From 147c49babfa8607c47efe66e10e64e2bb9cd7684 Mon Sep 17 00:00:00 2001
From: James Lee
Date: Thu, 17 Feb 2022 18:16:29 -0500
Subject: [PATCH] containers: Reload podman network on firewalld reload

firewalld reload causes the podman network rules to be removed. It is being tracked at https://github.com/containers/podman/issues/5431. In the mean time, add a workaround service to rebuild the rules when firewalld is started or reloaded.
---
 files/containers/podman-firewalld-reload.service | 14 ++++++++++++++
 manifests/base/containers.pp | 10 +++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 files/containers/podman-firewalld-reload.service

diff --git a/files/containers/podman-firewalld-reload.service b/files/containers/podman-firewalld-reload.service
new file mode 100644
index 00000000..9c8c444c
--- /dev/null
+++ b/files/containers/podman-firewalld-reload.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Redo podman NAT rules after firewalld starts or reloads
+Documentation=https://github.com/containers/podman/issues/5431
+Wants=dbus.service
+After=dbus.service
+
+[Service]
+Type=simple
+Environment=LC_CTYPE=C.utf8
+ExecStart=/bin/bash -c "dbus-monitor --profile --system 'type=signal,sender=org.freedesktop.DBus,path=/org/freedesktop/DBus,interface=org.freedesktop.DBus,member=NameAcquired,arg0=org.fedoraproject.FirewallD1' 'type=signal,path=/org/fedoraproject/FirewallD1,interface=org.fedoraproject.FirewallD1,member=Reloaded' | sed -u '/^#/d' | while read -r type timestamp serial sender destination path interface member _junk; do if [[ $type = '#'* ]]; then continue; elif [[ $interface = org.freedesktop.DBus && $member = NameAcquired ]]; then echo 'firewalld started'; podman network reload --all; elif [[ $interface = org.fedoraproject.FirewallD1 && $member = Reloaded ]]; then echo 'firewalld reloaded'; podman network reload --all; fi; done"
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
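Review bot: The second dbus-monitor match rule on the ExecStart line (`path=/org/fedoraproject/FirewallD1,interface=org.fedoraproject.FirewallD1,member=Reloaded`) has no `sender=` constraint, so any system-bus client permitted to emit signals — which the stock bus policy grants to ordinary local users, as far as I can tell — can make this root-run service execute `podman network reload --all` at will, whereas the first rule already pins its sender. Constraining it the same way, `'type=signal,sender=org.fedoraproject.FirewallD1,path=/org/fedoraproject/FirewallD1,interface=org.fedoraproject.FirewallD1,member=Reloaded'`, limits the trigger to firewalld's own signal. Two smaller points on the same unit: `Restart=always` has no `RestartSec`, so a persistently failing dbus-monitor respawns every 100 ms until systemd's default start-rate limit stops the unit for good, and something like `RestartSec=5` would keep the workaround alive across a transient dbus outage instead; and the `[[ $type = '#'* ]]` branch in the read loop is dead, because the preceding `sed -u '/^#/d'` already drops those lines.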
diff --git a/manifests/base/containers.pp b/manifests/base/containers.pp
index ea4cf506..d2454b87 100644
--- a/manifests/base/containers.pp
+++ b/manifests/base/containers.pp
@@ -56,11 +56,19 @@
 content => "[Service]\nDelegate=yes\n",
 notify => Nest::Lib::Systemd_reload['containers'],
 ;
+
+ '/etc/systemd/system/podman-firewalld-reload.service':
+ source => 'puppet:///modules/nest/containers/podman-firewalld-reload.service',
+ notify => Nest::Lib::Systemd_reload['containers'],
+ ;
 }
 ->
 nest::lib::systemd_reload { 'containers': }
 ->
- service { 'podman.socket':
+ service { [
+ 'podman.socket',
+ 'podman-firewalld-reload',
+ ]:
 enable => true,
 }
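Review bot: The new `podman-firewalld-reload` service is only enabled (`enable => true`), never ensured running, and nothing restarts it when its unit file changes: the added file resource notifies only `Nest::Lib::Systemd_reload['containers']`, so on the first Puppet run the monitor stays down until the next boot, and a later edit to the unit would leave the old instance running. Adding `ensure => running,` next to `enable => true,` closes the first gap (note it would then apply to `podman.socket` as well, which looks intended but is a behaviour change for that resource), and a `notify => Service['podman-firewalld-reload']` on the unit's file resource, alongside the existing systemd_reload notify, closes the second. The enclosing class and the file resource block both start before this hunk.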