Bugzilla – Full Text Bug Listing

| Summary: | [Build 27.1] autoyast tests fail with firewalld public zone error | | |
|---|---|---|---|
| Product: | [openSUSE] PUBLIC SUSE Linux Enterprise Server 15 SP6 | Reporter: | Sofia Syrianidou <sofia.syrianidou> |
| Component: | YaST2 | Assignee: | Knut Alejandro Anderssen González <kanderssen> |
| Status: | VERIFIED FIXED | QA Contact: | |
| Severity: | Major | | |
| Priority: | P1 - Urgent | CC: | ana.guerrero, dimstar, eugenio.paolantonio, ioannis.bonatakis, kanderssen, qe-virt, riccardo.ceragioli, santiago.zarate, xguo, zluo |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://openqa.suse.de/tests/12636878/modules/installation/steps/9 | | |
| Whiteboard: | | | |
| Found By: | openQA | Services Priority: | |
| Business Priority: | | Blocker: | Yes |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | y2logs; autoyast profile; autoyast profile with no zone settings; OpenQA Screenshot: 'firewall-offline-cmd --delete-zone=public' failed | | |
Description
Sofia Syrianidou
2023-10-24 10:01:35 UTC
Created attachment 870422 [details]
autoyast profile
Created attachment 870423 [details]
autoyast profile with no zone settings
The attached autoyast profile has zone settings:

  <firewall t="map">
    <default_zone>public</default_zone>
    <enable_firewall t="boolean">true</enable_firewall>
    <log_denied_packets>off</log_denied_packets>
    <start_firewall t="boolean">true</start_firewall>
    <zones t="list">
      <zone t="map">
        <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
        <interfaces t="list">
          <interface>eth0</interface>
        </interfaces>
        <masquerade t="boolean">false</masquerade>
        <name>public</name>
        <ports t="list"/>
        <protocols t="list"/>
        <services t="list">
          <service>dhcpv6-client</service>
        </services>
        <short>Public</short>
        <target>default</target>
      </zone>
    </zones>
  </firewall>

But we see the same failure in tests with autoyast profiles that don't have zone settings at all. Attached you can find such a profile, named autoyast-ext4.xml.
We also see the same error message while saving the NFS configuration with the yast2-nfs-server module. openQA failure: https://openqa.suse.de/tests/12637099#step/yast2_nfs_server/103

The last change in YaST in the firewall-related code is well over one year old, so I have serious doubts if this can possibly be a YaST problem.

https://github.com/yast/yast-yast2/tree/master/library/network/src/lib/y2firewall
https://github.com/yast/yast-yast2/blob/master/library/network/src/modules/firewalld_wrapper.rb
https://github.com/yast/yast-yast2/blob/master/library/network/src/lib/network/firewalld.rb

This command is called from here:
https://github.com/yast/yast-yast2/blob/SLE-15-SP6/library/network/src/lib/y2firewall/firewalld/api/zones.rb#L47-L49

> def delete_zone(zone)
>   modify_command("--delete-zone=#{zone}", permanent: !offline?)
> end

And this is called from only this one place:
https://github.com/yast/yast-yast2/blob/SLE-15-SP6/library/network/src/lib/y2firewall/firewalld/api/zones.rb#L43-L49

> def apply_zones_changes!
>   zones.each do |zone|
>     api.create_zone(zone.name) unless current_zone_names.include?(zone.name)
>     zone.apply_changes! if zone.modified?
>   end
>   current_zone_names.each do |name|
>     api.delete_zone(name) if zones.none? { |z| z.name == name }
>   end
> end

Firewall section from the first attached AutoYaST profile:

> <firewall t="map">
>   <default_zone>public</default_zone>
>   <enable_firewall t="boolean">true</enable_firewall>
>   <log_denied_packets>off</log_denied_packets>
>   <start_firewall t="boolean">true</start_firewall>
>   <zones t="list">
>     <zone t="map">
>       <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
>       <interfaces t="list">
>         <interface>eth0</interface>
>       </interfaces>
>       <masquerade t="boolean">false</masquerade>
>       <name>public</name>
>       <ports t="list"/>
>       <protocols t="list"/>
>       <services t="list">
>         <service>dhcpv6-client</service>
>       </services>
>       <short>Public</short>
>       <target>default</target>
>     </zone>
>   </zones>
> </firewall>

From the second one:

> <firewall>
>   <enable_firewall config:type="boolean">true</enable_firewall>
>   <start_firewall config:type="boolean">true</start_firewall>
> </firewall>

Created attachment 870430 [details]
OpenQA Screenshot: 'firewall-offline-cmd --delete-zone=public' failed

But the 'firewalld' package changed 7 days ago:
https://build.suse.de/package/show/SUSE:SLE-15-SP6:GA/firewalld
https://build.suse.de/package/view_file/SUSE:SLE-15-SP6:GA/firewalld/firewalld.changes?expand=1

> -------------------------------------------------------------------
> Tue Oct 3 08:08:41 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
>
> - update to v2.0.1 (jsc#PED-5597)
>   * fix(cli): all --list-all-zones output identical (d30bc61)
>   * fix(cli): properly show default zone attribute (ea8d9a8)
>   * fix(cli): properly show active attribute for zones and policies (b202403)
>   * fix(cli): --get-active-zones should include the default zone (dae9112)
>   * fix(nftables): always flush main table on start (cd20981)
>   * fix(runtimeToPermanent): deepcopy settings before mangling (9c53639)
>   * docs: fix reference to lockdown-whitelist.xml in SYNOPSIS section (1c77205)
>   * fix(firewall-config): escape markup stored in bindings store (c876fd0)
>   * fix(tests): avoid deprecated assertRaisesRegexp for assertRaisesRegex (2935119)
>   * fix(icmp): fix check_icmpv6_name() to use correct IPv6 names (af3c35b)
>   * fix(ipset): fix configuring IP range for ipsets with nftables (6a050ec)
>   * fix(ipset): fix configuring "timeout","maxelem" values for ipsets with nftables (7d3340c)
>   * fix(core): fix exception while parsing invalid "tcp-mss-clamp" in policy (ff61209)
>   * docs(policy): fix wrong documentation of in man firewalld.policy (21026d9)
>   * Correct Requires, python3-slip-dbus -> python3-dbus-python
>   * This is a major release. The major version is being bumped symbolically
>     to reflect significant changes done in commit f4d2b80 ("fix(policy):
>     disallow zone drifting"). It does not contain any deliberate breaking changes
>   * fix(reload): restore policy for old backend if it changed (de85849)
>   * fix(io): rich: tcp mss: handle value=None (8016f10)
>   * fix(firewall-config): rich: set destination address (f6641a9)
>   * fix(policy): mixed IP families in ingress/egress (69ed4d6)
>
> - removed following patches:
>   [- 0001-chore-fw_zone-call-permanent-config-checks-at-runtim.patch]
>   [- 0003-firewall-offline-cmd-fail-fix.patch]
>   [- 0004-fix_rich_source_address_with_netmask.patch]
>   [- feature-upstream-new-check-config-1.patch]
>   [- feature-upstream-new-check-config-2.patch]
>
> -------------------------------------------------------------------

From y2log:

> 2023-10-24 04:57:00 <1> install(4256) [Ruby] modules/Profile.rb(Import):310
> ...
> "firewall"=>
> {
>   "default_zone"=>"public",
>   "enable_firewall"=>true,
>   "log_denied_packets"=>"off",
>   "start_firewall"=>true,
>   "zones"=>
>   [
>     {
>       "description"=>"For use in public areas...",
>       "interfaces"=>["eth0"],
>       "masquerade"=>false,
>       "name"=>"public",
>       "ports"=>[],
>       "protocols"=>[],
>       "services"=>["dhcpv6-client"],
>       "short"=>"Public",
>       "target"=>"default"
>     }
>   ]
> }
> 2023-10-24 05:02:04 <1> localhost(4256) [Ruby] lib/cheetah.rb(record_commands):160
> Executing "firewall-offline-cmd --get-zones".
> block dmz docker drop external home internal public trusted
> 2023-10-24 05:02:05 <1> localhost(4256) [Ruby] lib/cheetah.rb(record_commands):160
> Executing "firewall-offline-cmd --list-all-zones --verbose".
> block
>   summary: Block
>   description: Unsolicited incoming network packets are rejected...
>   target: %%REJECT%%
>   ingress-priority: 0
>   egress-priority: 0
>   icmp-block-inversion: no
>   interfaces:
>   sources:
>   services:
>   ports:
>   protocols:
>   forward: yes
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>
> dmz
>   summary: DMZ
>   description: For computers in your demilitarized zone...
>   target: default
>   ingress-priority: 0
>   egress-priority: 0
>   icmp-block-inversion: no
>   interfaces:
>   sources:
>   services: ssh
>   ports:
>   protocols:
>   forward: yes
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>
> docker
>   summary: docker
>   description: All network connections are accepted.
>   target: ACCEPT
>   ingress-priority: 0
>   egress-priority: 0
>   icmp-block-inversion: no
>   interfaces: docker0
>   sources:
>   services:
>   ports:
>   protocols:
>   forward: no
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>
> drop
>   summary: Drop
>   description: Unsolicited incoming network packets are dropped...
>   target: DROP
>   ingress-priority: 0
>   egress-priority: 0
>   icmp-block-inversion: no
>   interfaces:
>   sources:
>   services:
>   ports:
>   protocols:
>   forward: yes
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>
> external
>   summary: External
>   description: For use on external networks. You do not trust the other computers...
>   target: default
>   ingress-priority: 0
>   egress-priority: 0
>   icmp-block-inversion: no
>   interfaces:
>   sources:
>   services: ssh
>   ports:
>   protocols:
>   forward: yes
>   masquerade: yes
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>
> home
>   summary: Home
>   description: For use in home areas. You mostly trust the other computers...
>   target: default
>   ingress-priority: 0
>   egress-priority: 0
>   icmp-block-inversion: no
>   interfaces:
>   sources:
>   services: dhcpv6-client mdns samba-client ssh
>   ports:
>   protocols:
>   forward: yes
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>
> internal
>   summary: Internal
>   description: For use on internal networks. You mostly trust the other computers...
>   target: default
>   ingress-priority: 0
>   egress-priority: 0
>   icmp-block-inversion: no
>   interfaces:
>   sources:
>   services: dhcpv6-client mdns samba-client ssh
>   ports:
>   protocols:
>   forward: yes
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>
> public (default)
>   summary: Public
>   description: For use in public areas. You do not trust the other computers...
>   target: default
>   ingress-priority: 0
>   egress-priority: 0
>   icmp-block-inversion: no
>   interfaces:
>   sources:
>   services: dhcpv6-client ssh
>   ports:
>   protocols:
>   forward: yes
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>
> trusted
>   summary: Trusted
>   description: All network connections are accepted.
>   target: ACCEPT
>   ingress-priority: 0
>   egress-priority: 0
>   icmp-block-inversion: no
>   interfaces:
>   sources:
>   services:
>   ports:
>   protocols:
>   forward: yes
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>
> work
>   summary: Work
>   description: For use in work areas. You mostly trust the other computers...
>   target: default
>   ingress-priority: 0
>   egress-priority: 0
>   icmp-block-inversion: no
>   interfaces:
>   sources:
>   services: dhcpv6-client ssh
>   ports:
>   protocols:
>   forward: yes
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
> 2023-10-24 05:02:05 <1> localhost(4256) [Ruby] lib/cheetah.rb(record_commands):160
> Executing "firewall-offline-cmd --get-log-denied".
> Standard output: off
> Status: 0
> .
> 2023-10-24 05:02:05 <1> localhost(4256) [Ruby] lib/cheetah.rb(record_commands):160
> Executing "firewall-offline-cmd --get-default-zone".
> Standard output: public
> Status: 0
> .
> 2023-10-24 05:02:05 <1> localhost(4256) [Ruby] lib/cheetah.rb(record_commands):160
> Executing "firewall-offline-cmd --delete-zone\=public".
> Error output: BUILTIN_ZONE: 'public' is built-in zone
> Status: 23
> .
> 2023-10-24 05:02:06 <3> localhost(4256) [Ruby] yast2/execute.rb(rescue in popup_error):235
> Execution of command "[["firewall-offline-cmd", "--delete-zone=public"]]" failed.
> Exit code: 23
> Error output: BUILTIN_ZONE: 'public' is built-in zone

Sadly, this entire firewall-related code only has one single logging statement: the one that logs the command that is being executed and its output. It does not log anything about its internal status.

I can only assume that this newer version of the firewalld package behaves slightly differently, or that its output changed slightly, which might make the YaST firewall code fail to parse it or something like that.

Knut, please have a look.

(In reply to Stefan Hundhammer from comment #10)
> Sadly, this entire firewall-related code only has one single logging
> statement: The one that logs the command that is being executed and its
> output. It does not log anything about its internal status.
>
> I can only assume that this newer version of the firewalld package behaves
> slightly differently, or that its output changed slightly which might make
> the YaST firewall code fail to parse it or something like that.

That could be the cause of the problem.

>
> Knut, please have a look.

I will do so.

Hm... in comment #9:

  public (default)

On my Leap 15.5:

  sudo firewall-offline-cmd --list-all-zones --verbose
  public

Does it now parse "public (default)" as the name of that zone?

*** Bug 1216536 has been marked as a duplicate of this bug. ***

This bug blocks the majority of openQA virtualization tests for sle15sp6 Build27.1.

The problem persists even if autoyast doesn't have any firewalld settings, or even when the package is not in the <packages>. Not seen in a normal installation, even if it is not an autoyast problem.

It was also happening on openQA Staging: https://openqa.suse.de/tests/12639729#step/yast2_nfs_server/38

I will take care of providing a fix for the parser ASAP.

FWIW, a couple more instances of this issue triggered by an update of firewalld:
https://openqa.opensuse.org/tests/3670600#step/yast2_nfs_server/39
https://openqa.opensuse.org/tests/3670608#step/installation/45

A fix by Knut is on the way: https://github.com/yast/yast-yast2/pull/1294
This will appear in SLE-15-SP6 as yast2-4.6.4.
SR to SLE-15-SP6: https://build.suse.de/request/show/311556
PR for master / Factory: https://github.com/yast/yast-yast2/pull/1295 (yast2-5.0.2)
Please test as soon as it arrives in SLE-15-SP6.

SR to OBS / Factory: https://build.opensuse.org/request/show/1120290

According to the latest test it looks like QA is green again ;)
https://openqa.suse.de/tests/latest?arch=x86_64&distri=sle&flavor=Online&machine=64bit&test=autoyast_create_hdd_gnome&version=15-SP6#

Indeed, the current autoyast failures seem to be related to the disk probing fix not being included in the last builds.

(In reply to Knut Alejandro Anderssen González from comment #23)
> According to the latest test it looks like QA is green again ;)
>
> https://openqa.suse.de/tests/latest?arch=x86_64&distri=sle&flavor=Online&machine=64bit&test=autoyast_create_hdd_gnome&version=15-SP6#

The build is modified to run without firewalld AFAIK. The fix is not in this build. rpm -q --changelog yast2 doesn't have the bug, and the yast2 version is different (4.5.25).

I confirm that the current build 28.1 has the old firewalld version. We re-staged the new version in SP6's Staging Y along with the fixed yast2 package, and it looks like the fix is working: https://openqa.suse.de/tests/12679991#step/yast2_bootloader/9 Thank you very much!

Sorry, I meant to link the test for the other bug; the correct one would be: https://openqa.suse.de/tests/12679990#step/installation/7
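The parsing question the thread raises (whether the reader now takes "public (default)" as the zone name) and the reconciliation quoted from apply_zones_changes! are modelled below in Ruby, YaST's own language. This is an added example written for this page, not code from yast-yast2 or firewalld. The sample `--list-all-zones --verbose` and `--get-zones` output is constructed (trimmed to three zones, with the two-space attribute indentation that firewall-cmd prints and the quoted y2log lost), and the assumption that the old reader matched the whole header line is taken from the question asked in the thread, not from the fix itself. It shows a naive reading producing "public (default)", a corrected reading that splits the name from its flags, and why the mismatch against `--get-zones` ends in `--delete-zone=public`.

```ruby
# Added example, not YaST or firewalld code. firewalld 2.0.x prints the
# default zone's header in `firewall-offline-cmd --list-all-zones --verbose`
# as "public (default)" (at runtime also "public (default, active)"). A reader
# that takes the whole header line as the zone name then no longer matches the
# plain names that `--get-zones` returns, and a reconciliation like the quoted
# apply_zones_changes! schedules `--delete-zone=public`.

# Constructed sample, trimmed to three zones. Attribute lines keep the
# two-space indentation firewall-cmd prints (the quoted y2log lost it).
SAMPLE_LIST_ALL_ZONES = <<~OUT
  block
    summary: Block
    target: %%REJECT%%
    interfaces:
    services:

  public (default)
    summary: Public
    target: default
    interfaces:
    services: dhcpv6-client ssh

  trusted
    summary: Trusted
    target: ACCEPT
    interfaces:
    services:
OUT

# Constructed to mirror `firewall-offline-cmd --get-zones` for the same set.
SAMPLE_GET_ZONES = "block public trusted\n"

# A zone header is a bare name, optionally followed by a parenthesised,
# comma-separated flag list such as "(default)" or "(default, active)".
ZONE_HEADER = /\A(?<name>[A-Za-z0-9_-]+)(?:\s+\((?<flags>[^)]*)\))?\s*\z/

# Naive reading, kept for contrast: every unindented non-empty line is taken
# verbatim as a zone name.
def zone_names_naive(list_all_output)
  list_all_output.each_line.map(&:chomp).reject { |l| l.empty? || l.start_with?(" ") }
end

# Corrected reading: split the header into name and flags and collect the
# indented "key: value" lines under the current zone. Unexpected input raises
# instead of being silently turned into a zone name.
def parse_zones(list_all_output)
  zones = []
  current = nil
  list_all_output.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line.start_with?(" ")
      raise ArgumentError, "attribute before any zone header: #{line.inspect}" unless current
      key, value = line.strip.split(":", 2)
      current[:attrs][key] = value.to_s.strip
    else
      m = ZONE_HEADER.match(line)
      raise ArgumentError, "unexpected zone header: #{line.inspect}" unless m
      flags = m[:flags].to_s.split(",").map(&:strip).reject(&:empty?)
      current = { name: m[:name], default: flags.include?("default"),
                  active: flags.include?("active"), attrs: {} }
      zones << current
    end
  end
  zones
end

def zone_names(list_all_output)
  parse_zones(list_all_output).map { |z| z[:name] }
end

# The reconciliation step from the quoted apply_zones_changes!: every name
# reported by --get-zones with no matching parsed zone would be deleted.
def zones_to_delete(get_zones_output, parsed_names)
  get_zones_output.split - parsed_names
end

if __FILE__ == $PROGRAM_NAME
  naive = zones_to_delete(SAMPLE_GET_ZONES, zone_names_naive(SAMPLE_LIST_ALL_ZONES))
  fixed = zones_to_delete(SAMPLE_GET_ZONES, zone_names(SAMPLE_LIST_ALL_ZONES))
  puts "naive reader would delete: #{naive.inspect}"
  puts "fixed reader would delete: #{fixed.inspect}"
end
```

Run it with ruby: the naive path reports that "public" would be deleted, the corrected path reports nothing. The point for a practitioner is that a configuration manager which mis-parses its backend's listing can go on to issue deletes against live firewall zones. Here the failure was loud only because firewall-offline-cmd refuses to remove a built-in zone (exit status 23, BUILTIN_ZONE), which is why parse_zones raises on a header it does not recognise rather than accepting it as a name.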