Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1872759
Summary: | fail2ban-shorewall requires change to include shorewall-lite or shorewall | ||
---|---|---|---|
Product: | [Fedora] Fedora EPEL | Reporter: | William H. Haller <bill> |
Component: | fail2ban | Assignee: | Richard Shaw <hobbes1069> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | unspecified | ||
Version: | epel7 | CC: | anon.amish, axel.thimm, hobbes1069, orion, vonsch |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | fail2ban-0.11.1-10.fc34 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-08-28 11:50:50 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
William H. Haller
2020-08-26 15:04:02 UTC
I don't think rpm in EL 7 can handle this well. In Fedora (and EL 8 I *think*) we have Recommends: and Suggests: which might be one path to fix the problem, but no such options in EL 7. Looking and the provides of both packages: $ sudo repoquery --provides shorewall-lite config(shorewall-lite) = 5.1.10.2-1.el7 shorewall(firewall) = 5.1.10.2-1.el7 shorewall-lite = 5.1.10.2-1.el7 $ sudo repoquery --provides shorewall config(shorewall) = 5.1.10.2-1.el7 perl(Shorewall::ARP) = 5.0 perl(Shorewall::Accounting) = 5.1 perl(Shorewall::Chains) = 5.1 perl(Shorewall::Compiler) = 5.1 perl(Shorewall::Config) = 5.1 perl(Shorewall::IPAddrs) = 5.1 perl(Shorewall::Misc) = 5.1 perl(Shorewall::Nat) = 5.1 perl(Shorewall::Proc) = 4.6 perl(Shorewall::Providers) = 5.1 perl(Shorewall::Proxyarp) = 5.1 perl(Shorewall::Raw) = 5.0 perl(Shorewall::Rules) = 5.1 perl(Shorewall::Tc) = 5.1 perl(Shorewall::Tunnels) = 5.0 perl(Shorewall::Zones) = 5.1 shorewall = 5.1.10.2-1.el7 shorewall(firewall) = 5.1.10.2-1.el7 The only thing they have in common is "shorewall(firewall)". I think what we can do is I can change the requirement to that so that either package satisfies the dependency, however, I can't control which package yum chooses so I would suggest that you install shorewall-lite first and yum *SHOULD* accept that as meeting the requirements and not install shorewall. Testing on the epel7 test server it does pull in shorewall-lite by default, which I'm not thrilled about... $ sudo yum install "shorewall(firewall)" Loaded plugins: fastestmirror Determining fastest mirrors * base: d36uatko69830t.cloudfront.net * epel: mirrors.kernel.org * extras: d36uatko69830t.cloudfront.net * updates: d36uatko69830t.cloudfront.net Resolving Dependencies --> Running transaction check ---> Package shorewall-lite.noarch 0:5.1.10.2-1.el7 will be installed --> Processing Dependency: shorewall-core = 5.1.10.2-1.el7 for package: shorewall-lite-5.1.10.2-1.el7.noarch --> Running transaction check ---> Package shorewall-core.noarch 0:5.1.10.2-1.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ======================================================================================================================= Package Arch Version Repository Size ======================================================================================================================= Installing: shorewall-lite noarch 5.1.10.2-1.el7 epel 63 k Installing for dependencies: shorewall-core noarch 5.1.10.2-1.el7 epel 82 k Transaction Summary ======================================================================================================================= Install 1 Package (+1 Dependent package) I'll have to think about this. On Fedora EPEL 8 I can add a recommends for plain shorewall but can't do that on EL 7. Ok, different strategy. I created a fail2ban-shorewall-lite subpackage which conflicts with fail2ban-shorewall so only one or the other can be installed as they provide the same file. https://koji.fedoraproject.org/koji/taskinfo?taskID=50243307 You can download all the build artifacts for testing using: koji download-task 50243532 I think a separate fail2ban-shorewall-lite package would be a good approach if adding another package wasn't a problem for anyone. Not trying to make waves - but I think it would be a useful option. I'd think there would be more installs of shorewall-lite (for anyone who has a centralized firewall creation server) than shorewall. It would certainly be better than having do depend on randomness of yum/dnf or remember to not install shorewall first (especially for those like me that said why install shorewall and shorewall-lite and just deleted the shorewall package that wasn't needed in trying to keep virtual images as small as possible). Thanks for your time and I hope adding fail2ban-shorewall-lite passes the approval process. If you would, please test my scratch build before I do real builds. There's no approval process other than me. :) Hit a block. I'm running FC32 on the shorewall server, which doesn't satisfy python 3.9 for fail2ban-server and el7's python is only at 2.7.5-88. My fault, I assumed since it was a noarch package it really wouldn't matter but you do need EL 7 specific packages. https://koji.fedoraproject.org/koji/taskinfo?taskID=50261492 rpm -e --justdb fail2ban-shorewall followed by rpm -ivh fail2ban-shorewall-lite seemed to work fine. FYI, I would have suggested: yum swap fail2ban-shorewall fail2ban-shorewall-lite FEDORA-2020-3071e15f57 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report. |