Bug 1094911

Summary: iptables: script and/or trigger should not directly enable systemd units
Product: [Fedora] Fedora
Reporter: Andy Lutomirski <luto>
Component: iptables
Assignee: Thomas Woerner <twoerner>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: jpopelka, luto, twoerner
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-04-13 15:07:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1090684

Description Andy Lutomirski 2014-05-06 17:19:40 UTC
My query script thinks that iptables has a script or trigger that directly enables a systemd unit using 'systemctl enable'.  It probably should not.  Please update this package to use the macroized scriptlet (https://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Systemd).

If your package has an exception from FESCo permitting it to enable
itself, please make sure that the service in question is listed in the
appropriate preset file.

There is a general exception described here:

https://fedoraproject.org/wiki/Starting_services_by_default

If your package falls under the general exception, then it is possible
that no change is required.  Nevertheless, if you are relying on the
exception, please make sure that your rpm scripts are sensible.  The
exception is:

In addition, any service which does not remain persistent on the system (aka, it "runs once then goes away"), does not listen to incoming connections during initialization, and does not require configuration to be functional may be enabled by default (but is not required to do so). An example of "runs once then goes away" service is iptables.

Given that this issue can affect Fedora 20 users who install your
package as a dependency, this bug should be fixed in Fedora 20 and
Rawhide.

Comment 1 Jaroslav Reznik 2015-03-03 15:46:26 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 2 Thomas Woerner 2016-04-13 14:56:20 UTC
The systemd services are only part of the iptables-services sub package, which is not installed by default and only installed if people want to use the old static firewall model.

There is no systemctl enable or systemctl try-restart call.

Comment 3 Thomas Woerner 2016-04-13 15:00:41 UTC
There is only 

%postun services
%systemd_postun_with_restart iptables.service ip6tables.service

Is this enabling the services or only restarting if they have been started before?

Comment 4 Thomas Woerner 2016-04-13 15:07:31 UTC
From macros.systemd:

%systemd_postun_with_restart() \
systemctl daemon-reload >/dev/null 2>&1 || : \
if [ $1 -ge 1 ] ; then \
        # Package upgrade, not uninstall \
        systemctl try-restart %{?*} >/dev/null 2>&1 || : \
fi \
%{nil}

From systemctl man page:
       try-restart PATTERN...
           Restart one or more units specified on the command line if the
           units are running. This does nothing if units are not running. Note
           that, for compatibility with Red Hat init scripts, condrestart is
           equivalent to this command.

Therefore %systemd_postun_with_restart should not enable the services if they have not been enabled before.

If there are no further changes required this bug can be closed.
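
The check the report in comment 0 and the analysis in comment 4 are both about is easy to reproduce against an installed package. The following shell script is an added example written for this page; it is neither the reporter's query script nor anything shipped by the iptables package. It audits scriptlet text as printed by `rpm -q --scripts <pkg>` (which shows the spec macros already expanded, so %systemd_post and %systemd_postun_with_restart appear as the preset/disable/stop/daemon-reload/try-restart calls they expand to) and flags only a literal `systemctl enable` or `systemctl start`. The function names `audit_scriptlets` and `count_offenders`, the two sample scriptlets, and `example.service` are all constructed for the example; sample 1 is the expansion of the %postun quoted in comment 3, sample 2 is a hypothetical offending %post.

```shell
#!/bin/sh
# Added example (not Fedora's and not the reporter's query script): audit a
# package's scriptlets for direct "systemctl enable"/"systemctl start" calls.
# Input is the text printed by `rpm -q --scripts <pkg>`; macros are already
# expanded there, so the macroized snippets show up as preset, disable, stop,
# daemon-reload and try-restart, none of which enables a unit that was not
# enabled before. Only enable and start are flagged.

# audit_scriptlets: read scriptlet text on stdin, print every line that runs
# `systemctl [--flags] enable|start`, return 1 if any was found, else 0.
audit_scriptlets() {
    # Drop shell comments first so a commented-out call is not reported.
    offenders=$(sed 's/#.*$//' |
        grep -E '(^|[;&|[:space:]])systemctl[[:space:]]+(--[^[:space:]]+[[:space:]]+)*(enable|start)([[:space:]]|$)' ||
        true)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# count_offenders: number of flagged lines for the text on stdin (0 = clean).
count_offenders() {
    audit_scriptlets | grep -c . || true
}

# Constructed sample 1: what `rpm -q --scripts` shows for
#   %postun services
#   %systemd_postun_with_restart iptables.service ip6tables.service
# after macro expansion (cf. macros.systemd as quoted in this bug). Clean.
GOOD_SCRIPTLET='postuninstall scriptlet (using /bin/sh):
systemctl daemon-reload >/dev/null 2>&1 || :
if [ $1 -ge 1 ] ; then
        # Package upgrade, not uninstall
        systemctl try-restart iptables.service ip6tables.service >/dev/null 2>&1 || :
fi'

# Constructed sample 2 (hypothetical package, not a real one): a %post that
# enables and starts its unit by hand instead of using %systemd_post.
BAD_SCRIPTLET='postinstall scriptlet (using /bin/sh):
systemctl daemon-reload >/dev/null 2>&1 || :
systemctl --no-reload enable example.service >/dev/null 2>&1 || :
systemctl start example.service >/dev/null 2>&1 || :'

# Stand-alone demonstration on the two constructed samples.
printf '%s\n' "$GOOD_SCRIPTLET" | audit_scriptlets && echo "sample 1: clean"
printf '%s\n' "$BAD_SCRIPTLET" | audit_scriptlets || echo "sample 2: direct enable/start found"
```

Against a real system the input comes from rpm, for example `rpm -q --scripts iptables-services | audit_scriptlets`; a non-zero exit means the package still enables or starts a unit itself rather than going through the preset mechanism. The regex deliberately anchors on `systemctl` followed by optional `--flags`, so `try-restart` and `daemon-reload` are never mistaken for `start` or `enable`.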

Comment 5 Red Hat Bugzilla 2023-09-14 02:07:25 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days