Bug 1004976

Summary: RFE: firewall kickstart command which does not require firewalld
Product: [Fedora] Fedora Reporter: Matthew Miller <mattdm>
Component: anacondaAssignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: anaconda-maint-list, bcl, clumens, g.kaviyarasu, jonathan, ricardo.arguello, vanmeeuwen+fedora
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-29 20:35:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 752665    

Description Matthew Miller 2013-09-05 22:34:47 UTC 
This is a continuation of bug #815540 except I'm trying to be less alarmist and also less whiny. :)

I'm trying to use create-appliance to build lightweight images. I'd even like to eventually do this with anaconda itself. There are some other ways to do this, but there are advantages to using a real installer as well.

Because this is a container environment, it doesn't need to be running any firewall. However,

 firewall --disaabled

results in failure with

 Unable to run ['/usr/bin/firewall-offline-cmd', '--disabled']!

Could this either be made to not do anything, or a new parameter like "firewall --ignore" be added? 

With the cloud kickstart image, we chose to put workarounds in the %post script. With the container (which may not even have yum), the workarounds get really crazy. We could come up with some new lightweight appliance creation tool, but really, I'd like there to be _more_ convergence here, not less.
Comment 1 Brian Lane 2013-09-05 23:48:48 UTC 
The reason why it raises the error is that in the case where you want to be sure the firewall is disabled you'd like to know if that disable failed. Although I guess it could be argued that if the tool is missing odds are it's going to be disabled.

Why not just remove the firewall command from your kickstart?

Also, you really should be using livemedia-creator ;)
Comment 2 Matthew Miller 2013-09-06 01:28:31 UTC 
(In reply to Brian C. Lane from comment #1)
> The reason why it raises the error is that in the case where you want to be
> sure the firewall is disabled you'd like to know if that disable failed.
> Although I guess it could be argued that if the tool is missing odds are
> it's going to be disabled.
> 
> Why not just remove the firewall command from your kickstart?

Well, in appliance-creator at least, absence of the firewall line is treated as if you gave 'firewall --enabled'.

I see the point of having the error raised for failed disabled; maybe a separate parameter like "firewall --ignore" for this case? Or, make the missing line mean that, but people might be expecting the missing=default=enable behavior.

> Also, you really should be using livemedia-creator ;)

Well, the idea right now is to make it work with something that is already in koji.
Comment 3 Fedora Update System 2013-09-25 16:04:15 UTC 
anaconda-20.20-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/anaconda-20.20-1.fc20
Comment 4 Matthew Miller 2013-09-25 22:57:59 UTC 
Awesome -- thank you!
Comment 5 Fedora Update System 2013-09-27 00:32:22 UTC 
Package anaconda-20.20-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing anaconda-20.20-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17681/anaconda-20.20-1.fc20
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2013-09-28 01:17:11 UTC 
anaconda-20.21-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/anaconda-20.21-1.fc20
Comment 7 Brian Lane 2013-10-02 17:32:31 UTC 
*** Bug 884878 has been marked as a duplicate of this bug. ***
Comment 8 Chris Lumens 2014-04-01 14:51:38 UTC 
Don't mind me - just moving this to the component that includes the fix so I don't confuse myself again later on.