container: Assign virtual network interface to trusted firewall zone

If firewalld is running, the virtual network interface created by systemd-nspawn gets assigned to the home zone by default. Because of this, DHCP server is not availabe for the container and most of the incoming ports are closed. This commit assigns the network interface created by systemd-nspawn to the trusted network zone if firewalld is running, so that all network connections are accepted. Signed-off-by: Veiko Aasa veiko17@disroot.org Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-01-21 07:55:00 +00:00 · 2020-10-05 13:53:49 +03:00 · 2020-10-05 13:53:49 +03:00 · 819520466a
commit 819520466a
parent 6bb5d34132
1 changed files with 6 additions and 0 deletions
--- a/6
+++ b/6
@ -480,6 +480,7 @@ def _setup_nm_connection(distribution):
        'connection.type': '802-3-ethernet',
        'connection.interface-name': _get_interface_name(distribution),
        'connection.autoconnect': 'yes',
+        'connection.zone': 'trusted',
        'ipv4.method': 'shared',
    }
    subprocess.run(['sudo', 'nmcli', 'connection', 'add'] +
@ -695,6 +696,11 @@ def _destroy(distribution):
    except FileNotFoundError:
        pass

+    connection_name = f'fbx-{distribution}-shared'
+    logger.info('Removing Network Manager connection %s', connection_name)
+    subprocess.run(['sudo', 'nmcli', 'connection', 'delete', connection_name],
+                   stdout=subprocess.DEVNULL)
+
    logger.info('Keeping downloaded image: %s',
                _get_compressed_image_path(distribution))