST 2015


Hi Rudy

On Thu, Aug 20, 2015 at 12:13:06PM +0800, Rudi wrote:
> Does Firehol work well with CoreOS?

I haven't tried this but maybe someone else will have.

> I'm currently moving all my Ubuntu applications into Docker, but Firehol
> still runs non-containerized.
> 
> Wondering if this is going to play out OK with CoreOS.

Well, if you were to containerise FireHOL, the netfilter rules it
generates would apply only in the container in question, which is
almost certainly not what you want.

> Any feedback and/or tips/links on this would be greatly appreciated.

Linux containers work by creating namespaces for various things. The
network namespace is the one relevant to FireHOL.

I recently added a tool to trunk, vnetbuild, which allows you to
create an interconnected set of network namespaces, using virtual
network devices and bridges, to mimic a real network. The best
starting resource is probably still this LWN article:
  https://lwn.net/Articles/580893/

I believe that Docker et al. all do something similar, to allow
the containers to communicate with each other and the outside world.

If CoreOS tries to manage netfilter rules between the containers this
might interfere with FireHOL, so you might want to do some extra research
or just give it a go on a safe network and see how it behaves.

Hope that helps
Phil
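As an added illustration of the point made in the reply above (this is not code from the thread or from the FireHOL project), the script below creates a throwaway network namespace, loads a netfilter rule inside it, and shows that the host's own INPUT chain is left untouched. It assumes root with CAP_NET_ADMIN, iproute2 and iptables; the namespace name and the port are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not FireHOL code: rules loaded in a network namespace (what a
# container gets) never reach the host's netfilter tables.
# Assumes root (CAP_NET_ADMIN), iproute2 and iptables.
set -eu

NS="${NS:-fhdemo}"   # constructed throwaway namespace name
PORT=2222            # constructed port used only by the demo rule

# Count INPUT rules matching the demo port. Leading arguments are a command
# prefix such as "ip netns exec $NS"; none means the host namespace.
count_demo_rules() {
    "$@" iptables -S INPUT | grep -c -- "--dport $PORT" || true
}

# Probe whether namespaces can be created and iptables run inside them;
# fails on unprivileged or sandboxed hosts.
ns_supported() {
    ip netns add "$NS" 2>/dev/null || return 1
    ip netns exec "$NS" iptables -S INPUT >/dev/null 2>&1 && rc=0 || rc=1
    ip netns del "$NS"
    return $rc
}

# Create the namespace with its own loopback, routing and netfilter state.
ns_create() {
    ip netns add "$NS"
    ip -n "$NS" link set lo up
}

# Load a DROP rule inside the namespace only; a containerised FireHOL
# would land its rules here.
ns_add_drop_rule() {
    ip netns exec "$NS" iptables -A INPUT -p tcp --dport "$PORT" -j DROP
}

ns_cleanup() {
    ip netns del "$NS" 2>/dev/null || true
}

# Walk-through: the host's rule count is unchanged afterwards.
demo() {
    before=$(count_demo_rules)
    ns_create; trap ns_cleanup EXIT
    ns_add_drop_rule
    echo "inside $NS: $(count_demo_rules ip netns exec "$NS") rule(s)"
    echo "host: $before -> $(count_demo_rules) rule(s)"
}

case "${1:-}" in run) demo ;; esac
```

Run it as `sh demo.sh run` on a scratch host; the namespace is deleted on exit.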
