Hi folks,
For our cloud-init-based installations we use the AlmaLinux-8-GenericCloud-UEFI-latest.x86_64.qcow2 image at https://vault.almalinux.org/8.6/cloud/x86_64/images/.
I noticed that this seems to come without firewalld installed, though usually it's installed and enabled by default.
Is this working as intended? I just wanted to check before we install/enable it ourselves in our cloud-init installations.
I don’t know the answer.
I have used an OpenStack-based cloud where OpenStack creates firewall rules on the host for the VMs. Likewise, one can add rules with libvirt. Since these rules are on the hypervisor, outside of the VM, nothing in the VM can modify them. Naturally, a firewall within the VM can be set to be more strict in order to deny traffic that the hypervisor allows. However, if the hypervisor does have a firewall option and it is sufficient, then a second firewall within the VM is a waste of CPU cycles.
If the majority of clouds are like the one that I have used, then the default of "none" is sensible for the image. "Less is more."
Thanks for the reaction, Jlehtone. In this case the hypervisor environment is separated from the VMs. The customers have the freedom to do what they want with their VMs (up to a point, of course), including setting up their firewall.
We do want to follow the standards for the operating systems that we offer. If AlmaLinux is supposed to come with firewalld, we want to offer them that and are happy to add it ourselves to our cloud-init installations if required. If AlmaLinux is supposed to come without firewalld, that's also fine by us.
Either way, the image and the AlmaLinux documentation don't match up. It also confused at least some of our customers, hence I'm checking.
The default, "normal", install does indeed deploy firewalld. The firewalld.service in its packages is enabled by default and has everything in the 'public' zone. In other words, only ssh, cockpit, and dhcpv6-client incoming connections are allowed and everything else is rejected in a freshly installed system. Furthermore, ssh to 'root' requires an SSH key pair, which the install does not deploy (unless one uses 'kickstart' to automate the installation).
The cloud image is not the result of running the normal installer. It has some set of packages. Among them is cloud-init, which is not part of any normal install. With that you can configure the VM from the get-go, supplying customizations on creation of the VM.
The default is to have a relatively "closed" firewall. (Some other distros might be even more strict and not even run sshd.)
The documentation is primarily for/about the “normal install”. The cloud images are, IMHO[1], a convenience for VMs, which are on hypervisors that support cloud-init.
[1] Opinion based on limited experience/knowledge.
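As an added example (not from the thread, and not AlmaLinux's own code), the cloud-config user-data below does what the original poster is considering: it installs firewalld on the GenericCloud image and enables it on first boot, so the VM ends up with the same 'public'-zone baseline that a normal install has (ssh, cockpit and dhcpv6-client allowed, everything else rejected). The package and service names are the standard ones; the two firewall-cmd calls at the end are only there to record the resulting state in the cloud-init log.

```yaml
#cloud-config
# Added example: install and enable firewalld on the AlmaLinux 8 GenericCloud image.
# Everything below runs once, on the instance's first boot.
package_update: true
packages:
  - firewalld

runcmd:
  # Enable and start the service. The firewalld package ships with 'public'
  # as the default zone, so no zone configuration is needed for the baseline.
  - systemctl enable --now firewalld
  # Record the resulting state in /var/log/cloud-init-output.log for verification.
  # Expected on a stock image: "public", then "cockpit dhcpv6-client ssh".
  - firewall-cmd --get-default-zone
  - firewall-cmd --list-services
```

Two things to keep in mind when rolling this out to customers: `runcmd` only runs on the first boot, so an image that was already provisioned without firewalld has to be fixed by hand or re-created; and once firewalld is active, any service the customer exposes beyond ssh, cockpit and dhcpv6-client has to be opened explicitly (for example `firewall-cmd --permanent --add-service=http` followed by `firewall-cmd --reload`), otherwise it is rejected just as it would be on a normal install.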