Bug 1259864

Summary: firewall rules in kickstart script are overwritten due to lokkit -f call in /usr/lib/python2.6/site-packages/imgcreate/kickstart.py
Product: [Fedora] Fedora EPEL Reporter: Richard Clark <richard>
Component: livecd-toolsAssignee: Brian Lane <bcl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: el6CC: bcl, katzj, metherid, vanmeeuwen+fedora
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: livecd-tools-13.4.9 livecd-tools-13.4.9-1.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-04 22:55:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
patch lokkit call to not overwrite none

Description Richard Clark 2015-09-03 16:41:40 UTC
Created attachment 1069991 [details]
patch lokkit call to not overwrite

Description of problem: When creating an image using a kickstart script, using the standard notation (e.g: firewall --enabled --service ssh), the iptables config file (/etc/sysconfig/iptables) in the resulting image does not contain the ssh rule. It appears that this is overwritten by lokkit, and our "correct" configuration file gets written to /etc/sysconfig/iptables.old

There appear to be several fedora-related bugs, such as https://bugzilla.redhat.com/show_bug.cgi?id=769457

Version-Release number of selected component (if applicable): python-imgcreate-13.4.8-1

There is an older patch in the EL6 spec added in 2012 that removes the "-f" switch from lokkit being called in context of updating the firewall - only thing I can think of is that for some reason newer versions imgcreate is now running lokkit for selinux  _after_ the firewall has been configured, so overwriting firewall config.

Attached patch is basically the same as the older one, but removes the "-f" switch from lokkit in context of updating selinux config.

Comment 1 Brian Lane 2015-09-08 17:04:11 UTC
*** Bug 1259862 has been marked as a duplicate of this bug. ***

Comment 2 Brian Lane 2015-09-08 17:10:41 UTC
Looks like this needs commit d00a4d83188fbc911bd55954a2011c91b650128f

Comment 3 Fedora Update System 2015-11-11 01:31:25 UTC
livecd-tools-13.4.9-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-b5ec93dc2b

Comment 4 Fedora Update System 2015-11-11 19:17:20 UTC
livecd-tools-13.4.9-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update livecd-tools'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-b5ec93dc2b

Comment 5 Fedora Update System 2016-02-04 22:55:48 UTC
livecd-tools-13.4.9-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.