Description of problem:
Specifying a kickstart firewall command does not change the default configuration. anaconda.program.log shows the execution of firewall-offline-cmd, but afterwards the firewall is configured as always. I wanted the firewall configured without the dhcpv6-client so I specified:

firewall --enable --service=mdns,ssh

Did I do something wrong?

Version-Release number of selected component (if applicable):
anaconda-19.20-1.fc19.x86_64
pykickstart-1.99.26-1.fc19.noarch

How reproducible:
Consistent

Steps to Reproduce:
# Create the Anaconda Kickstart file
if [ ! -d /srv/nfs/ISO/Fedora19 ]
then
    mkdir /srv/nfs/ISO/Fedora19
fi
cat >/srv/nfs/ISO/Fedora19/anaconda-ks.cfg <<EOF
auth --enableshadow --passalgo=sha512
autopart --type=lvm
bootloader --location=mbr --boot-drive=vda
cdrom
clearpart --all --initlabel --drives=vda
firewall --enable --service=mdns,ssh
firstboot --disable
ignoredisk --only-use=vda
keyboard --vckeymap=us --xlayouts='us'
lang en_US.UTF-8
network --activate --bootproto=static --device=eth0 --gateway=192.168.1.254 --ip=192.168.1.21 --nameserver=75.75.76.76,75.75.75.75 --netmask=255.255.255.0 --noipv6
# network --activate --bootproto=dhcp --device=eth0 --nameserver=192.168.1.11 --noipv6
network --hostname=fedora19.hunter.org
reboot
rootpw --iscrypted \$6\$6YuUd3dm5L5ALg25\$I6Tg.twaZxA/NePE/yNTmY3HoUNt5Za5vDQMjCGB8Fp22ANG0y0usmAn/f14xGwDZ1QcSVWTWqDjl7kDkSZAO/
text
timezone America/Chicago --isUtc --ntpserver=192.168.1.11
user --gecos="Local Administrator" --groups=wheel --iscrypted --name=local --password=\$6\$6YuUd3dm5L5ALg25\$I6Tg.twaZxA/NePE/yNTmY3HoUNt5Za5vDQMjCGB8Fp22ANG0y0usmAn/f14xGwDZ1QcSVWTWqDjl7kDkSZAO/
xconfig --startxonboot

%packages
@base-x
@core
@dial-up
@firefox
@fonts
@gnome-desktop
@hardware-support
@input-methods
@multimedia
@printing
@standard
%end

%post
set -v

# Configure the firewall
firewall-cmd --permanent --remove-service=dhcpv6-client
firewall-cmd --list-all

# Configure the Gnome desktop
cat >/usr/share/glib-2.0/schemas/hunter.gschema.override <<EOD
[org.gnome.desktop.background]
picture-options='wallpaper'
# picture-uri='file:///usr/share/backgrounds/gnome/Waves.jpg'
picture-uri='file:///usr/share/backgrounds/gnome/BlueMarbleWest.jpg'
primary-color='#ffffff'
secondary-color='#000000'
[org.gnome.desktop.interface]
clock-show-date=true
[org.gnome.desktop.screensaver]
lock-enabled=false
[org.gnome.desktop.sound]
event-sounds=false
[org.gnome.gedit.preferences.editor]
create-backup-copy=false
wrap-mode='none'
[org.gnome.nautilus.preferences]
default-folder-viewer='list-view'
sort-directories-first=true
[org.gnome.shell]
always-show-log-out=true
favorite-apps=['gnome-terminal.desktop', 'nautilus.desktop', 'gedit.desktop', 'firefox.desktop']
EOD
chcon --user system_u /usr/share/glib-2.0/schemas/hunter.gschema.override
chcon --type usr_t /usr/share/glib-2.0/schemas/hunter.gschema.override
glib-compile-schemas /usr/share/glib-2.0/schemas

# Configure the host name
hostnamectl set-hostname "Fedora19" --pretty
hostnamectl

# Apply any queued updates
cat >>/etc/yum.conf <<EOD
clean_requirements_on_remove=yes
upgrade_requirements_on_install=yes
EOD
# yum install --assumeyes yum-plugin-fastestmirror
yum update --assumeyes
%end
EOF

# Build a virtual machine
virsh destroy Fedora19
virsh undefine Fedora19
virt-install \
    --autostart \
    --connect qemu:///system \
    --disk vol=Guests/Fedora19 \
    --extra-args "inst.ks=file:/anaconda-ks.cfg" \
    --graphics spice \
    --initrd-inject /srv/nfs/ISO/Fedora19/anaconda-ks.cfg \
    --location /srv/nfs/ISO/Fedora-19-Alpha-x86_64-DVD.iso \
    --name Fedora19 \
    --network network=Host \
    --noautoconsole \
    --os-type "linux" \
    --os-variant "fedora18" \
    --ram 2048 \
    --vcpus 2

Actual results:
1:33:11,945 INFO program: done
21:33:11,945 DEBUG program: Return code: 0
21:33:12,148 INFO program: Running... /usr/sbin/authconfig --update --nostart --enableshadow --passalgo=sha512
21:33:13,734 DEBUG program: Return code: 0

[root@fedora19 ~]# firewall-cmd --list-all
public
  interfaces: eth0
  services: mdns dhcpv6-client ssh
  ports:
  forward-ports:
  icmp-blocks:
[root@fedora19 ~]#

Expected results:
[root@fedora19 ~]# firewall-cmd --list-all
public
  interfaces: eth0
  services: mdns ssh
  ports:
  forward-ports:
  icmp-blocks:
[root@fedora19 ~]#

Additional info:

Please attach the complete /tmp/anaconda.log and /tmp/program.log to this bug report. Thanks.
After further review, it is possible to add to the defaults but not remove a default service. This kickstart firewall command:

firewall --enable --service=ftp,mdns,ssh

results in this configuration:

[root@fedora19 ~]# firewall-cmd --list-all
public
  interfaces: eth0
  services: ftp mdns dhcpv6-client ssh
  ports:
  forward-ports:
  icmp-blocks:
[root@fedora19 ~]#

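The mismatch reported above can be caught after installation by comparing the zone's enabled services with the kickstart allowlist. This is an added example, not code from the reporter or from the Anaconda or firewalld projects; the function names are hypothetical and both samples are constructed from the values quoted in this report.

```shell
#!/bin/sh
# Added example: flag firewalld services that the kickstart file never asked for.

# Constructed sample: kickstart excerpt using the reporter's firewall line.
KS_SAMPLE='firewall --enable --service=mdns,ssh
firstboot --disable
%post
firewall-cmd --permanent --remove-service=dhcpv6-client
%end'

# Constructed sample: `firewall-cmd --list-all` output as shown in the report.
LIST_ALL_SAMPLE='public
  interfaces: eth0
  services: mdns dhcpv6-client ssh
  ports:'

# Services named on the kickstart "firewall" command, one per line.
# Handles --service=a,b and repeated --service=a; the pattern requires
# whitespace after "firewall", so %post lines such as "firewall-cmd ..." are skipped.
ks_declared_services() {
    printf '%s\n' "$1" | sed -n 's/^firewall[[:space:]]\{1,\}//p' |
        tr -s '[:space:]' '\n' | sed -n 's/^--service=//p' |
        tr ',' '\n' | sed '/^$/d' | sort -u
}

# Services listed on the "services:" line of `firewall-cmd --list-all` output.
zone_enabled_services() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*services:[[:space:]]*//p' |
        tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# Services enabled in the zone but absent from the kickstart allowlist.
unexpected_services() {
    declared=$(ks_declared_services "$1")
    for svc in $(zone_enabled_services "$2"); do
        printf '%s\n' "$declared" | grep -qxF -- "$svc" || printf '%s\n' "$svc"
    done
}

unexpected_services "$KS_SAMPLE" "$LIST_ALL_SAMPLE"   # prints: dhcpv6-client
```

On an installed system the second argument would be "$(firewall-cmd --list-all)" and the first the contents of the kickstart file used for the install.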
Created attachment 741675 /tmp/anaconda.log
Created attachment 741676 /tmp/program.log
This problem persists in Fedora 19 Beta TC3.
This problem persists in Fedora 19 Beta TC4.

16:30:54,828 INFO program: Running... /usr/bin/firewall-offline-cmd --enabled --service=mdns --service=ssh
16:30:55,105 INFO program: No changes to default zone needed.

Looks like firewall-offline-cmd can't list and remove enabled services. Filed bug 969106 on firewalld.
I had previously created 964234 on firewalld.
Looks like firewalld support for removing services was added in version 0.3.5, so this can be finally implemented also in Anaconda.
anaconda-20.23-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/anaconda-20.23-1.fc20
Package pykickstart-1.99.42-1.fc20, anaconda-20.23-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pykickstart-1.99.42-1.fc20 anaconda-20.23-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-18714/pykickstart-1.99.42-1.fc20,anaconda-20.23-1.fc20
then log in and leave karma (feedback).

anaconda-20.25-1.fc20, python-blivet-0.23-1.fc20, pykickstart-1.99.42-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/FEDORA-2013-18731/python-blivet-0.23-1.fc20,pykickstart-1.99.42-1.fc20,anaconda-20.25-1.fc20
anaconda-20.25-1.fc20, python-blivet-0.23-1.fc20, pykickstart-1.99.42-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.