Bug 884878 - FirewallConfig in imgcreate/kickstart.py requires FirewallD
Summary: FirewallConfig in imgcreate/kickstart.py requires FirewallD
Status: CLOSED DUPLICATE of bug 1004976
Alias: None
Product: Fedora
Classification: Fedora
Component: livecd-tools
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Brian Lane
QA Contact: Fedora Extras Quality Assurance
Whiteboard: AcceptedNTH
Depends On:
Blocks: F18-accepted, F18FinalFreezeExcept
TreeView+ depends on / blocked
Reported: 2012-12-06 22:19 UTC by Matthew Miller
Modified: 2013-10-02 17:32 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-10-02 17:32:31 UTC
Type: Bug

Attachments (Terms of Use)

Description Matthew Miller 2012-12-06 22:19:36 UTC
Description of problem:

FirewallConfig uses /usr/bin/firewall-offline-cmd to configure the firewall. This may be fine in the future, but it's still not completely sure that FirewallD will be the default in F18, and in any case it is certainly not ready to be mandatory.

Can we do something to fall back if /usr/bin/firewall-offline-cmd is not found? 

Version-Release number of selected component (if applicable):


Comment 1 Matthew Miller 2012-12-07 20:49:40 UTC
Even warning and continuing would be better, but I think best is to write and enable the traditional iptables script-loaded firewall.

Comment 2 Daniel Drake 2012-12-10 12:41:23 UTC
This is also a minor annoyance for OLPC. Having to ship firewalld just to satisfy this - I hope it doesn't get autostarted. We don't manage a firewall at the moment and don't intend to in the near term. So if some fallback is implemented using some non-firewalld firewall, I would at least ask that "firewall --disabled" causes imgcreate to do nothing when firewalld is not available.

Comment 3 Matthew Miller 2012-12-10 17:06:12 UTC
See also bug #885807 for same code in Anaconda.

Comment 4 Matthew Miller 2012-12-10 17:09:15 UTC
Note that the feature page for firewalld-as-default says in the scope that it will be the default but the static firewall scripts still functional until F19+ timeframe.

Comment 5 Adam Williamson 2012-12-19 20:20:05 UTC
Discussed at 2012-12-19 NTH review meeting: http://meetbot.fedoraproject.org/fedora-bugzappers/2012-12-19/f18final-blocker-review-6.2012-12-19-17.02.log.txt . We agreed this would be a useful capability if some spins don't want to use firewalld and obviously can't really be fixed after freeze, so it's accepted as NTH, but obviously we'd want the fix to be small, safe and tested to avoid blowing up the supported spins.

Comment 6 John Florian 2012-12-19 21:57:49 UTC
This is an annoyance for my uses of livecd-tools also.  Presently I kludge around the problem with the following in my %post:

  echo "Disabling/removing firewalld ..."
  yum -q -y remove firewalld

I must do this because our complex network stack still requires iptables since it has not yet been ported to use firewalld.  When I lst checked, the firewalld documentation was too lacking attempt such a port at the time.

Comment 7 Brian Lane 2012-12-19 23:57:22 UTC
This is the same as the bug for anaconda about firewalld. The solution there was to let firewalld sort things out. I'm not going to make livecd-creator act different from Anaconda.

Comment 8 Adam Williamson 2012-12-20 01:02:56 UTC
well, we're not prescribing a fix, just saying that whatever it is, we hope it's small and safe to pull.

Comment 9 fedora.dm0 2013-02-04 15:23:23 UTC
(In reply to comment #8)
> well, we're not prescribing a fix, just saying that whatever it is, we hope
> it's small and safe to pull.

This simple test satisfies my requirements.  I don't think it's necessary to automate the configuration any further for crazy people like myself who go out of their way to avoid the default firewall package.  Averting the show-stopper crash is enough.  In addition, the earlier branches of livecd-tools all had an equivalent test for lokkit, so this behavior is not unprecedented.  Thoughts?

diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index b12cd0c..dcf7516 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -178,6 +178,8 @@ class AuthConfig(KickstartConfig):
 class FirewallConfig(KickstartConfig):
     """A class to apply a kickstart firewall configuration to a system."""
     def apply(self, ksfirewall):
+        if not os.path.exists(self.path("/usr/bin/firewall-offline-cmd")):
+            return
         args = ["/usr/bin/firewall-offline-cmd"]
         # enabled is None if neither --enable or --disable is passed
         # default to enabled if nothing has been set.

Comment 10 Brian Lane 2013-02-04 19:22:50 UTC
That is probably ok, with the addition of logging that it wasn't setup. The problem with that is nobody reads the logs, and if it is missing for some reason it won't get noticed immediately.

Comment 11 fedora.dm0 2013-02-04 21:42:42 UTC
After adding a straightforward logging.warn("Missing firewalld, no firewall configuration will be performed.") to the above, it was the first warning printed after package installation for my kickstarts.  That seems like it should be fairly noticeable to anyone who accidentally glances at the command output.

I think this is a reasonable amount of precaution for protecting users from themselves, while correcting the crash.  If anyone happens to both stray this far from the standard package group and ignore livecd-tools diagnostics, they've probably managed to find other ways to shoot themselves in the foot as well.

Comment 12 Brian Lane 2013-02-05 01:47:28 UTC
True, but remember that the tool is also used in the build system, so users generally never see those logs until they go looking for something wrong. In that case a failed build it preferable to a build that is built 'wrong'.

Comment 13 Gene Czarcinski 2013-10-02 09:41:34 UTC
This is still broken as of Fedora 20 Alpha.  Either fix it or add firewalld to the kickstart file.

Comment 14 Brian Lane 2013-10-02 17:32:31 UTC
Chris fixed this for bug 1004976. If you pass firewall --disabled it will no longer raise an error on it missing.

*** This bug has been marked as a duplicate of bug 1004976 ***

Note You need to log in before you can comment on or make changes to this bug.