Bug 885807
Summary: | firewalld accidentally made mandatory; needs to be optional for f18 and f19
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Matthew Miller <mattdm>
Component: | anaconda | Assignee: | Brian Lane <bcl>
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | high | Docs Contact: |
Priority: | high
Version: | 18 | CC: | anaconda-maint-list, awilliam, bpeck, gholms, g.kaviyarasu, jburke, jonathan, jpirko, jstancek, mattdm, mitr, notting, psplicha, sbueno, twoerner, vanmeeuwen+fedora
Target Milestone: | --- | Keywords: | TestBlocker
Target Release: | ---
Hardware: | Unspecified
OS: | Unspecified
Whiteboard: |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | 815540 | Environment: |
Last Closed: | 2012-12-14 13:35:37 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: |
Bug Depends On: | 815540
Bug Blocks: | 752665, 835469, 835471, 1032605
Description
Matthew Miller
2012-12-10 17:04:23 UTC
See also bug #884878 for same code in livecd-tools, used by appliance creator and friends.

https://fedorahosted.org/fesco/ticket/973#comment:21
FirewallD author suggests that the current correct behavior is to use lokkit and firewalld will handle the conversion if installed.

... and if it's not installed, there will be no active firewall?

(In reply to comment #3)
> ... and if it's not installed, there will be no active firewall?

We've still got the old scripts in the "iptables-services" package.

Which will never be installed, except by explicit request.

To be clear, what I'm referring to here is that right now the changes proposed here change it from always having a firewall of some sort active, to having *none* in the minimal install. This is a regression from prior releases, and putting iptables-services back in the minimal install is likely to make it *more* confusing.

Created attachment 661709
revert to lokkit patch

Bill: You are right. This is indeed a regression. After thinking about this a bit more, I think that the patch in comment 6 should not get applied. Not having a firewall in minimal is not good. Using different firewalls in minimal and other installations is also not good. I would prefer to have firewalld also in minimal and to fix pygobject3 to reduce the requirements.

It would have been nice to have a plan for this from the beginning, but that's water under the bridge. I'm not particularly excited about any of the options at this point, but making the feature go from the accepted make-it-default to much more controversial mandatory just because we hit a release deadline seems like an end-run around the process.

But, that said: it's my understanding that if the systemd unit for FirewallD has "Conflicts=iptables.service" and "After=iptables.service", they can both be installed and firewalld will take over from the former once started. So I don't think that's so bad, especially if, as Thomas says, FirewallD will import/inherit the traditional configuration.

Firewalld has a tool to convert these settings. It is not doing this automatically.

Since the pygobject3 dependency problem has been fixed, this bug should be closed and the patch should be reverted to have a firewall even in minimal installations. See FESCo ticket 973.

This patch was never applied, so closing. Thanks!