Bug 196585 - Update eats configuration files, leaving shorewall non-functional
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: shorewall
Version: 5
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Robert Marcano
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 196590
Blocks:
 
Reported: 2006-06-25 12:06 UTC by Jonathan Underwood
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-08-01 02:51:55 UTC
Type: ---
Embargoed:



Description Jonathan Underwood 2006-06-25 12:06:11 UTC
Description of problem:
I just ran a yum update, which pulled in the new shorewall package
(3.0.8-1.fc5). During the update I saw:

warning: /etc/shorewall/zones saved as /etc/shorewall/zones.rpmsave
warning: /etc/shorewall/shorewall.conf saved as /etc/shorewall/shorewall.conf.rpmsave
warning: /etc/shorewall/rules saved as /etc/shorewall/rules.rpmsave
warning: /etc/shorewall/policy saved as /etc/shorewall/policy.rpmsave
warning: /etc/shorewall/interfaces saved as /etc/shorewall/interfaces.rpmsave
warning: /etc/shorewall/blacklist saved as /etc/shorewall/blacklist.rpmsave
  Removing  : shorewall                    ######################### [3/6]
  Updating  : shorewall                    ###                       [4/6]warning: /etc/shorewall/shorewall.conf created as /etc/shorewall/shorewall.conf.rpmnew
Version-Release number of selected component (if applicable):
3.0.8-1.fc5

The problem is - all of those configuration files were moved to .rpmsave
appended versions, but no replacement files were created. This essentially
unconfigures the firewall, and for anyone not seeing those messages (eg. if they
have the nightly yum update enabled) they would remain unaware that their
firewall configuration was lost.

I suspect this is due to the following line in the spec:
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/shorewall/*

These files should be marked as %config I believe.
(see http://www-uxsup.csx.cam.ac.uk/~jw35/docs/rpm_config.html for a description
of %config).





How reproducible:
Every time

Steps to Reproduce:
1. Update to 0:3.0.8-1.fc5
2.
3.
  
Actual results:
Configuration files hammered.

Expected results:
Configuration files left untouched.

Additional info:

Comment 1 Jonathan Underwood 2006-06-25 12:07:40 UTC
For completeness, and to help debug, the contents of /etc/shorewall immediately
after update:

# ls
accounting         initdone            modules         rules~                  stopped
actions            interfaces~         nat             rules.rpmsave           tcclasses
blacklist~         interfaces.rpmnew   netmap          shorewall.conf~         tcdevices
blacklist.rpmsave  interfaces.rpmsave  params          shorewall.conf.rpmnew   tcrules
continue           ipsec               policy.rpmsave  shorewall.conf.rpmsave  tos
ecn                maclist             providers       start                   tunnels
hosts              Makefile            proxyarp        started                 zones.rpmsave
init               masq                routestopped    stop
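
The state in the listing above (`.rpmsave` copies with no live file beside them) can be checked for after an unattended update. The shell functions below are an added example, not part of the original report or of the shorewall package; the function names and the constructed sample directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find config files that an RPM transaction moved aside.

# Print every live path that is missing while its .rpmsave copy exists.
find_orphaned_rpmsave() {
    dir=$1
    for saved in "$dir"/*.rpmsave; do
        [ -e "$saved" ] || continue      # glob matched nothing
        live=${saved%.rpmsave}
        [ -e "$live" ] || printf '%s\n' "$live"
    done
}

# Print every .rpmnew file (a packaged default that was not merged).
find_pending_rpmnew() {
    dir=$1
    for new in "$dir"/*.rpmnew; do
        [ -e "$new" ] || continue
        printf '%s\n' "$new"
    done
}

# Report on stderr; return 1 when any live config file is missing.
audit_rpm_config() {
    orphans=$(find_orphaned_rpmsave "$1")
    find_pending_rpmnew "$1" | sed 's/^/unmerged default: /' >&2
    [ -z "$orphans" ] && return 0
    printf '%s\n' "$orphans" | sed 's/^/MISSING live config: /' >&2
    return 1
}

# Constructed sample (assumption): a subset of the listing in Comment 1.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    touch "$d/zones.rpmsave" "$d/rules.rpmsave" "$d/policy.rpmsave" \
          "$d/shorewall.conf.rpmsave" "$d/shorewall.conf.rpmnew" \
          "$d/hosts" "$d/masq"
    printf '%s\n' "$d"
}
```

Calling `audit_rpm_config /etc/shorewall` from the job that runs the nightly update gives a non-zero exit status whenever a live file is missing, so the condition is reported even when nobody reads the yum output.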


Comment 2 Jonathan Underwood 2006-06-25 12:38:14 UTC
And also: After the update, shorewall is no longer started on boot for any
runlevels.

Comment 3 Robert Marcano 2006-06-25 13:20:29 UTC
I reverted to the previous version to test (3.0.7) then modified all files with
the line

find -exec cp /etc/vimrc {} \;

in order to have local modified files, then a yum update left only a new
shorewall.conf.rpmnew file

those files are marked %config(noreplace) so they will generate only rpmnew
files if changed, but this line was added at the first iteration of shorewall
3.0.x if I remember correctly. From which version were you updating?

why your "yum update" says removing then updating instead of

Updating  : shorewall                    ######################### [1/2]
Cleanup   : shorewall                    ######################### [2/2]

Comment 4 Jonathan Underwood 2006-06-25 13:34:54 UTC
I was updating from 3.0.7, and the first version of the shorewall rpm installed
on this machine was 3.0.6-1.fc5.

I have no idea why yum decided to remove and then update - that is very odd
actually. Perhaps this is a yum bug rather than a shorewall bug, as the
behaviour you describe from your local test sounds correct. The same update was
pulling in the new kernel and removing an old kernel - I wonder if the
installonlyn plugin causes all packages that are being updated to be removed, or
something.

/var/log/yum also says:
Jun 25 13:04:13 Installed: kernel-smp-devel.i686 2.6.17-1.2139_FC5
Jun 25 13:04:28 Installed: kernel-smp.i686 2.6.17-1.2139_FC5
Jun 25 13:04:29 Erased: shorewall
Jun 25 13:04:32 Updated: shorewall.noarch 3.0.8-1.fc5

[and no other entries for today when I ran yum update]

but has no entry for the kernel that was removed (2096 if I recall correctly).
This looks very suspiciously like a yum bug rather than a packaging bug to me.

Alas the yum output is now gone, as I rebooted the machine. :(



Comment 5 Jonathan Underwood 2006-06-25 14:03:15 UTC
OK. I reproduced the issue. Recipe:

1) I backed up /etc/shorewall locally. 
2) I removed shorewall 3.0.8, rm -rf /etc/shorewall to remove all remnants. 
3) I installed the 3.0.7 shorewall rpm. 
4) I copied back my config files to /etc/shorewall, so they were modified from
the installed files from the rpm.
5) I removed the latest kernel (2139) and its -devel package. This left 3
installed kernels on my box (see below)
6) I changed tokeep to 3 in /etc/yum/pluginconf.d/installonlyn.conf
7) I did a yum update

At this point what we'd expect is that yum would update to the latest kernel,
removing an old kernel in the process, and also updating shorewall. But what we
see is different. A c+p of the session follows:

==START==

[root@pasiphae etc]# cat yum/pluginconf.d/installonlyn.conf
[main]
tokeep = 3
enabled = 1

[root@pasiphae etc]# ls shorewall
accounting  continue  init        interfaces.rpmsave  Makefile  nat     policy     routestopped    start    stopped    tcrules  zones
actions     ecn       initdone    ipsec               masq      netmap  providers  rules           started  tcclasses  tos
blacklist   hosts     interfaces  maclist             modules   params  proxyarp   shorewall.conf  stop     tcdevices  tunnels
[root@pasiphae etc]# rpm -qa | grep kernel
kernel-smp-devel-2.6.16-1.2122_FC5
kernel-smp-2.6.16-1.2111_FC5
kernel-smp-2.6.16-1.2122_FC5
kernel-smp-devel-2.6.16-1.2133_FC5
kernel-smp-2.6.16-1.2133_FC5
kernel-smp-devel-2.6.16-1.2111_FC5
[root@pasiphae etc]# rpm -qa | grep shorewall
shorewall-3.0.7-1.fc5
[root@pasiphae etc]# yum update
Loading "installonlyn" plugin
Setting up Update Process
Setting up repositories
livna                                                                [1/5]
livna                     100% |=========================|  951 B    00:00
macromedia                                                           [2/5]
macromedia                100% |=========================|  951 B    00:00
core                                                                 [3/5]
core                      100% |=========================| 1.1 kB    00:00
updates                                                              [4/5]
updates                   100% |=========================|  951 B    00:00
extras                                                               [5/5]
extras                    100% |=========================| 1.1 kB    00:00
Reading repository metadata in from local files
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for kernel-smp to pack into transaction set.
kernel-smp-2.6.17-1.2139_ 100% |=========================| 152 kB    00:00
---> Package kernel-smp.i686 0:2.6.17-1.2139_FC5 set to be installed
---> Downloading header for shorewall to pack into transaction set.
shorewall-3.0.8-1.fc5.noa 100% |=========================|  18 kB    00:00
---> Package shorewall.noarch 0:3.0.8-1.fc5 set to be updated
---> Downloading header for kernel-smp-devel to pack into transaction set.
kernel-smp-devel-2.6.17-1 100% |=========================| 821 kB    00:00
---> Package kernel-smp-devel.i686 0:2.6.17-1.2139_FC5 set to be installed
--> Running transaction check
--> Populating transaction set with selected packages. Please wait.
---> Package kernel-smp-devel.i686 0:2.6.16-1.2111_FC5 set to be erased
---> Package kernel-smp.i686 0:2.6.16-1.2111_FC5 set to be erased
--> Running transaction check

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 kernel-smp              i686       2.6.17-1.2139_FC5  updates            15 M
 kernel-smp-devel        i686       2.6.17-1.2139_FC5  updates           4.5 M
Updating:
 shorewall               noarch     3.0.8-1.fc5      extras            203 k
Removing:
 kernel-smp              i686       2.6.16-1.2111_FC5  installed          39 M
 kernel-smp-devel        i686       2.6.16-1.2111_FC5  installed          14 M

Transaction Summary
=============================================================================
Install      2 Package(s)
Update       1 Package(s)
Remove       2 Package(s)
Total download size: 20 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): kernel-smp-2.6.17- 100% |=========================|  15 MB    00:05
(2/3): shorewall-3.0.8-1. 100% |=========================| 203 kB    00:00
(3/3): kernel-smp-devel-2 100% |=========================| 4.5 MB    00:01
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: kernel-smp-devel             ######################### [1/6]
  Installing: kernel-smp                   ######################### [2/6]
warning: /etc/shorewall/zones saved as /etc/shorewall/zones.rpmsave
warning: /etc/shorewall/tcdevices saved as /etc/shorewall/tcdevices.rpmsave
warning: /etc/shorewall/shorewall.conf saved as /etc/shorewall/shorewall.conf.rpmsave
warning: /etc/shorewall/rules saved as /etc/shorewall/rules.rpmsave
warning: /etc/shorewall/policy saved as /etc/shorewall/policy.rpmsave
warning: /etc/shorewall/interfaces saved as /etc/shorewall/interfaces.rpmsave
warning: /etc/shorewall/blacklist saved as /etc/shorewall/blacklist.rpmsave
  Removing  : shorewall                    ######################### [3/6]
  Updating  : shorewall                    ###                       [4/6]warning: /etc/shorewall/shorewall.conf created as /etc/shorewall/shorewall.conf.rpmnew
  Updating  : shorewall                    ###                       [4/6]warning: /etc/shorewall/tcdevices created as /etc/shorewall/tcdevices.rpmnew
  Updating  : shorewall                    ######################### [4/6]
  Cleanup   : kernel-smp-devel             ######################### [5/6]
  Cleanup   : kernel-smp                   ######################### [6/6]

Removed: kernel-smp.i686 0:2.6.16-1.2111_FC5 kernel-smp-devel.i686 0:2.6.16-1.2111_FC5
Installed: kernel-smp.i686 0:2.6.17-1.2139_FC5 kernel-smp-devel.i686 0:2.6.17-1.2139_FC5
Updated: shorewall.noarch 0:3.0.8-1.fc5
Complete!

==END==

This really looks like yum is doing the wrong thing.

Comment 6 Jonathan Underwood 2006-06-25 14:15:40 UTC
OK, and for completeness, I removed shorewall, installed 3.0.7 and ran a yum
update (note that there is now no kernel updating to be done) and everything
works as it should:

[root@pasiphae shorewall]# rpm -qa | grep shorewall
shorewall-3.0.7-1.fc5
[root@pasiphae shorewall]# yum update
Loading "installonlyn" plugin
Setting up Update Process
Setting up repositories
livna                                                                [1/5]
macromedia                                                           [2/5]
core                                                                 [3/5]
updates                                                              [4/5]
extras                                                               [5/5]
Reading repository metadata in from local files
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for shorewall to pack into transaction set.
shorewall-3.0.8-1.fc5.noa 100% |=========================|  18 kB    00:00
---> Package shorewall.noarch 0:3.0.8-1.fc5 set to be updated
--> Running transaction check

Dependencies Resolved

=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Updating:
 shorewall               noarch     3.0.8-1.fc5      extras            203 k

Transaction Summary
=============================================================================
Install      0 Package(s)
Update       1 Package(s)
Remove       0 Package(s)
Total download size: 203 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): shorewall-3.0.8-1. 100% |=========================| 203 kB    00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating  : shorewall                    ###                       [1/2]warning: /etc/shorewall/shorewall.conf created as /etc/shorewall/shorewall.conf.rpmnew
  Updating  : shorewall                    ###                       [1/2]warning: /etc/shorewall/tcdevices created as /etc/shorewall/tcdevices.rpmnew
  Updating  : shorewall                    ######################### [1/2]
  Cleanup   : shorewall                    ######################### [2/2]

Updated: shorewall.noarch 0:3.0.8-1.fc5
Complete!


Comment 7 Jonathan Underwood 2006-06-25 14:22:07 UTC
Reported as a bug against yum: 196590

