Bug 1872759
| Summary: | fail2ban-shorewall requires change to include shorewall-lite or shorewall | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | William H. Haller <bill> |
| Component: | fail2ban | Assignee: | Richard Shaw <hobbes1069> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | epel7 | CC: | anon.amish, axel.thimm, hobbes1069, orion, vonsch |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | fail2ban-0.11.1-10.fc34 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-08-28 11:50:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
William H. Haller
2020-08-26 15:04:02 UTC
I don't think rpm in EL 7 can handle this well. In Fedora (and EL 8 I *think*) we have Recommends: and Suggests: which might be one path to fix the problem, but no such options in EL 7. Looking and the provides of both packages: $ sudo repoquery --provides shorewall-lite config(shorewall-lite) = 5.1.10.2-1.el7 shorewall(firewall) = 5.1.10.2-1.el7 shorewall-lite = 5.1.10.2-1.el7 $ sudo repoquery --provides shorewall config(shorewall) = 5.1.10.2-1.el7 perl(Shorewall::ARP) = 5.0 perl(Shorewall::Accounting) = 5.1 perl(Shorewall::Chains) = 5.1 perl(Shorewall::Compiler) = 5.1 perl(Shorewall::Config) = 5.1 perl(Shorewall::IPAddrs) = 5.1 perl(Shorewall::Misc) = 5.1 perl(Shorewall::Nat) = 5.1 perl(Shorewall::Proc) = 4.6 perl(Shorewall::Providers) = 5.1 perl(Shorewall::Proxyarp) = 5.1 perl(Shorewall::Raw) = 5.0 perl(Shorewall::Rules) = 5.1 perl(Shorewall::Tc) = 5.1 perl(Shorewall::Tunnels) = 5.0 perl(Shorewall::Zones) = 5.1 shorewall = 5.1.10.2-1.el7 shorewall(firewall) = 5.1.10.2-1.el7 The only thing they have in common is "shorewall(firewall)". I think what we can do is I can change the requirement to that so that either package satisfies the dependency, however, I can't control which package yum chooses so I would suggest that you install shorewall-lite first and yum *SHOULD* accept that as meeting the requirements and not install shorewall. Testing on the epel7 test server it does pull in shorewall-lite by default, which I'm not thrilled about... $ sudo yum install "shorewall(firewall)" Loaded plugins: fastestmirror Determining fastest mirrors * base: d36uatko69830t.cloudfront.net * epel: mirrors.kernel.org * extras: d36uatko69830t.cloudfront.net * updates: d36uatko69830t.cloudfront.net Resolving Dependencies --> Running transaction check ---> Package shorewall-lite.noarch 0:5.1.10.2-1.el7 will be installed --> Processing Dependency: shorewall-core = 5.1.10.2-1.el7 for package: shorewall-lite-5.1.10.2-1.el7.noarch --> Running transaction check ---> Package shorewall-core.noarch 0:5.1.10.2-1.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ======================================================================================================================= Package Arch Version Repository Size ======================================================================================================================= Installing: shorewall-lite noarch 5.1.10.2-1.el7 epel 63 k Installing for dependencies: shorewall-core noarch 5.1.10.2-1.el7 epel 82 k Transaction Summary ======================================================================================================================= Install 1 Package (+1 Dependent package) I'll have to think about this. On Fedora EPEL 8 I can add a recommends for plain shorewall but can't do that on EL 7. Ok, different strategy. I created a fail2ban-shorewall-lite subpackage which conflicts with fail2ban-shorewall so only one or the other can be installed as they provide the same file. https://koji.fedoraproject.org/koji/taskinfo?taskID=50243307 You can download all the build artifacts for testing using: koji download-task 50243532 I think a separate fail2ban-shorewall-lite package would be a good approach if adding another package wasn't a problem for anyone. Not trying to make waves - but I think it would be a useful option. I'd think there would be more installs of shorewall-lite (for anyone who has a centralized firewall creation server) than shorewall. It would certainly be better than having do depend on randomness of yum/dnf or remember to not install shorewall first (especially for those like me that said why install shorewall and shorewall-lite and just deleted the shorewall package that wasn't needed in trying to keep virtual images as small as possible). Thanks for your time and I hope adding fail2ban-shorewall-lite passes the approval process. If you would, please test my scratch build before I do real builds. There's no approval process other than me. :) Hit a block. I'm running FC32 on the shorewall server, which doesn't satisfy python 3.9 for fail2ban-server and el7's python is only at 2.7.5-88. My fault, I assumed since it was a noarch package it really wouldn't matter but you do need EL 7 specific packages. https://koji.fedoraproject.org/koji/taskinfo?taskID=50261492 rpm -e --justdb fail2ban-shorewall followed by rpm -ivh fail2ban-shorewall-lite seemed to work fine. FYI, I would have suggested: yum swap fail2ban-shorewall fail2ban-shorewall-lite FEDORA-2020-3071e15f57 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report. |