Bug 1125775 - firewalld missing python firewall
firewalld missing python firewall
Status: RESOLVED WORKSFORME
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Basesystem
Current
x86-64 Linux
: P5 - None : Normal (vote)
: ---
Assigned To: Michał Rostecki
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-02-18 12:52 UTC by Olaf Hering
Modified: 2021-04-07 10:05 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Olaf Hering 2019-02-18 12:52:53 UTC
Tumbleweed  20181130-0 -> 20190214-0
firewalld 0.6.3-1.1 -> 0.6.3-2.2
apache2 2.4.37-2.1 -> 2.4.38-1.1

(3856/5676) Installing: apache2-2.4.38-1.1.x86_64 .[done]
Additional rpm output:
Updating /etc/sysconfig/apache2 ...
Running in chroot, ignoring request: daemon-reload
Traceback (most recent call last):
  File "/usr/bin/firewall-cmd", line 31, in <module>
    from firewall.client import FirewallClient, FirewallClientIPSetSettings, \
ModuleNotFoundError: No module named 'firewall'
Running in chroot, ignoring request: daemon-reload
Requesting apache restart (all instances)

Might be just a missing or incomplete Requires(pre) in apache2 or firewalld.
Comment 1 Olaf Hering 2019-02-18 13:38:01 UTC
2019-02-18 12:48:51|install|apache2-example-pages|2.4.38-1.1|x86_64||oss
2019-02-18 13:01:48|install|apache2-utils|2.4.38-1.1|x86_64||oss
# 2019-02-18 13:03:00 apache2-2.4.38-1.1.x86_64.rpm installed ok
# Updating /etc/sysconfig/apache2 ...
#   File "/usr/bin/firewall-cmd", line 31, in <module>
#     from firewall.client import FirewallClient, FirewallClientIPSetSettings, \
# ModuleNotFoundError: No module named 'firewall'
2019-02-18 13:03:00|install|apache2|2.4.38-1.1|x86_64||oss
2019-02-18 13:03:31|install|python3-firewall|0.6.3-2.2|noarch||oss
# 2019-02-18 13:03:40 apache2-prefork-2.4.38-1.1.x86_64.rpm installed ok
2019-02-18 13:03:40|install|apache2-prefork|2.4.38-1.1|x86_64||oss
2019-02-18 13:04:03|install|apache2-mod_dnssd|0.6-28.5|x86_64||oss
# 2019-02-18 13:04:48 firewalld-0.6.3-2.2.noarch.rpm installed ok
# Updating /etc/sysconfig/firewalld ...
2019-02-18 13:04:48|install|firewalld|0.6.3-2.2|noarch||oss
2019-02-18 13:10:20|install|yast2-firewall|4.1.10-1.1|noarch||oss
Comment 2 Petr Gajdos 2019-02-19 07:58:40 UTC
I guess firewalld has to depend on python-firewall?
Comment 3 Petr Gajdos 2019-02-25 09:19:40 UTC
Reassigning as I think it is not issue in apache2 package. In case I am wrong, please reassign back (pointer needed).
Comment 4 Michał Rostecki 2019-02-25 13:54:02 UTC
(In reply to Petr Gajdos from comment #2)
> I guess firewalld has to depend on python-firewall?

It already depends on python3-firewall.

Please see the line 58:
https://build.opensuse.org/package/view_file/openSUSE:Factory/firewalld/firewalld.spec?expand=1
Comment 5 Michał Rostecki 2019-02-25 13:59:17 UTC
Alright, the issue is a bit deeper.

apache2 depends on firewall-macros. firewall-macros is a part of firewalld spec, but it does not require firewalld to be installed. Which is bad, because firewalld macros call firewalld. I need to add that dependency.
Comment 6 Michał Rostecki 2019-02-25 14:39:52 UTC
https://build.opensuse.org/request/show/678933
Comment 7 Michał Rostecki 2019-02-25 14:49:06 UTC
Olaf, as a temporary workaround, please ensure that firewalld and python3-firewall packages are installed. If not, please install them.
Comment 8 Dominique Leuenberger 2019-03-28 14:07:00 UTC
(In reply to Michał Rostecki from comment #5)
> Alright, the issue is a bit deeper.
> 
> apache2 depends on firewall-macros. firewall-macros is a part of firewalld
> spec, but it does not require firewalld to be installed. Which is bad,
> because firewalld macros call firewalld. I need to add that dependency.

That's actually not exactly true:

Every package that BuildREquires and uses firewall-macros expands adds them expanded into the .rpm in the end. only THAT rpm will then have a dependency on firewalld (in fact, it should be Requires(post) on the one that expanded the sources)

In plus, the firewall-macro is resilient against the absence of firewall-cmd - as it checks for its presence before calling it.

Please revert this dependency addition, as it even results in a build cycle in Factory now (NetworkManager, apache2, apparmor, newt)
Comment 9 Dominique Leuenberger 2019-03-28 14:21:05 UTC
To help understand the issue:

For the transaction to be built up, there is no dependency between apache2 and firewalld directly - In Olaf's setup, the two simply happened to be in a transaction by coincidence - and together with firewalld, also python3-firewall (as a dep to firewalld)

Now,

* firewalld requires python3-firewall for runtime - that's given by the specific Requires
* For zypp the 'runtime' provides for any given package must be satisfied AT THE END of the transaction - which it is: all deps were marked for install
* Now, apache2 has a script embedded (expansion happened at build time, bot runtime, hence the dep from firewall-macros tof firewalld is wrong) - but depending on the order of installation of the packages, this might work, skip execution of firewall-cmd or fail

In order to help zypp produce a valid transaction, that does not randomly fail, apache2 would need to specify that it either expects firealld to be present for its post script (Requires(post): firewalld) or that it at least gives a hint that 'if firewalld is part of the same transaction, it shall be installed/usable prior to apache2', using OrderWithRequires(post): firewalld
Comment 10 Michał Rostecki 2020-04-16 21:28:30 UTC
Does anyone still see that issue? The main firewalld package depends on python3-firewalld in Tumbleweed, Leap 15.1 and Leap 15.2. I see no possibility of python3-firewalld missing if firewalld is installed.

Feel free to reopen if I'm wrong.