Bug 1094911 - iptables: script and/or trigger should not directly enable systemd units
Summary: iptables: script and/or trigger should not directly enable systemd units
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: autoenabled-systemd-units
TreeView+ depends on / blocked
 
Reported: 2014-05-06 17:19 UTC by Andy Lutomirski
Modified: 2023-09-14 02:07 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-04-13 15:07:31 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Andy Lutomirski 2014-05-06 17:19:40 UTC 
My query script thinks that iptables has a script or trigger that directly enables a systemd unit using 'systemctl enable'.  It probably should not.  Please update this packages to use the macroized scriptlet (https://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Systemd).

If your package has an exception from FESCo permitting it to enable
itself, please make sure that the service in question is listed in the
appropriate preset file.

There is a general exception described here:

https://fedoraproject.org/wiki/Starting_services_by_default

If your package falls under the general exception, then it is possible
that no change is required.  Nevertheless, if you are relying on the
exception, please make sure that your rpm scripts are sensible.  The
exception is:

In addition, any service which does not remain persistent on the system (aka, it "runs once then goes away"), does not listen to incoming connections during initialization, and does not require configuration to be functional may be enabled by default (but is not required to do so). An example of "runs once then goes away" service is iptables.

Given that this issue can affect Fedora 20 users who install your
package as a dependency, this bug should be fixed in Fedora 20 and
Rawhide.
Comment 1 Jaroslav Reznik 2015-03-03 15:46:26 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
Comment 2 Thomas Woerner 2016-04-13 14:56:20 UTC 
The systemd services are only part of the iptables-services sub package, which is not installed by default and only installed if people want to use the old static firewall model.

There is no systemctl enable or systemctl try-restart call.
Comment 3 Thomas Woerner 2016-04-13 15:00:41 UTC 
There is only 

%postun services
%systemd_postun_with_restart iptables.service ip6tables.service

Is this enabling the services or only restarting if they have been started before?
Comment 4 Thomas Woerner 2016-04-13 15:07:31 UTC 
From macros.systemd:

%systemd_postun_with_restart() \
systemctl daemon-reload >/dev/null 2>&1 || : \
if [ $1 -ge 1 ] ; then \
        # Package upgrade, not uninstall \
        systemctl try-restart %{?*} >/dev/null 2>&1 || : \
fi \
%{nil}

From systemctl man page:
       try-restart PATTERN...
           Restart one or more units specified on the command line if the
           units are running. This does nothing if units are not running. Note
           that, for compatibility with Red Hat init scripts, condrestart is
           equivalent to this command.

Therefore %systemd_postun_with_restart should not enable the services if they have not been enabled before.

If there are no further changes required this bug can be closed.
Comment 5 Red Hat Bugzilla 2023-09-14 02:07:25 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
Note You need to log in before you can comment on or make changes to this bug.