Bug 885807

Summary: firewalld accidentally made mandatory; needs to be optional for f18 and f19
Product: Fedora
Component: anaconda
Version: 18
Reporter: Matthew Miller <mattdm>
Assignee: Brian Lane <bcl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED WONTFIX
Severity: high
Priority: high
Keywords: TestBlocker
Type: Bug
Doc Type: Bug Fix
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: ---
CC: anaconda-maint-list, awilliam, bpeck, gholms, g.kaviyarasu, jburke, jonathan, jpirko, jstancek, mattdm, mitr, notting, psplicha, sbueno, twoerner, vanmeeuwen+fedora
Clone Of: 815540
Bug Depends On: 815540
Bug Blocks: 752665, 835469, 835471, 1032605
Last Closed: 2012-12-14 13:35:37 UTC

Attachments:
  revert to lokkit patch (flags: none)

Description Matthew Miller 2012-12-10 17:04:23 UTC
The plan at http://fedoraproject.org/wiki/Features/firewalld-default is for FirewallD to be the default for F18, but for the static firewall with system-config-firewall/lokkit to be supported at least through F19, with a plan for conversion after that.

Anaconda has been changed over to use the new system entirely. We need to have a fallback when firewalld is not available.

There are a number of approaches to take here:

1) Write some agnostic wrapper that calls either lokkit or firewall-offline-cmd, or else extend lokkit to *be* that wrapper.

2) Put a kludge into the code so lokkit will be called if firewall-offline-cmd is not found.

3) If firewalld isn't found, log a warning but continue, allowing users to set up the system statically by hand if need be. (And document this in the release notes!)


#1 seems best but too much work without further F18 delay;

#2 is ugly but nicer for users than #3; and

#3 would be the least effort and therefore is probably the best choice at this point.
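The following is an added example, not anaconda's code, of what option #2 above amounts to, with option #3's "warn and continue" as the final fallthrough. It assumes that firewall-offline-cmd accepts the same lokkit-style options anaconda passes (--enabled, --disabled, --service=, --port=), and the function names are hypothetical. The search path is an explicit argument so the selection logic can be exercised against a constructed directory of stub tools rather than the live system.

```shell
#!/bin/sh
# Added example (not anaconda's code): pick firewall-offline-cmd when present,
# fall back to lokkit, and otherwise warn and continue. Assumption: both tools
# accept the lokkit-style option set (--enabled, --disabled, --service=, --port=).

# find_tool NAME SEARCHPATH
# Print the first executable NAME in the colon-separated SEARCHPATH; return 1
# if none is found. Walks the path by hand so it does not depend on $PATH.
find_tool() {
    _name=$1
    _saved_ifs=$IFS
    IFS=:
    for _dir in $2; do
        [ -n "$_dir" ] || continue
        if [ -x "$_dir/$_name" ]; then
            IFS=$_saved_ifs
            echo "$_dir/$_name"
            return 0
        fi
    done
    IFS=$_saved_ifs
    return 1
}

# firewall_backend [SEARCHPATH]
# Print which backend would be used: firewalld (preferred), lokkit, or none.
# SEARCHPATH defaults to the caller's $PATH.
firewall_backend() {
    _search=${1:-$PATH}
    if find_tool firewall-offline-cmd "$_search" >/dev/null; then
        echo firewalld
    elif find_tool lokkit "$_search" >/dev/null; then
        echo lokkit
    else
        echo none
    fi
}

# configure_firewall SEARCHPATH OPTION...
# Run the selected tool with the given lokkit-style options. Exit status 2
# means neither tool exists: the installed system then ends up with no
# firewall configuration at all, which is exactly the minimal-install
# regression discussed later in this bug, so the caller must at least log it.
configure_firewall() {
    _search=${1:-$PATH}
    shift
    case $(firewall_backend "$_search") in
        firewalld) "$(find_tool firewall-offline-cmd "$_search")" "$@" ;;
        lokkit)    "$(find_tool lokkit "$_search")" "$@" ;;
        none)
            echo "warning: neither firewall-offline-cmd nor lokkit found;" \
                 "firewall left unconfigured" >&2
            return 2
            ;;
    esac
}

# Stand-alone run: report what this host would select from its real $PATH.
echo "firewall backend on this host: $(firewall_backend)"
```

Two caveats a practitioner should keep in mind when reading the fallback: a lokkit run only writes the static /etc/sysconfig configuration, which is loaded at boot by iptables.service from the iptables-services package (as Comments 4 and 5 point out, that package is not in a minimal install unless requested), and the "none" branch is a successful installation with no firewall, so it must be logged loudly rather than silently skipped.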

Comment 1 Matthew Miller 2012-12-10 17:06:55 UTC
See also bug #884878 for same code in livecd-tools, used by appliance creator and friends.

Comment 2 Matthew Miller 2012-12-11 20:44:24 UTC
https://fedorahosted.org/fesco/ticket/973#comment:21

FirewallD author suggests that the current correct behavior is to use lokkit and firewalld will handle the conversion if installed.

Comment 3 Bill Nottingham 2012-12-11 20:47:50 UTC
... and if it's not installed, there will be no active firewall?

Comment 4 Matthew Miller 2012-12-11 21:39:03 UTC
(In reply to comment #3)
> ... and if it's not installed, there will be no active firewall?

We've still got the old scripts in the "iptables-services" package.

Comment 5 Bill Nottingham 2012-12-11 21:57:19 UTC
Which will never be installed, except by explicit request. To be clear, what I'm referring to here is that right now the changes proposed here change it from always having a firewall of some sort active, to having *none* in the minimal install. This is a regression from prior releases, and putting iptables-services back in the minimal install is likely to make it *more* confusing.

Comment 6 Brian Lane 2012-12-11 22:09:18 UTC
Created attachment 661709: revert to lokkit patch

Comment 7 Thomas Woerner 2012-12-12 11:27:08 UTC
Bill: You are right. This is indeed a regression.

After thinking about this a bit more, I think that the patch in comment 6 should not get applied. Not having a firewall in minimal is not good. Using different firewalls in minimal and other installations is also not good.

Comment 8 Thomas Woerner 2012-12-12 13:42:12 UTC
I would prefer to have firewalld also in minimal and to fix pygobject3 to reduce the requirements.

Comment 9 Matthew Miller 2012-12-12 15:21:25 UTC
It would have been nice to have a plan for this from the beginning, but that's water under the bridge. I'm not particularly excited about any of the options at this point, but making the feature go from the accepted make-it-default to much more controversial mandatory just because we hit a release deadline seems like an end-run around the process.

But, that said: it's my understanding that if the systemd unit for FirewallD has "Conflicts=iptables.service" and "After=iptables.service", they can both be installed and firewalld will take over from the former once started. So I don't think that's so bad, especially if, as Thomas says, FirewallD will import/inherit the traditional configuration.

Comment 10 Thomas Woerner 2012-12-12 15:41:03 UTC
Firewalld has a tool to convert these settings. It is not doing this automatically.

Comment 11 Thomas Woerner 2012-12-14 12:41:25 UTC
Since the pygobject3 dependency problem has been fixed, this bug should be closed and the patch should be reverted to have a firewall even in minimal installations. See FESCo ticket 973.

Comment 12 Brian Lane 2012-12-14 13:35:37 UTC
This patch was never applied, so closing. Thanks!