Bug 1171114

Summary: Starting firewalld gives warning when cockpit is not installed
Product: [Fedora] Fedora Reporter: Roland Hermans <rolandh>
Component: firewalldAssignee: Eric Garver <egarver>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: unspecified    
Version: 28CC: alex, a.lloyd.flanagan, aravindh, aurelien, barry, bughunt, dominicpg, fahlmanc_ca, fedora, guido.aulisi, igeorgex, jbarnes, jobelandon, jpokorny, jpopelka, michael, mysqlstudent, nenadalm, paulo.fidalgo.pt, peter, pgier, phimart, pickeringw, prarit, prd-fedora, pstodulk, redhat, shulyaka, sjensen, stefw, stephenbryant, thib, twoerner, warlord, zr.zz.alp
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1408365 (view as bug list) Environment:
Last Closed: 2019-05-28 23:23:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Roland Hermans 2014-12-05 11:32:49 UTC
Description of problem:
During the startup of firewalld a warning is logged when the cockpit package is not installed.

Version-Release number of selected component (if applicable):
firewalld-0.3.13-1.fc21.noarch
firewalld-config-workstation-0.3.13-1.fc21.noarch
firewalld-filesystem-0.3.13-1.fc21.noarch

How reproducible:
always

Steps to Reproduce:
1. Install Fedora 21 workstation
2. Boot system
3.

Actual results:
The following line is written to /var/log/firewalld when firewalld starts:
WARNING: FedoraServer: INVALID_SERVICE: cockpit

Expected results:
No warning

Additional info:
The cockpit service is referenced in file /usr/lib/firewalld/zones/FedoraServer.xml, which is part of the firewalld rpm. However the cockpit service is defined in /usr/lib/firewalld/services/cockpit.xml, which is part of the cockpit rpm. Perhaps the zone defined in FedoraServer.xml should only be installed on Fedora Server and not on Fedora Workstation?

Comment 1 Christian Stadelmann 2015-03-25 11:22:31 UTC
I can confirm this issue on F22 alpha.

Comment 2 Michael 2015-03-30 10:52:52 UTC
I can confirm this issue on (my) F21

Comment 3 valtestad 2015-04-20 10:48:56 UTC
confirmed on my F21 installation as well.

Comment 4 crf 2015-06-12 22:58:56 UTC
This affects my Fedora 22.

Comment 5 Derek Atkins 2015-09-12 00:39:24 UTC
I'm seeing this on Fedora-22 ARM

Comment 6 Fedora End Of Life 2015-11-04 10:33:27 UTC
This message is a reminder that Fedora 21 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 21. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '21'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 21 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 7 Christian Stadelmann 2015-11-04 10:35:20 UTC
Still present on F23. Please change the product version.

Comment 8 Zirui Zhuang 2015-12-31 09:28:20 UTC
Still present on 23

It was discovered as the boot time of firewalld is strangely long, and after digging the log of firewalld, we have:

WARNING: FedoraServer: INVALID_SERVICE: cockpit

and the cockpit is not installed at all.

Comment 9 Alex Regan 2016-01-17 15:11:07 UTC
It appears that even though --list-services shows it's not there, it actually is. Use --remove-service=cockpit appears to fix it.

# firewall-cmd --list-services --zone=FedoraServer
dhcpv6-client ssh

# firewall-cmd --zone=FedoraServer --add-service=cockpit
Warning: ALREADY_ENABLED: cockpit

# firewall-cmd --zone=FedoraServer --remove-service=cockpit
success

Comment 10 aurelien 2016-03-13 08:18:35 UTC
--remove-service does not fit and send back another error

aurelien@bigfoot:/var/log$ sudo firewall-cmd --zone=FedoraWorkstation --remove-service=cockpit
Error: INVALID_SERVICE: cockpit
aurelien@bigfoot:/var/log$ sudo firewall-cmd --complete-reload
success
aurelien@bigfoot:/var/log$ sudo firewall-cmd --zone=FedoraWorkstation --remove-service=cockpit
Error: INVALID_SERVICE: cockpit
aurelien@bigfoot:/var/log$ sudo firewall-cmd --complete-reload
success
aurelien@bigfoot:/var/log$ uname -a
Linux bigfoot 4.4.4-301.fc23.x86_64 #1 SMP Fri Mar 4 17:42:42 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Comment 11 aurelien 2016-03-13 09:00:07 UTC
Same as root
# firewall-cmd --zone=FedoraWorkstation --remove-service=cockpit
Error: INVALID_SERVICE: cockpit

Comment 12 Steve Bryant 2016-04-17 11:48:06 UTC
firewalld-0.4.0-2.fc23.noarch provides file /usr/lib/firewalld/zones/FedoraServer.xml which contains the following service name definition:

    <service name="cockpit"/>

However the file /usr/lib/firewalld/services/cockpit.xml does not exist, so every firewall startup produces the error:

    "WARNING: FedoraServer: INVALID_SERVICE: cockpit"

WORKAROUND
----------
Create a file /usr/lib/firewalld/services/cockpit.xml containing the following (as extracted from cockpit-ws-0.96-1.fc23.x86_64.rpm):

<?xml version="1.0" encoding="utf-8"?>
<service>
  <!-- This is a firewalld service definition for Cockpit -->
  <short>Cockpit</short>
  <description>Cockpit lets you access and configure your server remotely.</description>
  <port protocol="tcp" port="9090"/>
</service>

Service "cockpit" is then also listed in the "Firewall Configuration" (firewall-config) application.

