Bugzilla – Full Text Bug Listing
| Summary: | Firewall configuration is ignored | ||
|---|---|---|---|
| Product: | [SUSE Linux Enterprise Desktop] Public Beta SUSE Linux Enterprise Desktop 15 SP2 | Reporter: | David Tomasek <d.tomasek> |
| Component: | YaST2 | Assignee: | E-mail List <yast2-maintainers> |
| Status: | RESOLVED FIXED | QA Contact: | Jiri Srain <jsrain> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | d.tomasek, dimstar, jreidinger, kanderssen, schubi |
| Version: | Public RC2 | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | SLED 15 | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | AutoYaST profile with <firewall> section; Log generated via save_y2logs | ||
Can you please attach yast logs from your attempt (generated by save_y2logs script)? As there are some conditions which affect how it is installed and I need to check it. Thanks

Created attachment 842734 [details]
Log generated via save_y2logs

Ah, thanks for logs. I think it is clear now. Issue is that firewall configuration happens in second stage and your autoyast profile explicitly disables second stage, so it is not configured. So if you change or remove <second_stage config:type="boolean">false</second_stage> it should work, if not, then please attach fresh logs. Thanks

We have verified that there is an error when the firewall is configured. In SLE-15-GA the finish client was not used in case of auto-installation, but it was brought back in SP2.

https://github.com/yast/yast-firewall/pull/127

The service configuration should be skipped in case of AY and should be configured properly during the second stage, but the point is that it is not and the service is configured according to the proposal settings.

https://github.com/yast/yast-firewall/pull/127/files#diff-4dfd6005cfa95ae874b74358a92a3677b3c1031692635f14bc6e5acd79f2b728R76

We will fix check verifying that the settings are written only in Yast::Mode.mode == "installation".

fix is now under review https://github.com/yast/yast-firewall/pull/139 it will need installer self-update to be applied.

But even with fix, to apply firewall configuration from autoyast profile, second stage is needed. The change just keeps status quo, which does not enable firewall after first stage.

I am not sure, if this is bug or not, but adding <second_stage config:type="boolean">true</second_stage> fixed the issue. Thank you.

(In reply to David Tomasek from comment #7)
> I am not sure, if this is bug or not, but adding <second_stage
> config:type="boolean">true</second_stage> fixed the issue. Thank you.

OK, let me explain it. Firewall configuration is done in second stage, so if second stage is set to false, it will not be configured.
But in first stage we are writing firewall for common installation (not auto one) and here we have regression that it is now wrongly proposed also for autoinstallation, so it ignores settings in autoyast profile and enables firewall always when it is installed. That is what we are fixing by that change in comment#5

OK, so maintenance update created and fix also for SP3 is done. So let's close it. Thanks for report.

Be aware of https://bugzilla.opensuse.org/show_bug.cgi?id=1178050

An autoyast profile that does not explicitly firewall to be enabled does result on a system without firewall - imho a regression

(In reply to Dominique Leuenberger from comment #11)
> Be aware of https://bugzilla.opensuse.org/show_bug.cgi?id=1178050
>
> An autoyast profile that does not explicitly firewall to be enabled does
> result on a system without firewall - imho a regression

I have not that opinion. It will be set in the second stage to the settings created by the proposal if it has not been defined in the AY configuration file. If the second stage is disabled not all modules will be configured (e.g. the firewall). Switching off the second stage will be done manually and for special use cases only. So this is not the common way.

SUSE-RU-2020:3365-1: An update that has one recommended fix can now be installed.
Category: recommended (moderate)
Bug References: 1177778
CVE References:
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): yast2-firewall-4.2.5-3.3.4
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-RU-2020:2003-1: An update that has one recommended fix can now be installed.
Category: recommended (moderate)
Bug References: 1177778
CVE References:
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): yast2-firewall-4.2.5-lp152.2.3.1

SUSE-RU-2021:0609-1: An update that has one recommended fix and contains three features can now be installed.
Category: recommended (moderate)
Bug References: 1177778
CVE References:
JIRA References: SLE-17307,SLE-17342,SLE-17427
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): yast2-firewall-4.2.6-3.6.1, yast2-security-4.2.19-3.16.3
SUSE Linux Enterprise Installer 15-SP2 (src): yast2-security-4.2.19-3.16.3
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-RU-2021:0364-1: An update that has one recommended fix can now be installed.
Category: recommended (moderate)
Bug References: 1177778
CVE References:
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): yast2-firewall-4.2.6-lp152.2.6.1, yast2-security-4.2.19-lp152.2.12.1
Created attachment 842719 [details]
AutoYaST profile with <firewall> section

Disabling firewall in AutoYaST <firewall> section results in firewalld.service enabled and running after installation. There were no issues in SLE15SP0 with same <firewall> settings.
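
The condition this report turned on can be checked before an installation is started. The following is an added example, not part of the bug report or of YaST: it flags an AutoYaST profile that disables the second stage, since per the comments above the firewall is only configured there. The sample profile is constructed; `lint_profile` and its finding names are hypothetical, and the `<general><mode>` placement and the `enable_firewall`/`start_firewall` keys are assumed from the AutoYaST profile format.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample profile (not the attachment from this report).
SAMPLE_PROFILE = """<profile xmlns="http://www.suse.com/1.0/yast2ns"
         xmlns:config="http://www.suse.com/1.0/configns">
  <general>
    <mode>
      <second_stage config:type="boolean">false</second_stage>
    </mode>
  </general>
  <firewall>
    <enable_firewall config:type="boolean">false</enable_firewall>
    <start_firewall config:type="boolean">false</start_firewall>
  </firewall>
</profile>
"""


def local(tag):
    """Strip the XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def second_stage_enabled(root):
    """True unless a <second_stage> element is explicitly set to false."""
    # The thread says removing the element also works, so absence counts as enabled.
    nodes = [el for el in root.iter() if local(el.tag) == "second_stage"]
    return not nodes or (nodes[0].text or "").strip().lower() != "false"


def lint_profile(xml_text):
    """Return findings about firewall handling for one AutoYaST profile."""
    root = ET.fromstring(xml_text)
    if second_stage_enabled(root):
        return []  # firewall is configured in the second stage
    if any(local(child.tag) == "firewall" for child in root):
        # <firewall> settings exist but the stage that applies them is off.
        return ["firewall-section-not-applied"]
    # No <firewall> section and no second stage: nothing configures the firewall.
    return ["firewall-left-unconfigured"]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    findings = lint_profile(text)
    print("\n".join(findings) or "ok")
    sys.exit(1 if findings else 0)
```

Run it against each profile in a deployment repository, then confirm the result on an installed host with `systemctl is-enabled firewalld`.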