Bug 815540 - anaconda vs. firewalld
Summary: anaconda vs. firewalld
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 19
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Brian Lane
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 822290
Depends On:
Blocks: 835469 835471 885807 1032605
Reported: 2012-04-23 19:33 UTC by Bill Nottingham
Modified: 2014-03-17 03:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 835469 835471 885807 (view as bug list)
Environment:
Last Closed: 2013-05-21 22:03:49 UTC
Type: Bug
Embargoed:


Attachments
patch to allow cmdline args (deleted), 2012-10-01 23:51 UTC, Brian Lane

Description Bill Nottingham 2012-04-23 19:33:55 UTC
Description of problem:

From https://fedoraproject.org/wiki/Features/firewalld-default:

An explicit transition is planned after Fedora 18 with dropping support for the static firewall with system-config-firewall/lokkit. A migration from the static firewall model will be needed then.

anaconda uses system-config-firewall-tui (aka, lokkit) for two things:

1) Setting the SELinux state (enforcing/permissive/disabled)

2) Handling the %firewall kickstart command

Version-Release number of selected component (if applicable):

anaconda master/newui/etc.

How reproducible:

100%

Steps to Reproduce:
1. look at the code

Comment 1 Chris Lumens 2012-05-17 01:53:27 UTC
*** Bug 822290 has been marked as a duplicate of this bug. ***

Comment 2 Jan Stancek 2012-06-21 15:43:13 UTC
Is there an estimate when firewall option will be supported?
Can you recommend any workaround?
We are currently hitting this in beaker (with RHEL7 Alpha2), kickstart contains "firewall --disabled", but firewalld is still running and creating rules.

Comment 3 Petr Šplíchal 2012-06-26 08:23:06 UTC
This is a test blocker for multihost testing, adjusting priority.
Could we get a fix for this soon? Thanks.

Comment 4 Brian Lane 2012-06-26 21:26:46 UTC
For selinux we can use the selinux python module; dwalsh contributed some code to livecd-tools that does that and we can adapt that for Anaconda.

I've taken a look at firewalld, and as far as I can tell it doesn't have any provisions for generating a configuration in a chroot environment, since it is running as a dbus server. We need to be able to call firewalld in a way that only changes the install target chroot, not the host system's settings.

Suggestions from the firewalld developers would be appreciated.

Comment 5 Brian Lane 2012-10-01 23:51:25 UTC
Created attachment 620072 [details]
patch to allow cmdline args

Comment 6 Fedora Update System 2012-10-18 02:36:08 UTC
anaconda-18.18-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/anaconda-18.18-1.fc18

Comment 7 Fedora Update System 2012-10-18 15:27:58 UTC
Package anaconda-18.18-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing anaconda-18.18-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16402/anaconda-18.18-1.fc18
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2012-10-20 01:32:00 UTC
anaconda-18.19-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/anaconda-18.19-1.fc18

Comment 9 Matthew Miller 2012-12-08 03:42:37 UTC
I think this is where anaconda switched to calling /usr/bin/firewall-offline-cmd, and I think there's been a miscommunication. Note initially this report says that a migration from the static model will happen *after F18*. And in fact, the Feature page now says "after Fedora 19".


I know we're pretty late in the game and I wish I had noticed this earlier.

Comment 11 Matthew Miller 2012-12-10 16:53:49 UTC
I'm going to clone a new bug from this one for the "accidentally mandatory" issue, and put this back to "on qa".

Comment 12 Adam Williamson 2012-12-11 01:11:45 UTC
This is pretty old to be ON_QA. What needs determining before it gets closed exactly? I lost track of where we're up to here.

Comment 13 Matthew Miller 2012-12-11 05:03:08 UTC
(In reply to comment #12)
> This is pretty old to be ON_QA. What needs determining before it gets closed
> exactly? I lost track of where we're up to here.

I dunno. It was ON_QA when I reopened it, so I put it back.

Comment 14 Fedora Update System 2012-12-20 15:24:23 UTC
anaconda-18.18-1.fc18 has been pushed to the Fedora 18 obsolete repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Orion Poplawski 2013-03-06 18:08:27 UTC
This is still a problem for me with 18.37.11.  With firewall --disabled, firewalld is still enabled and starting up on the installed system.

09:21:59,552 INFO program: Running... /usr/bin/firewall-offline-cmd --disabled --service=ssh
09:22:00,719 INFO program: Firewall was disabled, unable to convert to zone.
09:22:00,719 INFO program: No changes to default zone needed.

Kickstart has:

firewall --disabled

Comment 16 Fedora End Of Life 2013-04-03 19:48:53 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 17 Orion Poplawski 2013-05-21 16:18:48 UTC
Still present in 19.28-1.  I think you need to be running: 

systemctl disable firewalld.service

Comment 18 Brian Lane 2013-05-21 22:03:49 UTC
Please don't re-open this. It was meant to track the transition to using firewalld. If you have a problem with its behavior please file a new bug with details.

The firewall ks command controls the firewall itself. If you want to disable the service itself you should pass services --disabled=firewalld
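
The distinction drawn in comment 18, as an added example that is not part of the bug thread or of anaconda's code: a shell lint that flags a kickstart containing "firewall --disabled" but no "services --disabled=firewalld", the combination that comments 15 and 17 report leaves firewalld enabled on the installed system. The function name and result strings are hypothetical, the sample kickstart is constructed, and %include files are not followed.

```shell
# Added example (not from the bug thread or anaconda).
# ks_firewalld_check FILE prints one of:
#   firewall-enabled       no effective "firewall --disabled" command
#   service-still-enabled  firewall disabled, firewalld unit not disabled
#   service-disabled       firewall disabled and firewalld listed in services --disabled
ks_firewalld_check() {
    awk '
    function has_firewalld(list,    n, parts, j) {
        gsub(/"/, "", list)                      # tolerate a quoted service list
        n = split(list, parts, ",")
        for (j = 1; j <= n; j++)
            if (parts[j] == "firewalld" || parts[j] == "firewalld.service") return 1
        return 0
    }
    $1 == "%end"     { in_section = 0; next }   # end of a %packages/%pre/%post body
    $1 == "%include" { next }                   # included files are not followed
    $1 ~ /^%/        { in_section = 1; next }   # section bodies are not ks commands
    in_section || $1 ~ /^#/ { next }            # skip section content and comments
    $1 == "firewall" {
        for (i = 2; i <= NF; i++) {
            if ($i == "--disabled") fw_off = 1
            if ($i == "--enabled")  fw_off = 0
        }
    }
    $1 == "services" {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^--disabled=/) {
                arg = $i; sub(/^--disabled=/, "", arg)
                if (has_firewalld(arg)) svc_off = 1
            } else if ($i == "--disabled" && i < NF) {
                if (has_firewalld($(i + 1))) svc_off = 1
            }
        }
    }
    END {
        if (!fw_off)      print "firewall-enabled"
        else if (svc_off) print "service-disabled"
        else              print "service-still-enabled"
    }' "$1"
}

# Constructed sample matching the kickstart quoted in comment 15.
sample=$(mktemp)
printf '%s\n' 'firewall --disabled' '%packages' '@core' '%end' > "$sample"
ks_firewalld_check "$sample"
rm -f "$sample"
```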

