Red Hat Bugzilla – Bug 884878
FirewallConfig in imgcreate/kickstart.py requires FirewallD
Last modified: 2013-10-02 13:32:31 EDT
Description of problem:
FirewallConfig uses /usr/bin/firewall-offline-cmd to configure the firewall. This may be fine in the future, but it's still not completely sure that FirewallD will be the default in F18, and in any case it is certainly not ready to be mandatory.
Can we do something to fall back if /usr/bin/firewall-offline-cmd is not found?
Even warning and continuing would be better, but I think best is to write and enable the traditional iptables script-loaded firewall.
This is also a minor annoyance for OLPC. Having to ship firewalld just to satisfy this - I hope it doesn't get autostarted. We don't manage a firewall at the moment and don't intend to in the near term. So if some fallback is implemented using some non-firewalld firewall, I would at least ask that "firewall --disabled" causes imgcreate to do nothing when firewalld is not available.
See also bug #885807 for same code in Anaconda.
Note that the feature page for firewalld-as-default says in the scope that it will be the default but the static firewall scripts still functional until F19+ timeframe.
Discussed at 2012-12-19 NTH review meeting: http://meetbot.fedoraproject.org/fedora-bugzappers/2012-12-19/f18final-blocker-review-6.2012-12-19-17.02.log.txt. We agreed this would be a useful capability if some spins don't want to use firewalld and obviously can't really be fixed after freeze, so it's accepted as NTH, but obviously we'd want the fix to be small, safe and tested to avoid blowing up the supported spins.
This is an annoyance for my uses of livecd-tools also. Presently I kludge around the problem with the following in my %post:
echo "Disabling/removing firewalld ..."
yum -q -y remove firewalld
I must do this because our complex network stack still requires iptables since it has not yet been ported to use firewalld. When I last checked, the firewalld documentation was too lacking to attempt such a port at the time.
This is the same as the bug for anaconda about firewalld. The solution there was to let firewalld sort things out. I'm not going to make livecd-creator act different from Anaconda.
Well, we're not prescribing a fix, just saying that whatever it is, we hope it's small and safe to pull.
(In reply to comment #8)
> well, we're not prescribing a fix, just saying that whatever it is, we hope
> it's small and safe to pull.
This simple test satisfies my requirements. I don't think it's necessary to automate the configuration any further for crazy people like myself who go out of their way to avoid the default firewall package. Averting the show-stopper crash is enough. In addition, the earlier branches of livecd-tools all had an equivalent test for lokkit, so this behavior is not unprecedented. Thoughts?
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index b12cd0c..dcf7516 100644
@@ -178,6 +178,8 @@ class AuthConfig(KickstartConfig):
"""A class to apply a kickstart firewall configuration to a system."""
def apply(self, ksfirewall):
+ if not os.path.exists(self.path("/usr/bin/firewall-offline-cmd")):
args = ["/usr/bin/firewall-offline-cmd"]
# enabled is None if neither --enable or --disable is passed
# default to enabled if nothing has been set.
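Review bot: the hunk header announces two added lines but only the `if not os.path.exists(self.path("/usr/bin/firewall-offline-cmd")):` line is visible, so the body of that branch (whatever runs when the tool is absent) is missing from the quoted excerpt and cannot be reviewed; please post the complete hunk. As it stands the branch emits nothing, so an image whose kickstart asked for an enabled firewall would be built without one and nobody would know. Suggest the branch at least log a warning that no firewall configuration is being performed, and consider only skipping silently when `enabled` resolves to disabled (the context comment notes that a missing `--enable`/`--disable` defaults to enabled), so a requested firewall that cannot be applied still fails the build rather than producing a wrong image.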
That is probably ok, with the addition of logging that it wasn't setup. The problem with that is nobody reads the logs, and if it is missing for some reason it won't get noticed immediately.
After adding a straightforward logging.warn("Missing firewalld, no firewall configuration will be performed.") to the above, it was the first warning printed after package installation for my kickstarts. That seems like it should be fairly noticeable to anyone who accidentally glances at the command output.
I think this is a reasonable amount of precaution for protecting users from themselves, while correcting the crash. If anyone happens to both stray this far from the standard package group and ignore livecd-tools diagnostics, they've probably managed to find other ways to shoot themselves in the foot as well.
True, but remember that the tool is also used in the build system, so users generally never see those logs until they go looking for something wrong. In that case a failed build is preferable to a build that is built 'wrong'.
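The thread above argues two things at once: skipping is harmless when the kickstart says `firewall --disabled` and the tool is absent, but a silently unfirewalled image is worse than a failed build when the kickstart asked for a firewall. The following is an added illustration of that decision as a standalone function; it is not code from livecd-tools or from any commenter. The function name `plan_firewall`, the `strict` switch and the injectable `exists` callback are assumptions made here for testability; the `--enabled`/`--disabled`/`--port=`/`--service=` option names are the lokkit-compatible flags that firewall-offline-cmd accepts, and are also to be treated as assumptions.

```python
import logging
import os

# Path the kickstart handler invokes inside the image (same path as in this bug).
FIREWALL_OFFLINE_CMD = "/usr/bin/firewall-offline-cmd"


class FirewallToolMissing(Exception):
    """Raised when the kickstart asks for a firewall but the tool is absent."""


def plan_firewall(enabled, root="/", ports=(), services=(), strict=False,
                  exists=os.path.exists):
    """Decide what to run for a kickstart `firewall` line.

    Returns the argv list to run inside the image root, or None when nothing
    should be run.  `enabled` is None when neither --enabled nor --disabled was
    given; the kickstart default is enabled.  `strict` models a build-system
    caller that prefers a failed build over a silently wrong image.  `exists`
    is injectable (assumed helper) so the decision can be tested without a
    real image root.
    """
    if enabled is None:
        enabled = True

    # Check for the tool inside the image root, not on the build host.
    tool = os.path.join(root, FIREWALL_OFFLINE_CMD.lstrip("/"))
    if not exists(tool):
        if not enabled:
            # firewall --disabled with no firewalld: nothing to configure.
            logging.info("firewalld not installed; firewall --disabled needs no action")
            return None
        msg = "Missing firewalld, no firewall configuration will be performed."
        if strict:
            # A requested firewall that cannot be applied should fail the build.
            raise FirewallToolMissing(msg)
        # Interactive use: warn loudly and continue without a firewall.
        logging.warning(msg)
        return None

    args = [FIREWALL_OFFLINE_CMD]
    if not enabled:
        args.append("--disabled")
        return args
    args.append("--enabled")
    for port in ports:
        args.append("--port=%s" % port)
    for service in services:
        args.append("--service=%s" % service)
    return args


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample: an image root without firewalld, firewall requested.
    print(plan_firewall(True, root="/tmp/img", ports=["22:tcp"],
                        exists=lambda p: False))
```

The caller (e.g. a `%post`-style chroot helper) would execute the returned argv inside the image root; when `None` comes back it has already been logged why nothing ran, and in `strict` mode the exception surfaces in the build log instead of a quietly unfirewalled image.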
This is still broken as of Fedora 20 Alpha. Either fix it or add firewalld to the kickstart file.
Chris fixed this for bug 1004976. If you pass firewall --disabled it will no longer raise an error on it missing.
*** This bug has been marked as a duplicate of bug 1004976 ***