Red Hat Bugzilla – Bug 815540
anaconda vs. firewalld
Last modified: 2014-03-16 23:30:40 EDT
Description of problem:
An explicit transition is planned after Fedora 18 with dropping support for the static firewall with system-config-firewall/lokkit. A migration from the static firewall model will be needed then.
anaconda uses system-config-firewall-tui (aka, lokkit) for two things:
1) Setting the SELinux state (enforcing/permissive/disabled)
2) Handling the %firewall kickstart command
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. look at the code
*** Bug 822290 has been marked as a duplicate of this bug. ***
Is there an estimate when firewall option will be supported?
Can you recommend any workaround?
We are currently hitting this in beaker (with RHEL7 Alpha2), kickstart contains "firewall --disabled", but firewalld is still running and creating rules.
This is a test blocker for multihost testing, adjusting priority.
Could we get a fix for this soon? Thanks.
For selinux we can use the selinux python module, dwalsh contributed some code to livecd-tools that does that and we can adapt that for Anaconda.
I've taken a look at firewalld, and as far as I can tell it doesn't have any provisions for generating a configuration in a chroot environment, since it is running as a dbus server. We need to be able to call firewalld in a way that only changes the install target chroot, not the host system's settings.
Suggestions from the firewalld developers would be appreciated.
Created attachment 620072
patch to allow cmdline args
anaconda-18.18-1.fc18 has been submitted as an update for Fedora 18.
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing anaconda-18.18-1.fc18'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
anaconda-18.19-1.fc18 has been submitted as an update for Fedora 18.
I think this is where anaconda switched to calling /usr/bin/firewall-offline-cmd, and I think there's been a miscommunication. Note initially this report says that a migration from the static model will happen *after F18*. And in fact, the Feature page now says "after Fedora 19".
I know we're pretty late in the game and I wish I had noticed this earlier.
I'm going to clone a new bug from this one for the "accidentally mandatory" issue, and put this back to "on qa".
This is pretty old to be ON_QA. What needs determining before it gets closed exactly? I lost track of where we're up to here.
(In reply to comment #12)
> This is pretty old to be ON_QA. What needs determining before it gets closed
> exactly? I lost track of where we're up to here.
I dunno. It was ON_QA when I reopened it, so I put it back.
anaconda-18.18-1.fc18 has been pushed to the Fedora 18 obsolete repository. If problems still persist, please make note of it in this bug report.
This is still a problem for me with 18.37.11. With firewall --disabled, firewalld is still enabled and starting up on the installed system.
09:21:59,552 INFO program: Running... /usr/bin/firewall-offline-cmd --disabled --service=ssh
09:22:00,719 INFO program: Firewall was disabled, unable to convert to zone.
09:22:00,719 INFO program: No changes to default zone needed.
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.
(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)
More information and reason for this action is here:
Still present in 19.28-1. I think you need to be running:
systemctl disable firewalld.service
Please don't re-open this. It was meant to track the transition to using firewalld. If you have a problem with its behavior please file a new bug with details.
The firewall ks command controls the firewall itself. If you want to disable the service itself, you should pass services --disabled=firewalld
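The following is an added example, not part of the bug report and not anaconda code: a small kickstart check for the mismatch discussed in this thread, where `firewall --disabled` is present but the firewalld service is not disabled through `services`. The function names and sample kickstarts are constructed for illustration, and the check assumes the behaviour described in the comments above.

```python
import shlex

def firewalld_settings(ks_text):
    """Return (firewall_cmd, service_state); each is 'enabled', 'disabled' or None."""
    firewall_cmd = service_state = None
    in_section = False                      # inside %pre/%post/%packages ... %end
    for raw in ks_text.splitlines():
        line = raw.strip()
        if line.startswith("%"):
            word = line.split()[0]
            if word != "%include":
                in_section = word != "%end"
            continue
        if in_section:
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:                  # skip lines shlex cannot tokenize
            continue
        if not tokens:
            continue
        if tokens[0] == "firewall":
            if "--disabled" in tokens:
                firewall_cmd = "disabled"
            elif "--enabled" in tokens:
                firewall_cmd = "enabled"
        elif tokens[0] == "services":
            for i, tok in enumerate(tokens):
                name, sep, value = tok.partition("=")
                if name not in ("--enabled", "--disabled"):
                    continue
                if not sep and i + 1 < len(tokens):
                    value = tokens[i + 1]   # "--disabled firewalld" spelling
                units = [u.strip() for u in value.split(",")]
                if "firewalld" in units or "firewalld.service" in units:
                    service_state = name[2:]
    return firewall_cmd, service_state

def audit(ks_text):
    """Flag kickstarts where the firewall command and the service state disagree."""
    firewall_cmd, service_state = firewalld_settings(ks_text)
    findings = []
    if firewall_cmd == "disabled" and service_state != "disabled":
        findings.append("firewall --disabled without services --disabled=firewalld")
    if service_state == "disabled" and firewall_cmd != "disabled":
        findings.append("firewalld service disabled but firewall not set to --disabled")
    return findings

# Constructed samples: the first mirrors the kickstart line quoted in the thread.
KS_REPORTED = "firewall --disabled\n%post\nfirewall --enabled\n%end\n"
KS_WORKAROUND = "firewall --disabled\nservices --disabled=firewalld,cups --enabled=sshd\n"
```

`audit(KS_REPORTED)` returns one finding and `audit(KS_WORKAROUND)` returns none; text inside `%post` is ignored because it is script content, not a kickstart command.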