Bugzilla – Full Text Bug Listing

| Summary: | yast2-dns-server does not recognize firewalld zones - uses public | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Distribution | Reporter: | Forgotten User vwtNYXcjMq <forgotten_vwtNYXcjMq> |
| Component: | YaST2 | Assignee: | YaST Team <yast-internal> |
| Status: | RESOLVED WONTFIX | QA Contact: | Jiri Srain <jsrain> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | forgotten_vwtNYXcjMq, kanderssen, mchandras, stefan.schaefer, wicked-maintainers |
| Version: | Leap 15.0 | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://trello.com/c/Gpk6amLi | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | YaST Logs | ||
Description
Forgotten User vwtNYXcjMq
2018-07-04 17:53:46 UTC
I will try to reproduce it, although it would be nice to have YaST logs as described here (https://en.opensuse.org/openSUSE:Report_a_YaST_bug).

In general, YaST modules read and write the permanent configuration instead of the running one.

When the interface is moved from the "public" to the "external" in YaST, we write the ifcfg file and then we restart the network.

When wicked applies the configuration it does a

    firewall-cmd --zone=external --change-interface=$interface_name

That will modify the configuration only in the running state but will not make it permanent.

Markos and Marius, would it be reasonable to do also a --permanent write, or at least a --permanent write and then a reload in wicked?

Created attachment 776236
YaST Logs

The place I actually caught the issue was when I started YaST in ncurses and went: Network Services->DNS Server

The Startup screen under Firewall Details lists the interface as "Interface is not Assigned". This made me look around. Even when configured, and rebooted I still see that message.

I will add it to our current Trello Board, in order to prioritize it during next sprints.

Just adding a little more info in case it helps.

yast2-dhcp-server has a similar issue where it seems to not read the ifcfg-* file even though the interface has been assigned in the wicked network card interface (external in my case). The interesting part is that it pops up a window (ncurses again) where it states:

    Network interface eth0 is not mentioned in any firewall zone. Run YaST firewall configuration to assign it to a zone.

Not reading the ifcfg-* file might be a bug (your call), but it is a pretty elegant solution that maybe could be re-utilized in the yast2-dns-server, even if short-term until the final fix is decided on.

I am happy to file another bug report on yast2-dhcp-server if you want me to. Just let me know. You know your workflow better than I do.

(In reply to David Chewning from comment #6)
> Just adding a little more info in case it helps.
>
> yast2-dhcp-server has a similar issue where it seems to not read the ifcfg-*
> file even though the interface has been assigned in the wicked network
> card interface (external in my case). The interesting part is that it
> pops up a window (ncurses again) where it states:
>
> Network interface eth0 is not mentioned in any firewall zone. Run YaST
> firewall configuration to assign it to a zone.
>
> Not reading the ifcfg-* file might be a bug (your call), but it is a pretty
> elegant solution that maybe could be re-utilized in the yast2-dns-server,
> even if short-term until the final fix is decided on.
>
> I am happy to file another bug report on yast2-dhcp-server if you want me
> to. Just let me know. You know your workflow better than I do.

It is not needed, you will face the same problem in any module that is using the widget for opening firewall ports for a given service.

As I described, YaST firewalld library relies on the permanent configuration, so when the network configuration is written, we just modify the ifcfg-files and restart the network. Then, wicked changes the interfaces' zones in the running instance but does not make the config permanent. From that moment, if firewalld is restarted or if any YaST module reads the firewalld config, the changes will be lost.

Please, do not remove the needinfo flag, as I added wicked and firewalld maintainers for giving also their opinion about the best way to handle it.

(In reply to Knut Alejandro Anderssen González from comment #2)
> In general, YaST modules read and write the permanent configuration instead
> of the running one.
>
> When the interface is moved from the "public" to the "external" in YaST, we
> write the ifcfg file and then we restart the network.
>
> When wicked applies the configuration it does a
>
> firewall-cmd --zone=external --change-interface=$interface_name
>
> That will modify the configuration only in the running state but will not
> make it permanent.
>
> Markos and Marius, would it be reasonable to do also a --permanent write, or
> at least a --permanent write and then a reload in wicked?

I think it would be fine. There is also the 'firewall-cmd --runtime-to-permanent' option to write the entire runtime configuration to the permanent xml files.

yast2-dns-server is now dropped in TW. Closing.
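
The runtime/permanent mismatch discussed in this thread can be checked per interface by asking firewalld for both views and comparing them. The script below is an added example, not code from YaST, wicked or any commenter; the `FWCMD` variable and the function names `zone_of` and `check_drift` are assumptions of this example.

```shell
#!/bin/sh
# Added example: report interfaces whose firewalld zone differs between the
# runtime and the permanent configuration (the drift described in the thread).
# FWCMD is an assumption of this example; it lets the check run against a stub.
FWCMD="${FWCMD:-firewall-cmd}"

# zone_of MODE IFACE: print the zone IFACE is bound to, or "-" when unbound.
# MODE is "runtime" or "permanent".
zone_of() {
    if [ "$1" = permanent ]; then
        z=$("$FWCMD" --permanent --get-zone-of-interface="$2" 2>/dev/null) || z=
    else
        z=$("$FWCMD" --get-zone-of-interface="$2" 2>/dev/null) || z=
    fi
    # firewall-cmd prints "no zone" for an unbound interface; treat that and
    # any failed query as unbound.
    case "$z" in
        ""|"no zone") z=- ;;
    esac
    printf '%s\n' "$z"
}

# check_drift IFACE...: print one line per interface; return 1 if any differ.
check_drift() {
    drift=0
    for i in "$@"; do
        rt=$(zone_of runtime "$i")
        pm=$(zone_of permanent "$i")
        if [ "$rt" = "$pm" ]; then
            printf 'OK    %s zone=%s\n' "$i" "$rt"
        else
            printf 'DRIFT %s runtime=%s permanent=%s\n' "$i" "$rt" "$pm"
            drift=1
        fi
    done
    return "$drift"
}

# Usage on a host (needs privileges to query firewalld):
#   check_drift eth0 eth1 || echo "runtime and permanent zones differ"
```

A `DRIFT` line means the runtime binding will be lost when firewalld restarts or reloads, and that tools reading only the permanent configuration see a different zone than the one currently enforced.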