Bug 815540 - anaconda vs. firewalld
Product: Fedora
Classification: Fedora
Component: anaconda
Priority: high
Severity: high
Assigned To: Brian Lane
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened, TestBlocker
Duplicates: 822290
Blocks: 835469 835471 885807 1032605
Reported: 2012-04-23 15:33 EDT by Bill Nottingham
Modified: 2014-03-16 23:30 EDT

Doc Type: Bug Fix
Clones: 835469 835471 885807
Last Closed: 2013-05-21 18:03:49 EDT
Type: Bug

Attachments:
patch to allow cmdline args (2.17 KB, patch), 2012-10-01 19:51 EDT, Brian Lane

Description Bill Nottingham 2012-04-23 15:33:55 EDT
Description of problem:

From https://fedoraproject.org/wiki/Features/firewalld-default:

An explicit transition is planned after Fedora 18 with dropping support for the static firewall with system-config-firewall/lokkit. A migration from the static firewall model will be needed then.

anaconda uses system-config-firewall-tui (aka, lokkit) for two things:

1) Setting the SELinux state (enforcing/permissive/disabled)

2) Handling the %firewall kickstart command

Version-Release number of selected component (if applicable):

anaconda master/newui/etc.

How reproducible:


Steps to Reproduce:
1. look at the code
Comment 1 Chris Lumens 2012-05-16 21:53:27 EDT
*** Bug 822290 has been marked as a duplicate of this bug. ***
Comment 2 Jan Stancek 2012-06-21 11:43:13 EDT
Is there an estimate when firewall option will be supported?
Can you recommend any workaround?
We are currently hitting this in beaker (with RHEL7 Alpha2), kickstart contains "firewall --disabled", but firewalld is still running and creating rules.
Comment 3 Petr Šplíchal 2012-06-26 04:23:06 EDT
This is a test blocker for multihost testing, adjusting priority.
Could we get a fix for this soon? Thanks.
Comment 4 Brian Lane 2012-06-26 17:26:46 EDT
For selinux we can use the selinux python module, dwalsh contributed some code to livecd-tools that does that and we can adapt that for Anaconda.

I've taken a look at firewalld, and as far as I can tell it doesn't have any provisions for generating a configuration in a chroot environment, since it is running as a dbus server. We need to be able to call firewalld in a way that only changes the install target chroot, not the host system's settings.

Suggestions from the firewalld developers would be appreciated.
Comment 5 Brian Lane 2012-10-01 19:51:25 EDT
Created attachment 620072: patch to allow cmdline args
Comment 6 Fedora Update System 2012-10-17 22:36:08 EDT
anaconda-18.18-1.fc18 has been submitted as an update for Fedora 18.
Comment 7 Fedora Update System 2012-10-18 11:27:58 EDT
Package anaconda-18.18-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing anaconda-18.18-1.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 8 Fedora Update System 2012-10-19 21:32:00 EDT
anaconda-18.19-1.fc18 has been submitted as an update for Fedora 18.
Comment 9 Matthew Miller 2012-12-07 22:42:37 EST
I think this is where anaconda switched to calling /usr/bin/firewall-offline-cmd, and I think there's been a miscommunication. Note initially this report says that a migration from the static model will happen *after F18*. And in fact, the Feature page now says "after Fedora 19".

I know we're pretty late in the game and I wish I had noticed this earlier.
Comment 11 Matthew Miller 2012-12-10 11:53:49 EST
I'm going to clone a new bug from this one for the "accidentally mandatory" issue, and put this back to "on qa".
Comment 12 Adam Williamson 2012-12-10 20:11:45 EST
This is pretty old to be ON_QA. What needs determining before it gets closed exactly? I lost track of where we're up to here.
Comment 13 Matthew Miller 2012-12-11 00:03:08 EST
(In reply to comment #12)
> This is pretty old to be ON_QA. What needs determining before it gets closed
> exactly? I lost track of where we're up to here.

I dunno. It was ON_QA when I reopened it, so I put it back.
Comment 14 Fedora Update System 2012-12-20 10:24:23 EST
anaconda-18.18-1.fc18 has been pushed to the Fedora 18 obsolete repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Orion Poplawski 2013-03-06 13:08:27 EST
This is still a problem for me with 18.37.11.  With firewall --disabled, firewalld is still enabled and starting up on the installed system.

09:21:59,552 INFO program: Running... /usr/bin/firewall-offline-cmd --disabled --service=ssh
09:22:00,719 INFO program: Firewall was disabled, unable to convert to zone.
09:22:00,719 INFO program: No changes to default zone needed.

Kickstart has:

firewall --disabled
Comment 16 Fedora End Of Life 2013-04-03 15:48:53 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
Comment 17 Orion Poplawski 2013-05-21 12:18:48 EDT
Still present in 19.28-1.  I think you need to be running: 

systemctl disable firewalld.service
Comment 18 Brian Lane 2013-05-21 18:03:49 EDT
Please don't re-open this. It was meant to track the transition to using firewalld. If you have a problem with its behavior please file a new bug with details.

The firewall ks command controls the firewall itself. If you want to disable the service itself you should pass services --disabled=firewalld
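
A kickstart check for the mismatch discussed in comments 15 to 18, added here as an example and not part of the bug report or of anaconda's code: it flags a kickstart that has `firewall --disabled` but no `services --disabled=firewalld`, the case in which the firewalld unit was reported as still starting on the installed system. The function names and the sample kickstart text are constructed for illustration.

```python
import shlex

# Constructed sample kickstart text (not from the systems in this bug).
KS_FIREWALL_ONLY = """\
lang en_US.UTF-8
firewall --disabled
%packages
@core
%end
"""
KS_WITH_SERVICES = KS_FIREWALL_ONLY.replace(
    "firewall --disabled\n",
    "firewall --disabled\nservices --disabled=firewalld,sshd\n")


def command_lines(ks_text):
    """Yield tokenized kickstart commands, skipping comments and %sections."""
    in_section = False
    for raw in ks_text.splitlines():
        line = raw.strip()
        if line.startswith(("%include", "%ksappend")):
            continue  # file inclusion, not a section header
        if line.startswith("%"):
            in_section = not line.startswith("%end")
            continue
        if in_section or not line or line.startswith("#"):
            continue
        yield shlex.split(line, comments=True)


def option_values(tokens, name):
    """Return the comma-separated values of --name=a,b or --name a,b."""
    values = []
    for i, tok in enumerate(tokens):
        if tok.startswith(name + "="):
            values += tok.split("=", 1)[1].split(",")
        elif tok == name and i + 1 < len(tokens):
            values += tokens[i + 1].split(",")
    return [v.strip() for v in values if v.strip()]


def firewalld_left_enabled(ks_text):
    """True if the firewall is disabled but the firewalld unit is not."""
    firewall_off, disabled_units = False, set()
    for tokens in command_lines(ks_text):
        if tokens[0] == "firewall":
            firewall_off = "--disabled" in tokens
        elif tokens[0] == "services":
            disabled_units.update(option_values(tokens, "--disabled"))
    return firewall_off and "firewalld" not in disabled_units
```
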
