Bug 523709 - do not force install system-config-firewall-tui
do not force install system-config-firewall-tui
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: anaconda (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Anaconda Maintenance Team
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks: 519838 554536 575256
  Show dependency treegraph
 
Reported: 2009-09-16 10:07 EDT by Peter Vrabec
Modified: 2010-03-19 16:41 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-10-07 11:23:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Peter Vrabec 2009-09-16 10:07:08 EDT
Description of problem:
In purpose of installing minimal system we want to reduce number of packages and their dependencies. Please give a look at:
https://fedoraproject.org/wiki/Features/MinimalPlatform

Anaconda in F12-Alha force install of system-config-firewall-tui. We are not very happy with that because it's increase disk usage and number of SUID binaries(because of dependencies). This problem is only in F12, I have not seen in in F11!!!

Can you please check, if we really need system-config-firewall-tui!!!

How reproducible:
install core group
%packages --nobase
@core
%end
see that system-config-firewall-tui is installed

  
Expected results:
do not install system-config-firewall-tui & dependencies
Comment 1 Chris Lumens 2009-09-16 11:12:06 EDT
system-config-firewall-tui is required to install lokkit, which is required for anaconda to set up the firewall config on the installed system.
Comment 2 Peter Vrabec 2009-09-17 08:03:00 EDT
thnx. for explanation, Chris. It's also clear to me that anaconda guidelines say that standard tools should be used whenever it's possible.

But I'm still curios why system-config-firewall-tui is NOT installed on F11 (minimal install). What cause this change? I have looked into the code and I can see same thing in both F11 & F12

    # anaconda requires several programs on the installed system to complete
    # installation, but we have no guarantees that some of these will be
    # installed (they could have been removed in kickstart).  So we'll force
    # it.
    def selectAnacondaNeeds(self):
        for pkg in ['authconfig', 'chkconfig', 'mkinitrd', 'system-config-firewall-tui']:

I think the ideal solution would be if all system-config-* tools provide library interface. Do you know if there is any effort for this?
Comment 3 Steve Grubb 2009-09-17 10:15:15 EDT
Do you realize that installing s-c-firewall-tui requires s-c-network-tui which requires dbus-python which requires dbus-libs which requires dbus ... Altogether, this drags in about 23 Mb of packages to the minimal install.

Would it be possible to uninstall all these packages if s-c-firewall-tui has not been asked for?
Comment 4 Chris Lumens 2009-09-17 10:24:16 EDT
No, lokkit is required on the installed system so that anaconda can chroot over and run it.  We need to do that so there's any iptables configuration at all when the system is initially booted.  It's not a matter of the user asking for it to be installed or not.  If you really want to have fewer things to audit, you could get lokkit broken out into its own subpackage and then anaconda would only need to require that.

Anyway, dbus is a critical component of a Fedora system these days.  More and more system components are requiring it and it's listed as a critical path package.  So, you really can't help but have it and any security auditing you're doing needs to take this into consideration.  Keep in mind that NetworkManager is the preferred method of configuring the network these days and it requires dbus.
Comment 5 Peter Vrabec 2009-10-07 11:07:07 EDT
(In reply to comment #4)
> No, lokkit is required on the installed system so that anaconda can chroot over
> and run it.  We need to do that so there's any iptables configuration at all
> when the system is initially booted.  It's not a matter of the user asking for
> it to be installed or not.  If you really want to have fewer things to audit,
> you could get lokkit broken out into its own subpackage and then anaconda would
> only need to require that.

system-config-firewall-base that provides lokkit is available now, can you use it in anaconda, please.

see: https://bugzilla.redhat.com/show_bug.cgi?id=525153
Comment 6 Chris Lumens 2009-10-07 11:23:49 EDT
Done.

Now if this needs to be in F-12 and RHEL-6 as well, we're going to need the new system-config-firewall-base package put into that tree before the anaconda part can be committed on those branches.  Right now, it's only on head.

Note You need to log in before you can comment on or make changes to this bug.