Bug 1171114
Summary: | Starting firewalld gives warning when cockpit is not installed
---|---
Product: | [Fedora] Fedora
Reporter: | Roland Hermans <rolandh>
Component: | firewalld
Assignee: | Eric Garver <egarver>
Status: | CLOSED EOL
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | low
Priority: | unspecified
Version: | 28
CC: | alex, a.lloyd.flanagan, aravindh, aurelien, barry, bughunt, dominicpg, fahlmanc_ca, fedora, guido.aulisi, igeorgex, jbarnes, jobelandon, jpokorny, jpopelka, michael, mysqlstudent, nenadalm, paulo.fidalgo.pt, peter, pgier, phimart, pickeringw, prarit, prd-fedora, pstodulk, redhat, shulyaka, sjensen, stefw, stephenbryant, thib, twoerner, warlord, zr.zz.alp
Target Milestone: | ---
Keywords: | Reopened
Target Release: | ---
Hardware: | Unspecified
OS: | Unspecified
Doc Type: | Bug Fix
Story Points: | ---
: | 1408365
Last Closed: | 2019-05-28 23:23:26 UTC
Type: | Bug
Regression: | ---
Mount Type: | ---
Documentation: | ---
Category: | ---
oVirt Team: | ---
Cloudforms Team: | ---

Description
Roland Hermans
2014-12-05 11:32:49 UTC

I can confirm this issue on F22 alpha.

I can confirm this issue on (my) F21

confirmed on my F21 installation as well.

This affects my Fedora 22.

I'm seeing this on Fedora-22 ARM

This message is a reminder that Fedora 21 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '21'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 21 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Still present on F23. Please change the product version.

Still present on 23

It was discovered as the boot time of firewalld is strangely long, and after digging the log of firewalld, we have:

```
WARNING: FedoraServer: INVALID_SERVICE: cockpit
```

and the cockpit is not installed at all.

It appears that even though --list-services shows it's not there, it actually is. Use --remove-service=cockpit appears to fix it.

```
# firewall-cmd --list-services --zone=FedoraServer
dhcpv6-client ssh
# firewall-cmd --zone=FedoraServer --add-service=cockpit
Warning: ALREADY_ENABLED: cockpit
# firewall-cmd --zone=FedoraServer --remove-service=cockpit
success
```

--remove-service does not fit and send back another error

```
aurelien@bigfoot:/var/log$ sudo firewall-cmd --zone=FedoraWorkstation --remove-service=cockpit
Error: INVALID_SERVICE: cockpit
aurelien@bigfoot:/var/log$ sudo firewall-cmd --complete-reload
success
aurelien@bigfoot:/var/log$ sudo firewall-cmd --zone=FedoraWorkstation --remove-service=cockpit
Error: INVALID_SERVICE: cockpit
aurelien@bigfoot:/var/log$ sudo firewall-cmd --complete-reload
success
aurelien@bigfoot:/var/log$ uname -a
Linux bigfoot 4.4.4-301.fc23.x86_64 #1 SMP Fri Mar 4 17:42:42 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
```

Same as root

```
# firewall-cmd --zone=FedoraWorkstation --remove-service=cockpit
Error: INVALID_SERVICE: cockpit
```

firewalld-0.4.0-2.fc23.noarch provides file /usr/lib/firewalld/zones/FedoraServer.xml which contains the following service name definition:

```
<service name="cockpit"/>
```

However the file /usr/lib/firewalld/services/cockpit.xml does not exist, so every firewall startup produces the error: "WARNING: FedoraServer: INVALID_SERVICE: cockpit"

WORKAROUND
----------

Create a file /usr/lib/firewalld/services/cockpit.xml containing the following (as extracted from cockpit-ws-0.96-1.fc23.x86_64.rpm):

```
<?xml version="1.0" encoding="utf-8"?>
<service>
  <!-- This is a firewalld service definition for Cockpit -->
  <short>Cockpit</short>
  <description>Cockpit lets you access and configure your server remotely.</description>
  <port protocol="tcp" port="9090"/>
</service>
```

Service "cockpit" is then also listed in the "Firewall Configuration" (firewall-config) application.

Observing this in Fedora 24 Workstation.

firewalld-0.4.3.2-1.fc24.noarch

Please increase OS version.

(In reply to David Tonhofer from comment #13)
> Observing this in Fedora 24 Workstation.
>
> firewalld-0.4.3.2-1.fc24.noarch
>
> Please increase OS version.

Still present on F25.

This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Please change version number to 25.

Still happens with latest F25 updates. Confirmed that the workaround still works.

This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.

Another workaround is to comment out the line

```
<!-- <service name="cockpit"/> -->
```

from the file: /usr/lib/firewalld/zones/FedoraServer.xml

Adding stefw (cockpit maintainer).

Stef and Thomas, I'm not sure who is responsible for this issue as it could require changes to both cockpit and firewalld.

The issue is that if firewalld is installed on a system without cockpit there is a several minute delay when shutting down the system. The workaround (and IMO fix to firewalld) is to remove the cockpit entry from /usr/lib/firewalld/zones/FedoraServer.xml. However, I suspect doing this would break cockpit.

Do either of you have a suggestion that might make this easier to fix?

Thanks,

P.

See previous comment.

P.

The question is: Which service is needing the extra time to get stopped? If there is no cockpit installed, then there should be no one using and depending on this port.

Tangentially, I wonder what can be done about higher-level integration. I mean, there's no need to have ports for ssh/cockpit/whatever open statically all the time, only when you actually run sshd or a cockpit daemon. When you do so, you know you have the respective package installed, which may also deliver the service configuration file(s).

It looks to me that everything (rightfully) moves in a direction of on-demand/event-based handling, but I am short of ideas how to put the static and dynamic worlds together in a coherent, manageable and safe (as we are talking about a security measure) way.

(In reply to Thomas Woerner from comment #22)
> The question is: Which service is needing the extra time to get stopped? If
> there is no cockpit installed, then there should be no one using and
> depending on this port.

AFAICT it is firewalld that is waiting. It is (again AFAICT) waiting for some uninstalled cockpit script to return. By *default* /usr/lib/firewalld/zones/FedoraServer.xml contains an entry for cockpit, even when cockpit has never been installed on the box.

P.

firewalld does not use any cockpit scripts. The only reference in firewalld configuration to cockpit is the FedoraServer zone file to enable the cockpit port in the firewall if the cockpit service file exists. If this file is not installed, then this is ignored with a warning.

If you see a message about firewalld waiting for some cockpit script, then please provide more information about this.

Please have a look at https://bugzilla.redhat.com/show_bug.cgi?id=1110711 why the cockpit service is enabled if the cockpit package is installed.

(In reply to Prarit Bhargava from comment #24)
> […]

(In reply to Thomas Woerner from comment #25)
> firewalld does not use any cockpit scripts. The only reference in firewalld
> configuration to cockpit is the FedoraServer zone file to enable the cockpit
> port in the firewall if the cockpit service file exists. If this file is not
> installed, then this is ignored with a warning.
>
> If you see a message about firewalld waiting for some cockpit script, then
> please provide more information about this.

This bug report is NOT about any scripts. Please have a look at comment #0. This bug report is about the fact that firewalld is printing a warning if cockpit is not installed.

(In reply to Roland Hermans from comment #0)
> WARNING: FedoraServer: INVALID_SERVICE: cockpit
>
> […]
> Additional info:
> The cockpit service is referenced in file
> /usr/lib/firewalld/zones/FedoraServer.xml, which is part of the firewalld
> rpm. However the cockpit service is defined in
> /usr/lib/firewalld/services/cockpit.xml, which is part of the cockpit rpm.
> Perhaps the zone defined in FedoraServer.xml should only be installed on
> Fedora Server and not on Fedora Workstation?

Or the firewall zone XML file should be modular (e.g. being a directory like sysctl.d is to sysctl.conf) so that the cockpit package can add itself to the FedoraServer firewall zone. At least the default config should not be shipped broken.

I hit the same error on a fresh install of Fedora 25 on Dell XPS 13 - 9350. During reboot, the system would be held up by "A stop job is running for firewalld - dynamic firewall daemon" and keeps increasing a timer to no end.

This is a fresh install of F25 and I manually verified cockpit was not installed.

I read this bug report and tried to comment out the reference to cockpit in /usr/lib/firewalld/zones/FedoraServer.xml as Paul Gier suggested above. This resolves the hold up.

If cockpit is not installed by default in workstation release, then this config file reference should be removed.

(In reply to Aravindh Sampathkumar from comment #27)
> I hit the same error on a fresh install of Fedora 25 on Dell XPS 13 - 9350.
> During reboot, the system would be held up by "A stop job is running for
> firewalld - dynamic firewall daemon" and keeps increasing a timer to no end.
>
> This is a fresh install of F25 and I manually verified cockpit was not
> installed.
>
> I read this bug report and tried to comment out the reference to cockpit in
> /usr/lib/firewalld/zones/FedoraServer.xml as Paul Gier suggested above. This
> resolves the hold up.
>
> If cockpit is not installed by default in workstation release, then this
> config file reference should be removed.

Could it be that you are using a Broadcom BCM43602 chip with the brcmfmac driver?

See https://bugzilla.redhat.com/show_bug.cgi?id=1397274#c9

I am getting firewalld warning in a fresh F26 workstation box where I don't see cockpit installed as part of default package installation.

```
firewalld[xxx]: WARNING: FedoraServer: INVALID_SERVICE: cockpit
```

/dominic

Hmm, I'm not seeing this any longer on updated F26. The last time I see this error in the log is 2017.04.09.

Unfortunately, I see this still even on up-to-date F26 system. It is still actual issue.

Still present on Fedora 27. Please update the product version.

(In reply to Thomas Woerner from comment #28)
> Could it be that you are using a Broadcom BCM43602 chip with the brcmfmac
> driver?
>
> See https://bugzilla.redhat.com/show_bug.cgi?id=1397274#c9

No, this could not be. I'm using an iwlwifi based card by the way.

I can confirm: still present on F27

Hmm, I tried again and I don't see any errors.

* Go to Administration menu
* Click on "Firewall"
* Firewall Configuration starts, and asks me to authenticate
* After authentication, I can interact with the Firewall Configuration program

Cockpit is still not installed. I don't remember taking any action to fix this.

This message is a reminder that Fedora 26 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '26'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 26 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Present in F28 as well.

Another workaround is to mask the bad file with one in /etc/firewalld.

```
cd /etc/firewalld/zones
ln -s Public.xml FedoraServer.xml
```

Of course this assumes that you do not need a FedoraServer.xml

Fedora 26 changed to end-of-life (EOL) status on 2018-05-29. Fedora 26 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Still experiencing in Fedora Workstation 28.

This has been fixed in f29. In newer firewalld 0.6.1 the cockpit service definition has been moved to firewalld.

*** Bug 1487630 has been marked as a duplicate of this bug. ***

This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
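
Added example, not part of the bug report and not firewalld's own code: a check for the condition diagnosed in this thread, a zone file naming a service that has no definition file. It assumes the two configuration roots mentioned in the comments (/etc/firewalld masking /usr/lib/firewalld); `dangling_services` and `build_sample` are hypothetical names, and the sample tree is constructed.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed layout: a file in /etc/firewalld masks the same-named file in /usr/lib/firewalld.
DEFAULT_ROOTS = (Path("/etc/firewalld"), Path("/usr/lib/firewalld"))

def dangling_services(roots=DEFAULT_ROOTS):
    """Return sorted (zone, service) pairs whose service has no definition file."""
    roots = [Path(r) for r in roots]
    defined = {p.stem for r in roots for p in (r / "services").glob("*.xml")}
    zones = {}
    for root in roots:  # earlier roots win, so a masking zone file is the one parsed
        for zf in sorted((root / "zones").glob("*.xml")):
            zones.setdefault(zf.name, zf)
    missing = []
    for zf in zones.values():
        for el in ET.parse(zf).getroot().findall("service"):
            svc = el.get("name")
            if svc and svc not in defined:
                missing.append((zf.stem, svc))
    return sorted(missing)

def build_sample(base):
    """Constructed tree reproducing the report: zone references cockpit, no cockpit.xml."""
    lib = Path(base) / "usr/lib/firewalld"
    etc = Path(base) / "etc/firewalld"
    for d in (lib / "zones", lib / "services", etc / "zones", etc / "services"):
        d.mkdir(parents=True)
    (lib / "zones" / "FedoraServer.xml").write_text(
        '<zone><service name="ssh"/><service name="dhcpv6-client"/>'
        '<service name="cockpit"/></zone>')
    for svc in ("ssh", "dhcpv6-client"):
        (lib / "services" / f"{svc}.xml").write_text("<service/>")
    return etc, lib

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        etc, lib = build_sample(tmp)
        print(dangling_services((etc, lib)))  # the reported state
        (lib / "services" / "cockpit.xml").write_text(
            '<service><port protocol="tcp" port="9090"/></service>')
        print(dangling_services((etc, lib)))  # after the cockpit.xml workaround
```

The workarounds in the thread are not equivalent from a firewall point of view: creating cockpit.xml silences the warning and, as the maintainer's comment describes, lets the zone enable the cockpit port (tcp/9090), whereas commenting out or masking the reference leaves that port closed.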