Bug 1067147

Summary: Race condition with firewalld.service resulting in host inaccessible
Product: Fedora
Component: fail2ban
Reporter: Vladislav Grigoryev <vg.aetera>
Assignee: Thomas Woerner <twoerner>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED ERRATA
Severity: urgent
Priority: unspecified
Version: 20
CC: Axel.Thimm, jonathan.underwood, jpopelka, orion, twoerner, vg.aetera, vonsch
Hardware: All
OS: Linux
Type: Bug
Doc Type: Bug Fix
Fixed In Version: fail2ban-0.9-2.fc20
Last Closed: 2014-05-24 23:29:40 UTC
Attachments: System log (no flags)

Description Vladislav Grigoryev 2014-02-19 19:45:25 UTC
Description of problem:
firewalld doesn't respect iptables locks and fails to load default set of rules resulting in host inaccessible.

Version-Release number of selected component (if applicable):
firewalld-0.3.9.3-1.fc20.noarch

How reproducible:
Occasionally.

Steps to Reproduce:
1. Fedora 20 minimal server netinstall.
2. Firewalld with default set of rules, SSH-service is allowed.
3. Reboot.

Actual results:
Error loading default set of rules, rejecting SSH-connections.

Client log:
$ ssh root@server
ssh: connect to host server port 22: No route to host

Server log:
# LANG=C journalctl --no-pager -lu firewalld.service
-- Reboot --
Feb 15 18:59:18 srv6.kola.fad.ru systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 15 18:59:19 srv6.kola.fad.ru systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 15 18:59:21 srv6.kola.fad.ru firewalld[491]: 2014-02-15 18:59:21 ERROR: '/sbin/iptables -I FWDI_public 2 -t filter -j FWDI_public_deny' failed: iptables: Resource temporarily unavailable.
Feb 15 18:59:21 srv6.kola.fad.ru firewalld[491]: 2014-02-15 18:59:21 ERROR: '/sbin/iptables -X FWDI_public -t filter' failed: iptables: Directory not empty.
Feb 15 18:59:21 srv6.kola.fad.ru firewalld[491]: 2014-02-15 18:59:21 ERROR: '/sbin/iptables -D FWDI_public 1 -t filter -j FWDI_public_log' failed: iptables v1.4.19.1: Illegal option `-j' with this command
                                                 
                                                 Try `iptables -h' or 'iptables --help' for more information.
Feb 15 18:59:21 srv6.kola.fad.ru firewalld[491]: 2014-02-15 18:59:21 ERROR: COMMAND_FAILED: '/sbin/iptables -I FWDI_public 2 -t filter -j FWDI_public_deny' failed: iptables: Resource temporarily unavailable.
Feb 15 18:59:21 srv6.kola.fad.ru firewalld[491]: 2014-02-15 18:59:21 ERROR: '/sbin/iptables -N FWDI_public -t filter' failed: iptables: Chain already exists.
Feb 15 18:59:21 srv6.kola.fad.ru firewalld[491]: 2014-02-15 18:59:21 ERROR: COMMAND_FAILED: '/sbin/iptables -N FWDI_public -t filter' failed: iptables: Chain already exists.
Feb 15 18:59:21 srv6.kola.fad.ru firewalld[491]: 2014-02-15 18:59:21 ERROR: '/sbin/iptables -N FWDI_public -t filter' failed: iptables: Chain already exists.
Feb 15 18:59:21 srv6.kola.fad.ru firewalld[491]: 2014-02-15 18:59:21 ERROR: COMMAND_FAILED: '/sbin/iptables -N FWDI_public -t filter' failed: iptables: Chain already exists.

Comment 1 Thomas Woerner 2014-02-20 15:35:25 UTC
What is locking netfilter in this machine?

Comment 2 Vladislav Grigoryev 2014-02-21 01:10:44 UTC
Created attachment 865768 [details]
System log

Full system log after reboot:
# LANG=C journalctl -l --since '2014-02-15 18:59:19' --until '2014-02-15 19:00:00' >journal-20140215.log

Comment 3 Thomas Woerner 2014-02-21 10:07:34 UTC
There are two services adding firewall rules at the same time. This results in both services failing. I would suggest adding "After: firewalld.service" to the fail2ban service. Then this will not happen.

Having two or more services adding firewall rules at the same time is not a good idea at all. You do not know what the result will be in the end.
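
Two checks for the situation described in comment 0 and comment 3, as an added Python example that is not part of the bug report or of either package: the first classifies firewalld journal errors into xtables lock contention versus the follow-on chain errors it causes, the second checks whether a systemd unit orders itself after firewalld.service. The journal sample is shortened from the log above; the fail2ban unit snippets are constructed, and the `After=` directive is assumed to be what comment 3's "After: firewalld.service" refers to.

```python
import re

# firewalld journal lines: "... firewalld[PID]: <date> ERROR: [COMMAND_FAILED: ]'<cmd>' failed: <msg>"
FIREWALLD_ERR = re.compile(
    r"firewalld\[\d+\]: .*?ERROR: (?:COMMAND_FAILED: )?'(?P<cmd>[^']+)' failed: (?P<msg>.*)$")

# iptables reports a held xtables lock as EAGAIN; the later "Chain already exists" and
# "Directory not empty" errors are fallout from the rule that never got inserted.
LOCK_MSG = "Resource temporarily unavailable"

def classify_firewalld_errors(journal_text):
    """Return ({'lock_contention': n, 'follow_on': m}, [commands that hit the lock])."""
    counts = {"lock_contention": 0, "follow_on": 0}
    lock_cmds = []
    for line in journal_text.splitlines():
        m = FIREWALLD_ERR.search(line)
        if not m:
            continue
        if LOCK_MSG in m.group("msg"):
            counts["lock_contention"] += 1
            lock_cmds.append(m.group("cmd"))
        else:
            counts["follow_on"] += 1
    return counts, lock_cmds

def orders_after(unit_text, dep="firewalld.service"):
    """True if the [Unit] section of a systemd unit names dep in an After= line."""
    in_unit = False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_unit = line == "[Unit]"
        elif in_unit and line.startswith("After=") and dep in line[6:].split():
            return True
    return False

# Constructed sample, shortened from the journal excerpt in the bug report.
SAMPLE_JOURNAL = """\
Feb 15 18:59:19 srv6 systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 15 18:59:21 srv6 firewalld[491]: 2014-02-15 18:59:21 ERROR: '/sbin/iptables -I FWDI_public 2 -t filter -j FWDI_public_deny' failed: iptables: Resource temporarily unavailable.
Feb 15 18:59:21 srv6 firewalld[491]: 2014-02-15 18:59:21 ERROR: '/sbin/iptables -X FWDI_public -t filter' failed: iptables: Directory not empty.
Feb 15 18:59:21 srv6 firewalld[491]: 2014-02-15 18:59:21 ERROR: COMMAND_FAILED: '/sbin/iptables -N FWDI_public -t filter' failed: iptables: Chain already exists.
"""

# Constructed fail2ban unit snippets: the racy ordering, and the ordering comment 3 suggests.
UNIT_RACY = "[Unit]\nDescription=Fail2Ban Service\nAfter=network.target\n\n[Service]\nType=forking\n"
UNIT_FIXED = UNIT_RACY.replace("After=network.target", "After=network.target firewalld.service")
```

On a live host the journal text would come from `journalctl -u firewalld.service` and the unit text from `systemctl cat fail2ban.service`, which also shows any drop-in that adds the ordering.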

Comment 4 Jiri Popelka 2014-02-21 10:15:02 UTC
(In reply to ArcFi from comment #0)
> '...' failed: iptables: Resource temporarily unavailable.

I've also seen this from time to time - in some pre-releases of Fedora.

Comment 5 Vladislav Grigoryev 2014-02-21 11:44:36 UTC
(In reply to Thomas Woerner from comment #3)
> I would suggest to add "After: firewalld.service"
> to the fail2ban service.
Thanks. Looks like that resolves the issue.

Reassign to fail2ban package and rename to "Race condition with firewalld.service"?

Comment 6 Fedora Update System 2014-05-14 21:31:49 UTC
fail2ban-0.9-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/fail2ban-0.9-2.fc20

Comment 7 Fedora Update System 2014-05-16 10:09:03 UTC
Package fail2ban-0.9-2.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing fail2ban-0.9-2.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6419/fail2ban-0.9-2.fc20
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2014-05-24 23:29:40 UTC
fail2ban-0.9-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.