Comment 13 David Tonhofer 2016-07-31 07:44:37 UTC
Observing this in Fedora 24 Workstation.

firewalld-0.4.3.2-1.fc24.noarch

Please increase OS version.

Comment 14 Christian Stadelmann 2016-09-28 22:38:39 UTC
(In reply to David Tonhofer from comment #13)
> Observing this in Fedora 24 Workstation.
> 
> firewalld-0.4.3.2-1.fc24.noarch
> 
> Please increase OS version.

Still present on F25.

Comment 15 Fedora End Of Life 2016-11-24 11:19:24 UTC
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 16 Christian Stadelmann 2016-11-24 17:35:03 UTC
Please change version number to 25.

Comment 17 Jesse Barnes 2017-01-03 19:33:18 UTC
Still happens with latest F25 updates.  Confirmed that the workaround still works.

Comment 18 Fedora End Of Life 2017-02-28 09:39:07 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 19 Paul Gier 2017-03-15 03:11:17 UTC
Another workaround is to comment out the line
<!-- <service name="cockpit"/> -->

from the file:
/usr/lib/firewalld/zones/FedoraServer.xml

Comment 20 Prarit Bhargava 2017-03-22 11:54:38 UTC
Adding stefw (cockpit maintainer).

Stef and Thomas, 

I'm not sure who is responsible for this issue as it could require changes to both cockpit and firewalld.  The issue is that if firewalld is installed on a system without cockpit there is a several minute delay when shutting down the system.

The workaround (and IMO fix to firewalld) is to remove the cockpit entry from /usr/lib/firewalld/zones/FedoraServer.xml.  However, I suspect doing this would break cockpit.

Do either of you have a suggestion that might make this easier to fix?

Thanks,

P.

Comment 21 Prarit Bhargava 2017-03-22 11:55:16 UTC
See previous comment.

P.

Comment 22 Thomas Woerner 2017-03-30 14:05:47 UTC
The question is: Which service is needing the extra time to get stopped? If there is no cockpit installed, then there should be no one using and depending on this port.

Comment 23 Jan Pokorný [poki] 2017-03-30 17:09:20 UTC
Tangentially, I wonder what can be done about higher-level integration.

I mean, there's no need to have ports for ssh/cockpit/whatever
open statically all the time, only when you actually run sshd
or a cockpit daemon.  When you do so, you know you have the
respective package installed, which may also deliver the service
configuration file(s).  It looks to me that everything (rightfully)
moves in a direction of on-demand/event-based handling, but I am short
of ideas how to put the static and dynamic worlds together in
a coherent, manageable and safe (as we are talking about a security
measure) way.

Comment 24 Prarit Bhargava 2017-04-04 11:45:41 UTC
(In reply to Thomas Woerner from comment #22)
> The question is: Which service is needing the extra time to get stopped? If
> there is no cockpit installed, then there should be no one using and
> depending on this port.

AFAICT it is firewalld that is waiting.  It is (again AFAICT) waiting for some uninstalled cockpit script to return.

By *default* /usr/lib/firewalld/zones/FedoraServer.xml contains an entry for cockpit, even when cockpit has never been installed on the box.

P.

Comment 25 Thomas Woerner 2017-04-04 13:51:32 UTC
firewalld does not use any cockpit scripts. The only reference in firewalld configuration to cockpit is the FedoraServer zone file to enable the cockpit port in the firewall if the cockpit service file exists. If this file is not installed, then this is ignored with a warning.

If you see a message about firewalld waiting for some cockpit script, then please provide more information about this.

Please have a look at https://bugzilla.redhat.com/show_bug.cgi?id=1110711 why the cockpit service is enabled if the cockpit package is installed.

Comment 26 Christian Stadelmann 2017-04-04 14:14:50 UTC
(In reply to Prarit Bhargava from comment #24)
> […]

(In reply to Thomas Woerner from comment #25)
> firewalld does not use any cockpit scripts. The only reference in firewalld
> configuration to cockpit is the FedoraServer zone file to enable the cockpit
> port in the firewall if the cockpit service file exists. If this file is not
> installed, then this is ignored with a warning.
> 
> If you see a message about firewalld waiting for some cockpit script, then
> please provide more information about this.

This bug report is NOT about any scripts. Please have a look at comment #0. This bug report is about the fact that firewalld is printing a warning if cockpit is not installed.

