Bug 1381135

Summary: [FC28] otopi fails to detect firewalld if python2-firewall is not available
Product: [oVirt] otopi
Component: Plugins.network
Version: master
Status: CLOSED UPSTREAM
Severity: high
Priority: high
Reporter: Sandro Bonazzola <sbonazzo>
Assignee: Gal Zaidman <gzaidman>
QA Contact: Lukas Svaty <lsvaty>
Docs Contact: Rolfe Dlugy-Hegwer <rdlugyhe>
CC: bugs, didi, gzaidman, lsvaty, nsoffer, pkovar, rdlugyhe, sbonazzo, ylavi
Target Milestone: ovirt-4.3.0
Target Release: 1.8.0
Flags: rule-engine: ovirt-4.3+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: otopi-1.8.0_beta1
Doc Type: Bug Fix
Doc Text: Previously, in Fedora 24 and above, OTOPI did not detect firewalld and produced a "No firewalld python module" log entry. The current release fixes this issue.
Story Points: ---
Last Closed: 2018-08-16 08:03:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Integration
Cloudforms Team: ---
Bug Blocks: 1460625
Attachments: host deploy log showing the error (flags: none)

Description Sandro Bonazzola 2016-10-03 08:35:15 UTC
Description of problem:
In Fedora 24, python3 is used by default in most of the system commands.
In particular firewall-cmd is now running on python3 so python2-firewall is not installed by default.

A possible solution is to check if python3-firewall is installed in an early stage and install python2-firewall as required package if missing in such case.

As an alternative we need to document this as a known issue.

Comment 1 Yedidyah Bar David 2018-05-14 09:05:36 UTC
otopi only uses firewalld's python api/code for a single thing - to check the installed version. Everything else is done by running 'firewall-cmd'.

We can change the code to run 'firewall-cmd --version' also for this.

Current bug, though, should not be relevant anymore, because we recently changed otopi to use python3 by default, see bug 1316950.

Comment 2 Sandro Bonazzola 2018-06-22 06:29:09 UTC
From https://lists.ovirt.org/archives/list/devel@ovirt.org/message/OP2EBYDWSKIPFVNXSTL6QTTKYNJFBPEA/

Next failure is in TASK [ovirt-host-deploy-firewalld : Enable SSH port] 
unsupported version of firewalld, requires >= 0.2.11

# rpm -q firewalld
firewalld-0.5.2-2.fc28.noarch

Obviously the complaint is incorrect, "0.5.2" > "0.2.11".


Moving back to assigned.
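
Added example, not otopi's or ansible's code: one way to do the version check proposed in comment 1 by running `firewall-cmd --version` instead of importing the python module, with a numeric comparison applied to the values quoted in comment 2. The function names, the injectable `argv` parameter and the 10-second timeout are assumptions made for illustration.

```python
import re
import subprocess


def parse_version(text):
    """Turn '0.5.2' (or '0.5.2-2.fc28') into a tuple of ints: (0, 5, 2)."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if match is None:
        raise ValueError("no version number in %r" % text)
    return tuple(int(part) for part in match.group(1).split("."))


def firewalld_version(argv=("firewall-cmd", "--version")):
    """Return the installed version as a tuple, or None if not detectable.

    Runs the CLI rather than importing the 'firewall' python module, so the
    result does not depend on which interpreter has the bindings installed.
    """
    try:
        proc = subprocess.run(
            list(argv), capture_output=True, text=True, timeout=10, check=False
        )
    except (OSError, subprocess.TimeoutExpired):
        return None  # binary missing or hung: treat as "not detected"
    if proc.returncode != 0:
        return None
    try:
        return parse_version(proc.stdout)
    except ValueError:
        return None  # output did not start with a version number


def is_supported(installed, minimum):
    """Component-wise numeric comparison; None (not detected) is unsupported."""
    return installed is not None and installed >= parse_version(minimum)


if __name__ == "__main__":
    # Minimum taken from the error text quoted in comment 2.
    print(is_supported(firewalld_version(), "0.2.11"))
```

Comparing integer tuples avoids the trap of comparing version strings, where "0.10.0" sorts below "0.2.11".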

Comment 3 Nir Soffer 2018-06-22 14:03:03 UTC
Created attachment 1453737 [details]
host deploy log showing the error

Comment 4 Yedidyah Bar David 2018-07-01 08:49:06 UTC
(In reply to Sandro Bonazzola from comment #2)
> From
> https://lists.ovirt.org/archives/list/devel@ovirt.org/message/
> OP2EBYDWSKIPFVNXSTL6QTTKYNJFBPEA/
> 
> Next failure is in TASK [ovirt-host-deploy-firewalld : Enable SSH port] 
> unsupported version of firewalld, requires >= 0.2.11

I believe this error message is from ansible [1], not from otopi. Please open a new bug for this.

[1] https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/firewalld.py#L296

> 
> # rpm -q firewalld
> firewalld-0.5.2-2.fc28.noarch
> 
> Obviously the complaint is incorrect, "0.5.2" > "0.2.11".
> 
> 
> Moving back to assigned.

Comment 5 Sandro Bonazzola 2018-07-02 06:18:59 UTC
(In reply to Yedidyah Bar David from comment #4)

> I believe this error message is from ansible [1], not from otopi. Please
> open a new bug for this.

Opened bug #1597121, thanks!

Comment 6 Rolfe Dlugy-Hegwer 2019-01-17 16:30:29 UTC
I've copyedited the content in Doc Text. Please review and confirm.

Comment 7 Sandro Bonazzola 2019-01-18 08:24:45 UTC
(In reply to Rolfe Dlugy-Hegwer from comment #6)
> I've copyedited the content in Doc Text. Please review and confirm.

Redirecting to Gal

Comment 8 Yedidyah Bar David 2019-01-20 09:13:25 UTC
I do not think we really need to mention this bug in the release notes.

It's enough to say that fedora is still not supported, although there is some good progress. No need to mention each and every relevant bug.

Comment 9 Rolfe Dlugy-Hegwer 2019-01-21 12:23:47 UTC
Thanks Gal and Yedidyah. I've updated the Doc Text to, I hope, correctly reflect your feedback.

I've diminished the importance of this BZ (bz#1381135) by setting its Doc Type field to Known Issue. 

The Status of bz#1316950 (OTOPI should use python3 interpreter on Fedora) is POST for 4.3. I'm new here, so I'm not sure how that affects bz#1381135. Therefore, I've kept the Doc Text content above as minimal as possible. 

Please review the updated Doc Text and feel free to suggest further changes.

Comment 10 Gal Zaidman 2019-01-21 12:54:44 UTC
I have to say that I agree with Yedidyah, I don't think that bug needs to be mentioned in the release notes, since fedora is not supported yet.

But if we insist on having it, I think that we need to change the Doc Text, I don't agree with the line:
"To work around this issue, install the python2-firewall package."
because that is what needed to be done **before** the fix to workaround the issue, currently the issue is prevented.

currently, the user doesn't need to workaround that issue, and if we want to stick with the CCWR as in the Bugzilla docs:

https://bugzilla.redhat.com/page.cgi?id=fields.html#cf_release_notes

Cause:
In Fedora 24 and above, python3 is used by default in most of the system commands.
In particular firewall-cmd is now running on python3 so python2-firewall is not installed by default.
OTOPI runs on python2 by default therefore and import python3-firewall

Consequence:
produces a "No firewalld python module" log entry.

Workaround:
use python3-firewall from the cli

Result:
no restrictions

Comment 11 Rolfe Dlugy-Hegwer 2019-01-21 15:13:52 UTC
Thank you both. I'll suppress the release note for this BZ by marking it as NOTABUG. This means that we will NOT be following the previous recommendation to say "that fedora is still not supported".

Comment 12 Petr Kovar 2019-01-21 15:49:06 UTC
(In reply to Rolfe Dlugy-Hegwer from comment #11)
> Thank you both. I'll suppress the release note for this BZ by marking it as
> NOTABUG. This means that we will NOT be following the previous
> recommendation to say "that fedora is still not supported".

The correct way to do this is to set the requires_doc_text flag to "-".