Bug 746213

Summary: kickstart firewall rules get overridden in /etc/sysconfig/iptables
Product: Fedora
Reporter: Tim Coote <tim+redhat.com>
Component: livecd-tools
Assignee: Brian Lane <bcl>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 15
CC: adam.stokes, bcl, bruno, dhuff, Jasper.Hartline, katzj
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-12-21 22:14:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Tim Coote 2011-10-14 11:27:34 UTC
Description of problem:
firewall rules in kickstart get created by livecd-creator, but then mv'd to /etc/sysconfig/iptables.old and a vanilla set of rules installed.

Digging in the source, I think that the problem could be due to a -f flag in the call to lokkit:
args = ["/usr/sbin/lokkit", "-f", "--quiet", "--nostart"] # line 177 of /usr/lib/python2.7/site-packages/imgcreate/kickstart.py

If I cut that "-f" out of the elements list, the process works as expected. Note that args is set this way in two places. Could it be a copy and paste problem?

Version-Release number of selected component (if applicable):
livecd-tools-15.7-1.fc15.i686

How reproducible:
consistently on a 32bit vm under f15


Steps to Reproduce:
1. Starting with a stock fedora-live-base.ks, update the firewall line to:
firewall --enabled --service=ssh

2. Run livecd-creator -c fedora-livecd-desktop.ks (ensuring that it's using the updated version of the files).
3. Either spin up the cd or look at the filesystem.

Actual results:
/etc/sysconfig/iptables.old is what you'd expect /etc/sysconfig/iptables to be. ssh is not let through the installed /etc/sysconfig/iptables.

Expected results:
/etc/sysconfig/iptables should include a rule to allow external connections on port 22.


Additional info:

Comment 1 Brian Lane 2011-12-21 22:14:02 UTC
Thanks, it ends up the lokkit call gets called in 2 places, and the 2nd one always wins due to the -f flag.

*** This bug has been marked as a duplicate of bug 769457 ***
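A check for the symptom described in the report and confirmed in comment 1 (the ssh rule from kickstart missing from the installed /etc/sysconfig/iptables). This is an added example, not code from the reporter or from livecd-tools; the rule file contents are constructed to match lokkit's output format, and the parser is a deliberately small reading of iptables-save syntax.

```python
import shlex

# Constructed sample of the lokkit-written file that "firewall --enabled
# --service=ssh" should produce (what ended up in iptables.old on affected builds).
EXPECTED_RULES = """\
# Firewall configuration written by system-config-firewall
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The vanilla set the second lokkit call installed: same file, no ssh rule.
VANILLA_RULES = "\n".join(
    l for l in EXPECTED_RULES.splitlines() if "--dport 22" not in l) + "\n"

# Options that narrow a rule to specific traffic; a REJECT/DROP rule with none
# of them is a catch-all, so nothing after it in the chain is ever reached.
MATCH_OPTS = {"-p", "-s", "-d", "-i", "-o", "-m", "--dport", "--sport"}


def parse_rules(text):
    """Return (chain, tokens) for every -A rule, in file order."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line.strip())
        if len(tokens) > 2 and tokens[0] == "-A":
            rules.append((tokens[1], tokens[2:]))
    return rules


def allows_tcp_port(text, port, chain="INPUT"):
    """True if an ACCEPT for tcp --dport <port> is reachable in the chain,
    i.e. it appears before any catch-all REJECT/DROP rule."""
    for rule_chain, tokens in parse_rules(text):
        if rule_chain != chain:
            continue
        target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
        if "tcp" in tokens and "--dport" in tokens and target == "ACCEPT" \
                and tokens[tokens.index("--dport") + 1] == str(port):
            return True
        if target in ("REJECT", "DROP") and not MATCH_OPTS & set(tokens):
            return False
    return False
```

Run it against the real file by reading the built image's /etc/sysconfig/iptables into `text`; a False for port 22 after an ssh-enabled kickstart is the overridden-file symptom from this bug.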