Bug 1002195 - FATAL ERROR: No IPv4 and IPv6 firewall. during installer DVD boot
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: lorax
Version: 20
Assigned To: Bill Nottingham
Keywords: Security
Reported: 2013-08-28 11:22 EDT by Steve Tyler
Modified: 2016-02-09 12:36 EST
Fixed In Version: lorax-20.0-1
Doc Type: Bug Fix
Last Closed: 2014-01-29 15:39:48 EST
Type: Bug


Attachments
syslog (66.53 KB, text/plain)
2013-08-28 11:22 EDT, Steve Tyler
screenshot showing error messages from ebtables, iptables, ip6tables (13.32 KB, image/png)
2013-08-29 18:23 EDT, Steve Tyler
dmesg-1.log with numerous avcs, including several for ebtables (42.34 KB, text/plain)
2013-08-29 18:30 EDT, Steve Tyler
syslog-1 (was /tmp/syslog) (70.66 KB, text/plain)
2013-08-29 18:35 EDT, Steve Tyler

Description Steve Tyler 2013-08-28 11:22:21 EDT
Created attachment 791435 [details]
syslog

Description of problem:
After the installer DVD boots to the Welcome dialog, these messages from firewalld are in syslog:

16:29:59,857 ERR firewalld: 2013-08-27 16:29:59 ERROR: ebtables not usable, disabling ethernet bridge firewall.
16:29:59,875 CRIT firewalld: 2013-08-27 16:29:59 FATAL ERROR: No IPv4 and IPv6 firewall.
16:29:59,876 ERR firewalld: 2013-08-27 16:29:59 ERROR: Raising SystemExit in run_server

Version-Release number of selected component (if applicable):
Fedora-20-Alpha-TC1-x86_64-DVD.iso

How reproducible:
Always.

Steps to Reproduce:
1. Start installer from DVD:
$ qemu-kvm -m 4096 -hda f20-test-3.img -cdrom ~/xfr/fedora/F20/Alpha/Fedora-20-Alpha-TC1-x86_64-DVD.iso -vga std -boot menu=on

2. Boot to Welcome dialog.
3. Switch to installer console (ctrl-alt-f2).
4. Examine /tmp/syslog.

Actual results:
ERR and CRIT messages from firewalld in /tmp/syslog.

Expected results:
No such messages in /tmp/syslog.

Additional info:
For the firewalld avcs, see:
Bug 1002038 - avc: denied { write } for pid=639 comm="firewalld" name="python2.7" dev="dm-0" ino=66860 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=dir
Comment 1 Thomas Woerner 2013-08-28 12:12:43 EDT
It seems that the iptables (and also ebtables) package is missing.

Reassigning to distribution.
Comment 2 Bill Nottingham 2013-08-28 13:42:30 EDT
The installer's never been firewalled, unless I'm missing something. CC'ing some anaconda developers.
Comment 3 Steve Tyler 2013-08-28 23:23:14 EDT
(In reply to Thomas Woerner from comment #1)
> It seems that the iptables (and also ebtables) package is missing.
> 
> Reassigning to distribution.

The DVD does not have an RPM database, so it is not clear what ebtables files are missing, but /lib64/ebtables/ is populated and /sbin/ebtables* exist.

What files are missing?

For the record, firewalld.spec has an explicit requires for iptables and ebtables:
Requires: iptables, ebtables
http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/firewalld.spec#n28
Comment 4 Steve Tyler 2013-08-28 23:39:30 EDT
(In reply to Steve Tyler from comment #3)
...
> The DVD does not have an RPM database, so it is not clear what ebtables
> files are missing, but /lib64/ebtables/ is populated and /sbin/ebtables*
> exist.
...

On the installer DVD, rpm returns a misleading error message:
# rpm -q ebtables
package ebtables is not installed

In fact, there are no packages on the DVD:
# rpm -q kernel foo
package kernel is not installed
package foo is not installed
Comment 5 Thomas Woerner 2013-08-29 06:35:28 EDT
Can you use ebtables and iptables in the install image?

Please try:

 ebtables -L
 iptables -L
 ip6tables -L

There should be no error also in messages.
Comment 6 Steve Tyler 2013-08-29 18:23:47 EDT
Created attachment 791971 [details]
screenshot showing error messages from ebtables, iptables, ip6tables

Procedure:
Start installer DVD:
$ qemu-kvm -m 4096 -hda f20-test-3.img -cdrom ~/xfr/fedora/F20/Alpha/Fedora-20-Alpha-TC2-x86_64-DVD.iso -vga std -boot menu=on

Boot installer DVD to Welcome dialog.
Switch to installer console (ctrl-alt-f2).

The attached screenshot shows the exact error messages:
# ebtables -L (modprobe: ERROR: ...)
# iptables -L (command not found)
# ip6tables -L (command not found)
Comment 7 Steve Tyler 2013-08-29 18:30:00 EDT
Created attachment 791972 [details]
dmesg-1.log with numerous avcs, including several for ebtables
Comment 8 Steve Tyler 2013-08-29 18:35:17 EDT
Created attachment 791973 [details]
syslog-1 (was /tmp/syslog)

This may be redundant with dmesg-1.log, but I am attaching it for completeness.
Comment 9 Steve Tyler 2013-08-29 18:54:53 EDT
Full text of the error messages:[1]

# ebtables -L
modprobe: ERROR: could not insert 'ebtables': Unknown symbol in module, or unknown parameter (see dmesg)
The kernel doesn't support the ebtables 'filter' table.

# iptables -L
bash: iptables: command not found

# ip6tables -L
bash: ip6tables: command not found

[1] The installer DVD doesn't have the "script" command, so these are manually assembled from the standard error output:
# ebtables -L 2> x1.log
# iptables -L 2>> x1.log
# ip6tables -L 2>> x1.log
Comment 10 Thomas Woerner 2013-09-03 06:46:41 EDT
The firewalld errors are expected due to missing iptables and ip6tables commands.
Comment 11 Steve Tyler 2013-09-03 09:06:28 EDT
If they are expected, then the ERR and CRIT messages should not be logged. Unless, of course, you want to receive more bug reports like this one ... :-)

16:29:59,857 ERR firewalld: 2013-08-27 16:29:59 ERROR: ebtables not usable, disabling ethernet bridge firewall.
16:29:59,875 CRIT firewalld: 2013-08-27 16:29:59 FATAL ERROR: No IPv4 and IPv6 firewall.
16:29:59,876 ERR firewalld: 2013-08-27 16:29:59 ERROR: Raising SystemExit in run_server
Comment 12 Steve Tyler 2013-09-03 09:17:20 EDT
(In reply to Steve Tyler from comment #11)
...
> 16:29:59,876 ERR firewalld: 2013-08-27 16:29:59 ERROR: Raising SystemExit in
> run_server

Does this mean firewalld is exiting?

If firewalld cannot run without ebtables, iptables, and ip6tables, it should be removed from the DVD, or ebtables, iptables, and ip6tables should be fully and correctly installed.

Bill: This looks like a lorax problem, since the firewalld package already requires iptables and ebtables (Comment 3, last sentence).
Comment 13 Thomas Woerner 2013-09-03 09:30:13 EDT
Yes, firewalld is exiting if the iptables and ip6tables commands are missing. They are essential.

There are three choices:
1) Add at least the iptables and ip6tables commands (ebtables is optional as long as libvirt is not used)
2) Remove firewalld from the install image
3) Do not start the firewalld service (similar to 2))
Comment 14 Bill Nottingham 2013-09-03 10:20:39 EDT
I'm still circling back to the original question - is firewalling *of the installation* expected, and expected to work?

If not, the fix is likely to just drop things such that the error messages go away.
Comment 15 Steve Tyler 2013-09-03 10:49:35 EDT
(In reply to Bill Nottingham from comment #14)
> I'm still circling back to the original question - is firewalling *of the
> installation* expected, and expected to work?
> 
> If not, the fix is likely to just drop things such that the error messages
> go away.

That's a good question, but there is no NEEDINFO on this bug ...
Comment 16 Steve Tyler 2013-09-03 11:58:40 EDT
(In reply to Thomas Woerner from comment #13)
> Yes, firewalld is exiting if the iptables and ip6tables commands
> are missing. They are essential.
...

Thanks for your clarification. That is very helpful.

lorax is removing iptables:

...
## various other things we remove to save space
...
removepkg genisoimage gnome-python2 info iptables
...

https://git.fedorahosted.org/cgit/lorax.git/tree/share/runtime-cleanup.tmpl?h=f19-branch#n54

Evidently lorax doesn't do any dependency checking ...

Changing component to lorax.
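
The dependency check that comment 16 finds missing, sketched as an added example (not part of the original thread and not lorax code): it reads `removepkg` lines from a cleanup template and flags retained packages whose `Requires:` names are being removed. The template text and the Requires table are constructed from the lines quoted in this bug; matching package names literally, with no glob handling, is an assumption.

```python
# Constructed sample inputs, modelled on the lines quoted in this bug.
CLEANUP_TMPL = """\
## various other things we remove to save space
removepkg genisoimage gnome-python2 info iptables
"""

# One "Requires:" line per retained package. The firewalld line is the one
# quoted from firewalld.spec in comment 3; the table itself is hypothetical.
SPEC_REQUIRES = {
    "firewalld": "Requires: iptables, ebtables",
}


def removed_packages(template_text):
    """Collect every package named on a removepkg line (names taken literally)."""
    removed = set()
    for line in template_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and template comments
        words = line.split()
        if words[0] == "removepkg":
            removed.update(words[1:])
    return removed


def parse_requires(requires_line):
    """Split 'Requires: a, b >= 1.0' into bare package names."""
    _, _, value = requires_line.partition(":")
    names = []
    for item in value.split(","):
        tokens = item.split()
        if tokens:
            names.append(tokens[0])  # drop version constraints such as '>= 1.0'
    return names


def broken_dependencies(template_text, spec_requires):
    """Map each retained package to the requirements the cleanup removes."""
    removed = removed_packages(template_text)
    broken = {}
    for pkg, line in spec_requires.items():
        if pkg in removed:
            continue  # the package itself is removed, nothing left to break
        missing = sorted(set(parse_requires(line)) & removed)
        if missing:
            broken[pkg] = missing
    return broken


if __name__ == "__main__":
    for pkg, missing in broken_dependencies(CLEANUP_TMPL, SPEC_REQUIRES).items():
        print(f"{pkg}: required packages removed by cleanup: {', '.join(missing)}")
```

Appending a `removepkg firewalld` line to the template, the route taken in comment 17, makes the report empty.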
Comment 17 Brian Lane 2013-09-03 13:15:20 EDT
Install images have never had an active firewall. Added removal of firewalld from the installroot so that the errors won't cause confusion.
Comment 18 Steve Tyler 2013-09-03 14:34:03 EDT
Is there any reason you couldn't put firewalld in alphabetical order like all of the other package names?

remove firewalld from installroot (#1002195)
https://git.fedorahosted.org/cgit/lorax.git/commit/?id=1a47e68c448d56cc5ffa7ddb988c7534219bb7e8