(In reply to Roland Hermans from comment #0)
> WARNING: FedoraServer: INVALID_SERVICE: cockpit
> 
> […]
> Additional info:
> The cockpit service is referenced in file
> /usr/lib/firewalld/zones/FedoraServer.xml, which is part of the firewalld
> rpm. However the cockpit service is defined in
> /usr/lib/firewalld/services/cockpit.xml, which is part of the cockpit rpm.
> Perhaps the zone defined in FedoraServer.xml should only be installed on
> Fedora Server and not on Fedora Workstation?

Or the firewall zone XML file should be modular (e.g. being a directory like systctl.d is to sysctl.conf) so that the cockpit package can add itself to the FedoraServer firewall zone. At least the default config should not be shipped broken.

Comment 27 Aravindh Sampathkumar 2017-04-12 04:28:57 UTC
I hit the same error on a fresh install of Fedora 25 on Dell XPS 13 - 9350. During reboot, the system would be held up by "A stop job is running for firewalld - dynamic firewall daemon" and keeps increasing a timer to no end. 

This is a fresh install of F25 and I manually verified cockpit was not installed. 

I read this bug report and tried to comment out the reference to cockpit in 
/usr/lib/firewalld/zones/FedoraServer.xml as Paul Gier suggested above. This resolves the hold up. 

If cockpit is not installed by default in workstation release, then this config file reference should be removed.

Comment 28 Thomas Woerner 2017-04-18 11:35:29 UTC
(In reply to Aravindh Sampathkumar from comment #27)
> I hit the same error on a fresh install of Fedora 25 on Dell XPS 13 - 9350.
> During reboot, the system would be held up by "A stop job is running for
> firewalld - dynamic firewall daemon" and keeps increasing a timer to no end. 
> 
> This is a fresh install of F25 and I manually verified cockpit was not
> installed. 
> 
> I read this bug report and tried to comment out the reference to cockpit in 
> /usr/lib/firewalld/zones/FedoraServer.xml as Paul Gier suggested above. This
> resolves the hold up. 
> 
> If cockpit is not installed by default in workstation release, then this
> config file reference should be removed.

Could it be that you are using a Broadcom BCM43602 chip with the brcmfmac driver?

See https://bugzilla.redhat.com/show_bug.cgi?id=1397274#c9

Comment 29 Dominic P Geevarghese 2017-07-27 04:27:32 UTC
I am getting firewalld warning in a fresh F26 workstation box where I don't see cockpit installed as part of default package installation. 

firewalld[xxx]: WARNING: FedoraServer: INVALID_SERVICE: cockpit


/dominic

Comment 30 Paul DeStefano 2017-07-31 01:18:02 UTC
Hmm, I'm not seeing this any longer on updated F26.  The last time I see this error in the log is 2017.04.09.

Comment 31 Petr Stodulka 2017-10-09 12:06:34 UTC
Unfortunately, I see this still even on up-to-date F26 system. It is still actual issue.

Comment 32 Christian Stadelmann 2017-10-25 20:54:40 UTC
Still present on Fedora 27. Please update the product version.

(In reply to Thomas Woerner from comment #28)
> Could it be that you are using a Broadcom BCM43602 chip with the brcmfmac
> driver?
> 
> See https://bugzilla.redhat.com/show_bug.cgi?id=1397274#c9

No, this could not be. I'm using a iwlwifi based card by the way.

Comment 33 pmart12 2017-12-07 20:57:20 UTC
I can confirm : still present on F27

Comment 34 Paul DeStefano 2017-12-07 21:48:15 UTC
Hmm, I tried again and I don't see any errors.

* Go to Administration menu
* Click on "Firewall"
* Firewall Configuration starts, and asks me to authenticate
* After authentication, I can interact with the Firewall Configuration program

Cockpit is still not installed.  I don't remember taking any action to fix this.

Comment 35 Fedora End Of Life 2018-05-03 09:08:47 UTC
This message is a reminder that Fedora 26 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 26. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '26'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 26 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 36 Barry Scott 2018-05-28 15:37:39 UTC
Present in F28 as well.

Another work around is to mask the bad file with one is /etc/firewalld.

cd /etc/firewalld/zones
ln -s Public.xml FedoraServer.xml

Of course this assume that you do not need a FedoraServer.xml

Comment 37 Fedora End Of Life 2018-05-29 11:35:54 UTC
Fedora 26 changed to end-of-life (EOL) status on 2018-05-29. Fedora 26
is no longer maintained, which means that it will not receive any
further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 38 Landon Jobe 2018-06-09 19:28:14 UTC
Still experiencing in Fedora Workstation 28.

Comment 39 Landon Jobe 2018-06-09 19:28:51 UTC
Still experiencing in Fedora Workstation 28.

Comment 40 Eric Garver 2018-09-13 15:51:19 UTC
This has been fixed in f29. In newer firewalld 0.6.1 the cockpit service definition has been moved to firewalld.

Comment 41 Christian Stadelmann 2018-11-28 19:40:10 UTC
*** Bug 1487630 has been marked as a duplicate of this bug. ***

Comment 42 Ben Cotton 2019-05-02 20:12:42 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 43 Ben Cotton 2019-05-28 23:23:26 UTC
Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 44 Red Hat Bugzilla 2023-09-14 02:52:00 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days