Bug 1084177 - SuSEfirewall2 and firewalld conflicting each other
Status: RESOLVED WORKSFORME
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Network
Assigned To: Matthias Gerstner
Reported: 2018-03-06 17:42 UTC by Matej Cepl
Modified: 2018-04-03 09:24 UTC (History)
Description Matej Cepl 2018-03-06 17:42:43 UTC
I have installed LEAP 42.3 in my VM and then I have upgraded to Tumbleweed using https://en.opensuse.org/openSUSE:Tumbleweed_upgrade steps. The result was that I had both SuSEfirewall2 and firewalld installed, and they seem to fight each other. When I enabled and started firewalld (using either systemctl or Yast2, it did not make any difference) I ended up on the next reboot with firewalld enabled but dead. Only when I removed SuSEfirewall2, firewalld started to boot up properly (and so I can connect to VM via ssh ;)).

Now I have firewalld-0.5.1-1.1.noarch, and I have removed SuSEfirewall2-3.6.378-1.1.

I guess firewalld should somehow conflict with other firewalls, shouldn't it?
Comment 1 Matthias Gerstner 2018-03-07 10:12:11 UTC
Hello and thank you for your report.

Can you please test whether there is a conflict when you enable only one of
the firewall packages?

  root# systemctl disable firewalld
  root# systemctl enable SuSEfirewall2

This should work for SuSEfirewall2, and the other way around for firewalld.

Basically both firewalls do not conflict with each other. But they should, of
course, not both be started at the same time.
Comment 2 Matej Cepl 2018-03-08 22:54:16 UTC
(In reply to Matthias Gerstner from comment #1)
> Can you please test whether there is a conflict when you enable only one of
> the firewall packages?
> 
>   root# systemctl disable firewalld
>   root# systemctl enable SuSEfirewall2
> 
> This should work for SuSEfirewall2, and the other way around for firewalld.

OK, I have reinstalled SuSEfirewall2, reproduced the problem, and when I run

systemctl disable SuSEfirewall2
systemctl stop SuSEfirewall2

and then everything works (I don't know actually how to make SuSEfirewall2, not that it matters anymore).

So, I would say that something wrong happened on the upgrade from LEAP to Tumbleweed, and I would say there is something with packaging. Why shouldn't these two packages conflict with each other? Is there any possibility somebody would like to have both of these even installed?
Comment 3 Matthias Gerstner 2018-03-09 08:42:56 UTC
Thanks for testing this. It is as I expected.

In packaging we always try to avoid adding Conflicts as outlined here:

https://en.opensuse.org/openSUSE:Packaging_conflicts

I will look into this and discuss it. Maybe a conflict on systemd level would
be enough, because both packages can very well be installed at the same time.
They just shouldn't run at the same time.

I will give you an update what we will do, the conflict will be resolved in
some way.
Comment 4 Matej Cepl 2018-03-09 08:54:09 UTC
(In reply to Matthias Gerstner from comment #3)
> In packaging we always try to avoid adding Conflicts as outlined here:

Well, I was thinking more in terms of https://fedoraproject.org/wiki/Packaging:Guidelines#Renaming.2FReplacing_Existing_Packages (sorry, I don't know what's the OpenSUSE policy on this topic), which I believe is acceptable use of Conflicts/Obsoletes tags, but whatever you think is proper.
Comment 5 Matthias Gerstner 2018-03-09 11:13:44 UTC
After looking a bit into this it will become a Conflict: after all I think.
Modelling it on systemd service unit level could lead to an undefined result.

Strictly speaking SuSEfirewall2 is not replaced by firewalld, just the default
firewall changed. Users that want to use SuSEfirewall2 on Tumbleweed are still
able to do so. At the moment allowing both packages to be installed could ease
the migration.

Since we want to avoid trouble after upgrading to Tumbleweed the Conflict:
still seems the easiest solution. I will try that approach and hope that
nothing else breaks by this.

In the end SuSEfirewall2 will probably be deleted from openSUSE:Factory but at
the moment I want to keep both available until the integration of YaST with
firewalld is complete and stable.
Comment 6 Swamp Workflow Management 2018-03-09 11:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1084177) was mentioned in
https://build.opensuse.org/request/show/584969 Factory / SuSEfirewall2
Comment 7 Matthias Gerstner 2018-03-13 16:42:49 UTC
Could you please tell me whether you did an offline upgrade or an online
upgrade to Tumbleweed that resulted in this firewall malfunction?
Comment 8 Matej Cepl 2018-03-13 17:20:40 UTC
(In reply to Matthias Gerstner from comment #7)
> Could you please tell me whether you did an offline upgrade or an online
> upgrade to Tumbleweed that resulted in this firewall malfunction?

Online, just using zypper.
Comment 9 Matthias Gerstner 2018-03-14 11:18:31 UTC
Thank you for the information.

As I feared in the beginning, the Conflict is now causing troubles for other
users. See bug 1085260. A couple of issues around the migration path have been
uncovered.
Comment 10 Matthias Gerstner 2018-03-14 11:26:41 UTC
YaST maintainers, I suspect that some mechanism in YaST caused the firewalld service to be enabled after the upgrade. firewalld is not enabled via systemd-presets.

The situation that both firewalls are enabled automatically during upgrades needs to be avoided. Can you add some logic to yast2-firewall or other involved packages that makes sure that SuSEfirewall2 is disabled (if applicable) before firewalld is enabled?
Comment 11 Lukas Ocilka 2018-03-14 14:10:45 UTC
(In reply to Matthias Gerstner from comment #10)
> YaST maintainers, I suspect that some mechanism in YaST caused the firewalld
> service to be enabled after the upgrade. firewalld is not enabled via
> systemd-presets.

Please, see comment #8: Online, just using zypper.

Doesn't look like YaST is involved...
Comment 12 Matthias Gerstner 2018-03-14 17:07:48 UTC
(In reply to locilka@suse.com from comment #11)
> Please, see comment #8: Online, just using zypper.

Yes I am aware of that. But after the upgrade by using YaST it could have
happened.
Comment 13 Matej Cepl 2018-03-14 19:46:22 UTC
(In reply to Matthias Gerstner from comment #12)
> (In reply to locilka@suse.com from comment #11)
> > Please, see comment #8: Online, just using zypper.
> 
> Yes I am aware of that. But after the upgrade by using YaST it could have
> happened.

Actually, I am not even sure I have SuSEFirewall2-yast module installed. When I tried to check the state of firewall in Yast I have found only firewalld module (which was frozen; obviously, because firewalld itself was not running).
Comment 14 Matthias Gerstner 2018-03-15 13:19:16 UTC
Well I tried an upgrade from Leap 42.3 to Tumbleweed now and couldn't find any
situation that could result in both firewalls being enabled implicitly.

Did you have firewalld installed before upgrading to Tumbleweed? Because it
wasn't even installed by way of the upgrade.
Comment 15 Matej Cepl 2018-03-15 13:59:27 UTC
(In reply to Matthias Gerstner from comment #14)
> Did you have firewalld installed before upgrading to Tumbleweed? Because it
> wasn't even installed by way of the upgrade.

I am not certain, it is possible, but I cannot recall I would be doing anything significant with that Leap installation before upgrading to Tumbleweed.
Comment 16 Markos Chandras 2018-03-19 11:08:48 UTC
Would it be possible for Yast2 to help a bit here by ensuring that SF2 is disabled/stopped as well? In order for firewalld to work properly, SF2 must be stopped (and disabled) to avoid systemd surprises.
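Added example, not part of the bug thread and not code from SuSEfirewall2, firewalld or YaST: a post-upgrade check for the state discussed in comments 1, 10 and 16, where both firewall units end up enabled for boot. The function name and the sample input are constructed for illustration; it assumes the two-column `unit state` layout printed by `systemctl list-unit-files --no-legend`.

```shell
#!/bin/sh
# Added example: flag the state described in this bug, where both
# firewalld.service and SuSEfirewall2.service are enabled for boot.

# Reads `systemctl list-unit-files --type=service --no-legend` output on stdin
# (column 1 = unit file, column 2 = state) and prints a one-line verdict.
# Exit status: 0 = exactly one firewall enabled, 1 = both enabled, 2 = none.
firewall_conflict_report() {
  awk '
    ($1 == "firewalld.service" || $1 == "SuSEfirewall2.service") && $2 == "enabled" {
      names = names sep $1   # collect enabled firewall units in input order
      sep = " "
      n++
    }
    END {
      if (n > 1)  { print "CONFLICT: both enabled: " names; exit 1 }
      if (n == 1) { print "OK: only " names " is enabled"; exit 0 }
      print "WARN: neither firewalld nor SuSEfirewall2 is enabled"; exit 2
    }'
}

# Constructed sample input (not taken from the reporter's machine).
sample_both='SuSEfirewall2.service    enabled
firewalld.service        enabled
sshd.service             enabled'

rc=0
printf '%s\n' "$sample_both" | firewall_conflict_report || rc=$?
echo "exit status: $rc"

# On a live system:
#   systemctl list-unit-files --type=service --no-legend | firewall_conflict_report
```

A non-zero status from a check like this after an upgrade means one of the two units should be disabled and stopped, as in the commands quoted in comments 1 and 2.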
Comment 17 Swamp Workflow Management 2018-03-19 14:10:05 UTC
This is an autogenerated message for OBS integration:
This bug (1084177) was mentioned in
https://build.opensuse.org/request/show/588606 Factory / SuSEfirewall2
Comment 19 Michal Filka 2018-03-20 09:08:35 UTC
(In reply to Markos Chandras from comment #16)
> Would it be possible for Yast2 to help a bit here by ensuring that SF2 is
> disabled/stopped as well? In order for firewalld to work properly, SF2 must
> be stopped (and disabled) to avoid systemd surprises.

yast cannot help much here because:
1) in this case the upgrade was done using zypper
2) yast does not provide any UI for configuring the firewall anymore

The only thing we can do is to tweak the yast-driven upgrade
Comment 20 Matthias Gerstner 2018-04-03 09:22:12 UTC
Since we cannot reproduce the issue there is currently nothing I can do. When
you can provide a straight reproducer then we could look at the issue again.

Since the rpm level conflict between SuSEfirewall2 and firewalld breaks the
migration path this approach had to be rolled back again.

The conflict on systemd level is in place but does not work very well. See
comment 2 item 2).

Closing as WORKSFORME.
Comment 21 Matthias Gerstner 2018-04-03 09:24:48 UTC
Please also see bug 1085260 for more details on the issue.