Add required firewall configuration in post-networking RPM stage

[ggiguash]

Test when firewalld is DOWN (sudo -i)

# systemctl is-active firewalld.service 
inactive
# firewall-offline-cmd --zone=trusted --list-sources

# systemctl is-active --quiet firewalld || firewall-offline-cmd -q --zone=trusted --add-source=10.42.0.0/16
# systemctl is-active --quiet firewalld && firewall-cmd         -q --zone=trusted --add-source=10.42.0.0/16
# firewall-offline-cmd --zone=trusted --list-sources
10.42.0.0/16

Test when firewalld is UP (sudo -i)

# systemctl is-active firewalld.service 
active
# firewall-cmd --zone=trusted --list-sources

# systemctl is-active --quiet firewalld || firewall-offline-cmd -q --zone=trusted --add-source=10.42.0.0/16
# systemctl is-active --quiet firewalld && firewall-cmd         -q --zone=trusted --add-source=10.42.0.0/16
# firewall-cmd --zone=trusted --list-sources
10.42.0.0/16

Closes USHIFT-245

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ggiguash

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [ggiguash]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[zshi-redhat]

Should we expect customized cluster IP range?

[ggiguash]

Can we extract this information from somewhere?

[ggiguash]

/hold

[fzdarsky]

@ggiguash, so far we've deliberately avoided making firewall and similar security-impacting changes to the OS "under the hood" by the RPM installation scripts (or MicroShift FTM). The reason is we thought it a best-practice that sys admins should consciously and selectively open up their systems.

To @zshi-redhat's point: The problem is the ClusterCIDR is a runtime configuration parameters (https://github.com/openshift/microshift/blob/main/pkg/config/config.go#L97) and therefore there's no way to reliably add a rule at installation-time.

I understand the intention is to eliminate a common source of error; would it maybe make more sense to add some form of validation at MicroShift startup instead? Like "ERROR: You've configured a ClusterCIDR of 10.42.0.0/16, but didn't open the firewall ports."

[openshift-ci]

@ggiguash: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.