Bug 1148399

Summary: puppet must not attempt to remove firewalld
Product: [Community] RDO Reporter: Martin Magr <mmagr>
Component: openstack-puppet-modulesAssignee: Martin Magr <mmagr>
Status: CLOSED CURRENTRELEASE QA Contact: Ami Jeain <ajeain>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: apevec, lbezdick, mmagr, stoner, whayutin, yeylon
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-puppet-modules-2014.2.1-0.5.fc22 openstack-packstack-2014.2-0.4.dev1266.g63d9c50.fc22 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-27 19:58:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martin Magr 2014-10-01 11:46:47 UTC 
Description of problem:
Running Packstack Juno on Fedora 20 attemtps to remove firewalld package. THis attempt fails because 'rpm -e' is used instead of 'yum remove'. We should either stop the effort of removing the package or use yum instead

Version-Release number of selected component (if applicable):
openstack-packstack-2014.2-0.2.dev1266.g63d9c50.fc22.noarch
openstack-puppet-modules-2014.2-0.3.fc22.noarch


Additional info:
^[[1;31mWarning: Config file /etc/puppet/hiera.yaml not found, using Hiera defaults^[[0m
^[[mNotice: Compiled catalog for localhost.localdomain in environment production in 0.85 seconds^[[0m
^[[1;31mError: Execution of '/usr/bin/rpm -e firewalld-0.3.11-3.fc20.noarch' returned 1: error: Failed dependencies:
        firewalld >= 0.3.5-1 is needed by (installed) anaconda-20.25.16-1.fc20.x86_64
        firewalld = 0.3.11-3.fc20 is needed by (installed) firewall-config-0.3.11-3.fc20.noarch
^[[0m
^[[1;31mError: /Stage[main]/Firewall::Linux::Redhat/Package[firewalld]/ensure: change from 0.3.11-3.fc20 to absent failed: Execution of '/usr/bin/rpm -e firewalld-0.3.11-3.fc20.noarch' returned 1: error: Failed dependencies:
        firewalld >= 0.3.5-1 is needed by (installed) anaconda-20.25.16-1.fc20.x86_64
        firewalld = 0.3.11-3.fc20 is needed by (installed) firewall-config-0.3.11-3.fc20.noarch
^[[0m
^[[mNotice: /Stage[main]/Firewall::Linux::Redhat/Package[iptables-services]: Dependency Package[firewalld] has failures: true^[[0m
^[[1;31mWarning: /Stage[main]/Firewall::Linux::Redhat/Package[iptables-services]: Skipping because of failed dependencies^[[0m
^[[mNotice: /Stage[main]/Firewall::Linux::Redhat/File[/etc/sysconfig/iptables]/ensure: created^[[0m
^[[mNotice: /Stage[main]/Main/Service[firewalld]/ensure: ensure changed 'running' to 'stopped'^[[0m
^[[mNotice: /Stage[main]/Firewall::Linux::Redhat/Service[iptables]: Dependency Package[firewalld] has failures: true^[[0m
^[[1;31mWarning: /Stage[main]/Firewall::Linux::Redhat/Service[iptables]: Skipping because of failed dependencies^[[0m
^[[mNotice: Finished catalog run in 0.90 seconds^[[0m
Comment 1 Ivan Chavero 2014-10-03 00:13:47 UTC 
the only place in which the firewalld package is removed is in the class firewall::linux::redhat from the firewall puppet module which AFAIK is not used by packstack (there are no puppet manifests that include this class).

this does not happen in the latest openstack-packstack-2014.2-0.3.dev1266.g63d9c50.fc22 

yum install -y https://repos.fedorapeople.org/repos/openstack/openstack-juno/rdo-release-juno-1.noarch.rpm
yum install -y yum-fastestmirror yum-presto deltarpm
yum update -y
setenforce permissive
yum install -y openstack-packstack
packstack -S packstack /usr/bin/packstack -d --allinone

can you reproduce it using this?
Comment 2 Martin Magr 2014-10-03 14:43:17 UTC 
Puppet class that you mentioned is indeed used via ::firewall class [1]. Considerin that Lukas is going to implement firewalld support to the module, the class ::firewall::linux::redhat should be fixed in the process.

[1] https://github.com/stackforge/packstack/blob/master/packstack/puppet/templates/prescript.pp#L1
Comment 3 Alan Pevec 2014-10-23 18:58:11 UTC 
*** Bug 1148426 has been marked as a duplicate of this bug. ***
Comment 4 Alan Pevec 2014-10-23 19:07:56 UTC 
> can you reproduce it using this?

You need to have firewall-config or some other package depending on firewalld installed to trigger this.

FWIW I've proposed https://github.com/puppetlabs/puppetlabs-firewall/pull/425
but that fails on a Puppet core bug, which remains unfixed even in the latest Puppet.

Lukas, how and when is this going to be fixed as a part of the work Martin mentioned in the comment 2 ?
Comment 5 Alan Pevec 2014-10-23 20:05:10 UTC 
If there are no better suggestions, I'll include PR 425 patch in RDO Juno openstack-puppet-modules.
Comment 6 Martin Magr 2014-10-24 07:48:59 UTC 
TBH I don't think firewalld package should be uninstalled. If more packages will start to depend on it, we could end up in state where needed packages will be removed together with firewalld.

I created PR [1] with just disabling and stopping forewalld service which worked for us in Packstack without any issue.

[1] https://github.com/puppetlabs/puppetlabs-firewall/pull/426/
Comment 7 Alan Pevec 2014-10-24 10:29:38 UTC 
ack

Please, pretty please, build opm with 426 patch!
This is RDO Juno Fedora blocker.
Comment 8 Alan Pevec 2014-10-24 17:14:05 UTC 
http://pkgs.fedoraproject.org/cgit/openstack-puppet-modules.git/commit/?id=221ceb7428d3b891926ea057e44618ac6086a607
Comment 9 Alan Pevec 2014-10-24 20:54:33 UTC 
> External Bug ID: OpenStack gerrit 130809

This is the patch for Packstack, required once opm includes puppet-firewall with patch #426.
Otherwise:
Error: Duplicate declaration: Service[firewalld] is already declared in file /var/tmp/packstack/5fb56c595b7f4f9a99c35bce7722b4d3/modules/firewall/manifests/linux/redhat.pp:29; cannot redeclare at /var/tmp/packstack/5fb56c595b7f4f9a99c35bce7722b4d3/manifests/192.168.150.166_prescript.pp:30