Bug 2224648

Summary: fix: reload on resetting to defaults
Product: Red Hat Enterprise Linux 8
Reporter: Rich Megginson <rmeggins>
Component: rhel-system-roles
Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA
QA Contact: David Jež <djez>
Severity: unspecified
Docs Contact: Gabi Fialová <gfialova>
Priority: unspecified
Version: 8.9
CC: djez, gfialova, jharuda, lmanasko, rhel-cs-system-management-subsystem-qe, spetrosi, vdanek
Target Milestone: rc
Keywords: Triaged
Target Release: 8.9
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard: role:firewall
Fixed In Version: rhel-system-roles-1.22.0-1.el8
Doc Type: Enhancement
Doc Text:
.Resetting the `firewall` RHEL System Role configuration now requires minimal downtime

Previously, when you reset the `firewall` role configuration by using the `previous: replaced` variable, the `firewalld` service restarted. Restarting adds downtime and prolongs the period of an open connection in which `firewalld` does not block traffic from active connections. With this enhancement, the `firewalld` service completes the configuration reset by reloading instead of restarting. Reloading minimizes the downtime and reduces the opportunity to bypass firewall rules. As a result, using the `previous: replaced` variable to reset the `firewall` role configuration now requires minimal downtime.
Story Points: ---
Clone Of: 2223764
Environment:
Last Closed: 2023-11-14 15:31:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2223764
Bug Blocks:

Description Rich Megginson 2023-07-21 18:51:16 UTC
+++ This bug was initially created as a clone of Bug #2223764 +++

Enhancement:
Make resetting to defaults reload instead of restart firewalld

Reason:
Reloading in firewalld should successfully complete the configuration reset; restarting adds downtime

Result:
Minimal downtime when using previous: replaced

Addresses an issue brought up in https://github.com/linux-system-roles/firewall/issues/140, where due to the restart on resetting to defaults, the feature may not be suitable for production environments.
See https://github.com/linux-system-roles/firewall/pull/159
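
One way to check the behaviour this enhancement describes on a managed host, as an added example that is not part of the bug report or the role's own code: the playbook compares the `firewalld` MainPID before and after a `previous: replaced` reset, since a restart gives the daemon a new PID and a reload does not. The role name `rhel-system-roles.firewall`, the `hosts` pattern and the `ssh` rule are assumptions.

```yaml
---
# Added example: confirm that a `previous: replaced` reset reloads firewalld
# instead of restarting it. A restart gives the daemon a new MainPID; a
# reload keeps the same process.
- name: Reset firewall config and verify firewalld was not restarted
  hosts: all          # assumption: limit to the hosts you want to reset
  become: true
  tasks:
    - name: Record firewalld MainPID before the reset
      ansible.builtin.command: systemctl show firewalld --property=MainPID --value
      register: pid_before
      changed_when: false

    - name: Require a running firewalld so the comparison is meaningful
      ansible.builtin.assert:
        that:
          - pid_before.stdout | int > 0
        fail_msg: firewalld is not running; start it before testing the reset

    - name: Reset to defaults, then re-apply the wanted rules
      ansible.builtin.include_role:
        name: rhel-system-roles.firewall   # assumption: role name as installed by the RPM
      vars:
        firewall:
          - previous: replaced
          - service: ssh                   # constructed sample rule
            state: enabled

    - name: Record firewalld MainPID after the reset
      ansible.builtin.command: systemctl show firewalld --property=MainPID --value
      register: pid_after
      changed_when: false

    - name: Fail if the daemon was restarted
      ansible.builtin.assert:
        that:
          - pid_before.stdout == pid_after.stdout
        fail_msg: >-
          firewalld MainPID changed ({{ pid_before.stdout }} -> {{ pid_after.stdout }}),
          so the service was restarted rather than reloaded
        success_msg: firewalld kept PID {{ pid_after.stdout }}; the reset used a reload
```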

Comment 10 errata-xmlrpc 2023-11-14 15:31:43 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (rhel-system-roles bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:6946

Comment 11 Red Hat Bugzilla 2024-03-14 04:26:05 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days.