Bug 1002195 - FATAL ERROR: No IPv4 and IPv6 firewall. during installer DVD boot
Summary: FATAL ERROR: No IPv4 and IPv6 firewall. during installer DVD boot
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: lorax
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Bill Nottingham
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-08-28 15:22 UTC by Steve Tyler
Modified: 2016-02-09 17:36 UTC

Fixed In Version: lorax-20.0-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-29 20:39:48 UTC
Type: Bug


Attachments
syslog (66.53 KB, text/plain)
2013-08-28 15:22 UTC, Steve Tyler
screenshot showing error messages from ebtables, iptables, ip6tables (13.32 KB, image/png)
2013-08-29 22:23 UTC, Steve Tyler
dmesg-1.log with numerous avcs, including several for ebtables (42.34 KB, text/plain)
2013-08-29 22:30 UTC, Steve Tyler
syslog-1 (was /tmp/syslog) (70.66 KB, text/plain)
2013-08-29 22:35 UTC, Steve Tyler


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1299568 | 0 | unspecified | CLOSED | Install ISO stops at INSTALLATION SUMMARY screen | 2021-02-22 00:41:40 UTC

Internal Links: 1299568

Description Steve Tyler 2013-08-28 15:22:21 UTC
Created attachment 791435 [details]
syslog

Description of problem:
After the installer DVD boots to the Welcome dialog, these messages from firewalld are in syslog:

16:29:59,857 ERR firewalld: 2013-08-27 16:29:59 ERROR: ebtables not usable, disabling ethernet bridge firewall.
16:29:59,875 CRIT firewalld: 2013-08-27 16:29:59 FATAL ERROR: No IPv4 and IPv6 firewall.
16:29:59,876 ERR firewalld: 2013-08-27 16:29:59 ERROR: Raising SystemExit in run_server

Version-Release number of selected component (if applicable):
Fedora-20-Alpha-TC1-x86_64-DVD.iso

How reproducible:
Always.

Steps to Reproduce:
1. Start installer from DVD:
$ qemu-kvm -m 4096 -hda f20-test-3.img -cdrom ~/xfr/fedora/F20/Alpha/Fedora-20-Alpha-TC1-x86_64-DVD.iso -vga std -boot menu=on

2. Boot to Welcome dialog.
3. Switch to installer console (ctrl-alt-f2).
4. Examine /tmp/syslog.

Actual results:
ERR and CRIT messages from firewalld in /tmp/syslog.

Expected results:
No such messages in /tmp/syslog.

Additional info:
For the firewalld avcs, see:
Bug 1002038 - avc: denied { write } for pid=639 comm="firewalld" name="python2.7" dev="dm-0" ino=66860 scontext=system_u:system_r:firewalld_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=dir

Comment 1 Thomas Woerner 2013-08-28 16:12:43 UTC
It seems that the iptables (and also ebtables) package is missing.

Reassigning to distribution.

Comment 2 Bill Nottingham 2013-08-28 17:42:30 UTC
The installer's never been firewalled, unless I'm missing something. CC'ing some anaconda developers.

Comment 3 Steve Tyler 2013-08-29 03:23:14 UTC
(In reply to Thomas Woerner from comment #1)
> It seems that the iptables (and also ebtables) package is missing.
> 
> Reassigning to distribution.

The DVD does not have an RPM database, so it is not clear what ebtables files are missing, but /lib64/ebtables/ is populated and /sbin/ebtables* exist.

What files are missing?

For the record, firewalld.spec has an explicit requires for iptables and ebtables:
Requires: iptables, ebtables
http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/firewalld.spec#n28

Comment 4 Steve Tyler 2013-08-29 03:39:30 UTC
(In reply to Steve Tyler from comment #3)
...
> The DVD does not have an RPM database, so it is not clear what ebtables
> files are missing, but /lib64/ebtables/ is populated and /sbin/ebtables*
> exist.
...

On the installer DVD, rpm returns a misleading error message:
# rpm -q ebtables
package ebtables is not installed

In fact, there are no packages on the DVD:
# rpm -q kernel foo
package kernel is not installed
package foo is not installed

Comment 5 Thomas Woerner 2013-08-29 10:35:28 UTC
Can you use ebtables and iptables in the install image?

Please try:

 ebtables -L
 iptables -L
 ip6tables -L

There should be no error also in messages.

Comment 6 Steve Tyler 2013-08-29 22:23:47 UTC
Created attachment 791971 [details]
screenshot showing error messages from ebtables, iptables, ip6tables

Procedure:
Start installer DVD:
$ qemu-kvm -m 4096 -hda f20-test-3.img -cdrom ~/xfr/fedora/F20/Alpha/Fedora-20-Alpha-TC2-x86_64-DVD.iso -vga std -boot menu=on

Boot installer DVD to Welcome dialog.
Switch to installer console (ctrl-alt-f2).

The attached screenshot shows the exact error messages:
# ebtables -L (modprobe: ERROR: ...)
# iptables -L (command not found)
# ip6tables -L (command not found)

Comment 7 Steve Tyler 2013-08-29 22:30:00 UTC
Created attachment 791972 [details]
dmesg-1.log with numerous avcs, including several for ebtables

Comment 8 Steve Tyler 2013-08-29 22:35:17 UTC
Created attachment 791973 [details]
syslog-1 (was /tmp/syslog)

This may be redundant with dmesg-1.log, but I am attaching it for completeness.

Comment 9 Steve Tyler 2013-08-29 22:54:53 UTC
Full text of the error messages:[1]

# ebtables -L
modprobe: ERROR: could not insert 'ebtables': Unknown symbol in module, or unknown parameter (see dmesg)
The kernel doesn't support the ebtables 'filter' table.

# iptables -L
bash: iptables: command not found

# ip6tables -L
bash: ip6tables: command not found

[1] The installer DVD doesn't have the "script" command, so these are manually assembled from the standard error output:
# ebtables -L 2> x1.log
# iptables -L 2>> x1.log
# ip6tables -L 2>> x1.log

Comment 10 Thomas Woerner 2013-09-03 10:46:41 UTC
The firewalld errors are expected due to missing iptables and ip6tables commands.

Comment 11 Steve Tyler 2013-09-03 13:06:28 UTC
If they are expected, then the ERR and CRIT messages should not be logged. Unless, of course, you want to receive more bug reports like this one ... :-)

16:29:59,857 ERR firewalld: 2013-08-27 16:29:59 ERROR: ebtables not usable, disabling ethernet bridge firewall.
16:29:59,875 CRIT firewalld: 2013-08-27 16:29:59 FATAL ERROR: No IPv4 and IPv6 firewall.
16:29:59,876 ERR firewalld: 2013-08-27 16:29:59 ERROR: Raising SystemExit in run_server

Comment 12 Steve Tyler 2013-09-03 13:17:20 UTC
(In reply to Steve Tyler from comment #11)
...
> 16:29:59,876 ERR firewalld: 2013-08-27 16:29:59 ERROR: Raising SystemExit in
> run_server

Does this mean firewalld is exiting?

If firewalld cannot run without ebtables, iptables, and ip6tables, it should be removed from the DVD, or ebtables, iptables, and ip6tables should be fully and correctly installed.

Bill: This looks like a lorax problem, since the firewalld package already requires iptables and ebtables (Comment 3, last sentence).

Comment 13 Thomas Woerner 2013-09-03 13:30:13 UTC
Yes, firewalld is exiting if the iptables and ip6tables commands are missing. They are essential.

There are three choices:
1) Add at least the iptables and ip6tables commands (ebtables is optional as long as libvirt is not used)
2) Remove firewalld from the install image
3) Do not start the firewalld service (similar to 2))

Comment 14 Bill Nottingham 2013-09-03 14:20:39 UTC
I'm still circling back to the original question - is firewalling *of the installation* expected, and expected to work?

If not, the fix is likely to just drop things such that the error messages go away.

Comment 15 Steve Tyler 2013-09-03 14:49:35 UTC
(In reply to Bill Nottingham from comment #14)
> I'm still circling back to the original question - is firewalling *of the
> installation* expected, and expected to work?
> 
> If not, the fix is likely to just drop things such that the error messages
> go away.

That's a good question, but there is no NEEDINFO on this bug ...

Comment 16 Steve Tyler 2013-09-03 15:58:40 UTC
(In reply to Thomas Woerner from comment #13)
> Yes, firewalld is exiting if the iptables and ip6tables commands
> are missing. They are essential.
...

Thanks for your clarification. That is very helpful.

lorax is removing iptables:

...
## various other things we remove to save space
...
removepkg genisoimage gnome-python2 info iptables
...

https://git.fedorahosted.org/cgit/lorax.git/tree/share/runtime-cleanup.tmpl?h=f19-branch#n54

Evidently lorax doesn't do any dependency checking ...

Changing component to lorax.
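
The dependency check that comment 16 finds missing, as an added example that is not part of the bug thread and is not lorax code: it reads the removepkg lines of a cleanup template and reports every package left in the image whose Requires were removed. Only the removepkg line and the firewalld Requires come from this page; the rest of the package table is constructed, Requires are treated as plain package names, and removepkg arguments are matched as shell-style globs (an assumption).

```python
import fnmatch

# Constructed fragment in the style of lorax's runtime-cleanup.tmpl; only the
# removepkg line below is quoted on the page.
SAMPLE_TEMPLATE = """\
## various other things we remove to save space
removepkg genisoimage gnome-python2 info iptables
"""

# Package -> Requires (plain package names, a simplifying assumption). The
# firewalld entry is from firewalld.spec as quoted in comment 3; the other
# entries are constructed for this example.
SAMPLE_REQUIRES = {
    "firewalld": ["iptables", "ebtables"],
    "iptables": [], "ebtables": [],
    "genisoimage": [], "gnome-python2": [], "info": [],
}


def parse_removepkg(template_text):
    """Return the package globs named on removepkg lines, in order."""
    globs = []
    for line in template_text.splitlines():
        words = line.split()
        # '##' comment lines and other template commands are ignored.
        if words and words[0] == "removepkg":
            globs.extend(words[1:])
    return globs


def broken_requires(requires, removed_globs):
    """Map each surviving package to the Requires that removepkg deleted."""
    def is_removed(name):
        # Assumption: removepkg arguments behave as shell-style globs.
        return any(fnmatch.fnmatchcase(name, g) for g in removed_globs)

    broken = {}
    for pkg, deps in requires.items():
        if is_removed(pkg):
            continue  # the package itself is gone, so it cannot be left broken
        missing = sorted(d for d in deps if is_removed(d))
        if missing:
            broken[pkg] = missing
    return broken


if __name__ == "__main__":
    found = broken_requires(SAMPLE_REQUIRES, parse_removepkg(SAMPLE_TEMPLATE))
    for pkg, missing in found.items():
        print(f"{pkg}: removed requirement(s): {', '.join(missing)}")
```

Run against the sample, it reports firewalld as depending on the removed iptables package, which is the state the installer image was in.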

Comment 17 Brian Lane 2013-09-03 17:15:20 UTC
Install images have never had an active firewall. Added removal of firewalld from the installroot so that the errors won't cause confusion.

Comment 18 Steve Tyler 2013-09-03 18:34:03 UTC
Is there any reason you couldn't put firewalld in alphabetical order like all of the other package names?

remove firewalld from installroot (#1002195)
https://git.fedorahosted.org/cgit/lorax.git/commit/?id=1a47e68c448d56cc5ffa7ddb988c7534219bb7e8

