Bug 1355949 - sosreport can not collect config information under /etc/firewalld
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sos
7.2
All Linux
unspecified Severity medium
Assigned To: Pavel Moravec
Anna Khaitovich
https://github.com/sosreport/sos/pull...
Reported: 2016-07-13 02:43 EDT by Zeng Yiquan
Modified: 2017-08-01 19:08 EDT
Fixed In Version: sos-3.4-1.el7
Last Closed: 2017-08-01 19:08:12 EDT
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2203 normal SHIPPED_LIVE sos bug fix and enhancement update 2017-08-01 15:41:56 EDT

Description Zeng Yiquan 2016-07-13 02:43:28 EDT
Description of problem:

sosreport can not collect all config files under /etc/firewalld;
it only collects the firewalld.conf file and the "zones" directory.
But when a cu uses direct.xml and so on,
we can not check their configuration and reproduce their issue.

Version-Release number of selected component (if applicable):


How reproducible: Use the firewall-cmd command to configure a direct rule, then use sosreport to collect the system information.

Actual results:

There are only the firewalld.conf file and the "zones" directory in the sosreport.

Expected results:

It should collect all the information below /etc/firewalld.

Additional info:
Comment 1 Pavel Moravec 2016-07-13 03:05:23 EDT
> It should collect all the information below /etc/firewalld.

Isn't /etc/firewalld/*xml sufficient (additionally to the currently collected configs)? As far as I understand, firewalld takes configuration just from those files, and ignores e.g. /etc/firewalld/direct.xml.old .

Thanks for clarification.
Comment 3 Zeng Yiquan 2016-07-13 21:39:38 EDT
(In reply to Pavel Moravec from comment #1)
> > It should collect all the information below /etc/firewalld.
> 
> Isn't /etc/firewalld/*xml sufficient (additionally to the currently
> collected configs)? As far as I understand, firewalld takes configuration
> just from those files, and ignores e.g. /etc/firewalld/direct.xml.old .
> 
> Thanks for clarification.

For example, there are many config files under /etc/firewalld/, as below:

[root@R72 ~]# ll /etc/firewalld/
total 16
-rw-r--r--. 1 root root  193 Jul 13 14:20 direct.xml
-rw-r--r--. 1 root root  108 Jul 13 14:19 direct.xml.old
-rw-r-----. 1 root root 1026 Sep 15  2015 firewalld.conf
drwxr-x---. 2 root root    6 Sep 15  2015 icmptypes
-rw-r-----. 1 root root  271 Sep 15  2015 lockdown-whitelist.xml
drwxr-x---. 2 root root    6 Sep 15  2015 services
drwxr-x---. 2 root root   23 Jun  9 21:49 zones

but sosreport just has the files below:

[root@R72 sosreport-R72-20160713142108]# ll -R etc/firewalld/
etc/firewalld/:
total 4
-rw-r-----. 1 root root 1026 Sep 15  2015 firewalld.conf
drwxr-x---. 2 root root   23 Jun  9 21:49 zones

etc/firewalld/zones:
total 4
-rw-r--r--. 1 root root 315 Jun  9 21:49 public.xml

When a cu reports that there is some issue about direct, we can not confirm their configuration.
Comment 4 Pavel Moravec 2016-07-14 02:22:32 EDT
(In reply to Zeng Yiquan from comment #3)
> For example, there are many config files under /etc/firewalld/, as below:
> 
> [root@R72 ~]# ll /etc/firewalld/
> total 16
> -rw-r--r--. 1 root root  193 Jul 13 14:20 direct.xml
> -rw-r--r--. 1 root root  108 Jul 13 14:19 direct.xml.old
> -rw-r-----. 1 root root 1026 Sep 15  2015 firewalld.conf
> drwxr-x---. 2 root root    6 Sep 15  2015 icmptypes
> -rw-r-----. 1 root root  271 Sep 15  2015 lockdown-whitelist.xml
> drwxr-x---. 2 root root    6 Sep 15  2015 services
> drwxr-x---. 2 root root   23 Jun  9 21:49 zones
> 
> but sosreport just has the files below:
> 
> [root@R72 sosreport-R72-20160713142108]# ll -R etc/firewalld/
> etc/firewalld/:
> total 4
> -rw-r-----. 1 root root 1026 Sep 15  2015 firewalld.conf
> drwxr-x---. 2 root root   23 Jun  9 21:49 zones
> 
> etc/firewalld/zones:
> total 4
> -rw-r--r--. 1 root root 315 Jun  9 21:49 public.xml
> 

Currently sos collects this:

        self.add_copy_spec([
            "/etc/firewalld/firewalld.conf",
            "/etc/firewalld/icmptypes/*.xml",
            "/etc/firewalld/services/*.xml",
            "/etc/firewalld/zones/*.xml",
            "/etc/sysconfig/firewalld"
        ])

That means /etc/firewalld/services and /etc/firewalld/icmptypes don't contain an xml file, and sos does not collect empty directories.

lockdown-whitelist.xml and direct.xml are worth collecting - these belong to my question "additionally collect /etc/firewalld/*xml ?"

direct.xml.old is IMHO ignored by firewalld so no need to collect it - or am I mistaken?

> When a cu reports that there is some issue about direct, we can not confirm
> their configuration.

What all are the configuration files (that firewalld does not collect ATM)? Can you please specify them by a list of "/path/to/*.suffix" strings?
Comment 5 Zeng Yiquan 2016-07-15 04:15:58 EDT
(In reply to Pavel Moravec from comment #4)
> > lockdown-whitelist.xml and direct.xml are worth collecting - these belong to
> > my question "additionally collect /etc/firewalld/*xml ?"

Yes, that's the point. I mean sosreport should collect all config files under /etc/firewalld/, like /etc/firewalld/*.xml, even /etc/firewalld/*
Comment 6 Pavel Moravec 2016-07-18 03:24:44 EDT
Per manpages,

"Permanent configuration is loaded from XML files in /usr/lib/firewalld or /etc/firewalld"

So *.xml files should be enough to collect.

Created upstream PR: https://github.com/sosreport/sos/pull/854
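
Added example, not part of the bug thread and not sos code: a coverage check that expands the copy specs quoted in comment 4, with and without the `/etc/firewalld/*.xml` pattern discussed in comments 4 to 6, against a constructed tree mirroring the listing in comment 3. Plain `glob` stands in for sos's own expansion, and the names `expand_specs`, `coverage`, `CURRENT_SPECS` and `PROPOSED_SPECS` are hypothetical.

```python
import glob
import os
import tempfile

# Copy specs quoted in comment 4, limited to /etc/firewalld.
CURRENT_SPECS = [
    "/etc/firewalld/firewalld.conf",
    "/etc/firewalld/icmptypes/*.xml",
    "/etc/firewalld/services/*.xml",
    "/etc/firewalld/zones/*.xml",
]
# Pattern proposed in the thread; that the shipped fix is exactly this is an assumption.
PROPOSED_SPECS = CURRENT_SPECS + ["/etc/firewalld/*.xml"]

# Constructed sample tree mirroring the directory listing in comment 3.
SAMPLE_FILES = ["direct.xml", "direct.xml.old", "firewalld.conf",
                "lockdown-whitelist.xml", "zones/public.xml"]
SAMPLE_DIRS = ["icmptypes", "services", "zones"]


def expand_specs(root, specs):
    """Expand glob copy specs under a sysroot; empty directories match nothing."""
    matched = set()
    for spec in specs:
        for path in glob.glob(os.path.join(root, spec.lstrip("/"))):
            if os.path.isfile(path):
                matched.add("/" + os.path.relpath(path, root))
    return matched


def coverage(specs):
    """Return (collected, missed) file lists for the sample tree."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "etc", "firewalld")
        for d in SAMPLE_DIRS:
            os.makedirs(os.path.join(base, d), exist_ok=True)
        for f in SAMPLE_FILES:
            open(os.path.join(base, f), "w").close()
        collected = expand_specs(root, specs)
        present = {"/" + os.path.relpath(os.path.join(d, n), root)
                   for d, _, names in os.walk(base) for n in names}
    return sorted(collected), sorted(present - collected)


if __name__ == "__main__":
    for label, specs in (("current", CURRENT_SPECS), ("proposed", PROPOSED_SPECS)):
        print(label, coverage(specs))
```

The same comparison can be run against a real archive by pointing `expand_specs` at the host root and listing `etc/firewalld/` inside the extracted sosreport.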
Comment 7 Pavel Moravec 2016-11-11 02:58:20 EST
RHEL7.3 has been released. Re-scheduling for potential inclusion in 7.4.
Comment 10 Pavel Moravec 2017-02-20 16:34:48 EST
Closed #933 via c29b25f.
Comment 14 errata-xmlrpc 2017-08-01 19:08:12 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2203
