Bug 1200248 - firewalld not in YaST yet needed to enable firewall in the installer [MicroOS]
firewalld not in YaST yet needed to enable firewall in the installer [MicroOS]
Status: CONFIRMED
: 1200741 (view as bug list)
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: YaST2
Current
x86 openSUSE Tumbleweed
: P5 - None : Minor (vote)
: ---
Assigned To: YaST Team
Jiri Srain
https://trello.com/c/dpNHXKsH/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-06-06 11:29 UTC by Marcel Peters
Modified: 2022-06-21 14:11 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcel Peters 2022-06-06 11:29:12 UTC
When trying to enable the firewall in the installer it throws an error 'firewalld needs to be installed'. However, there is no firewalld in the repo coming with the ISO.
Comment 1 Imobach Gonzalez Sosa 2022-06-06 13:59:35 UTC
Hi Marcel,

Which installation media are you using? I am trying openSUSE-MicroOS-DVD-x86_64-Snapshot20220414-Media.iso and it seems to work.

Which options have you selected? Would it be possible to attach logs?
Comment 2 Marcel Peters 2022-06-06 14:02:04 UTC
Hi Imobach,

I used the latest snapshot (June 4th)
I installed it without firewall enabled and didn’t keep any logs.
Comment 3 Imobach Gonzalez Sosa 2022-06-06 14:26:58 UTC
OK, it looks like I tried the wrong version. I will check it again.
Comment 4 Imobach Gonzalez Sosa 2022-06-06 15:41:57 UTC
Hi,

I can confirm the issue in the latest snapshot (June 5th). Once you enable the firewall, you get the following message in the "Software" section:

"""
These packages need to be selected to install: firewalld
Please manually select the needed items to install.
"""

And I can confirm that the package is missing (only keyline-firewalld, but the firewalld itself is missing).
Comment 5 Marcel Peters 2022-06-06 16:11:16 UTC
Great!
Can I somehow help to get it fixed for the next Snapshot?

Cheers!
Comment 6 Imobach Gonzalez Sosa 2022-06-07 10:17:50 UTC
Hi Marcel,

You already did it by reporting the issue. Thanks :-)

Regards,
Imo
Comment 7 Imobach Gonzalez Sosa 2022-06-08 07:58:03 UTC
Hi Richard,

Do you know why the firewalld package is missing?

Thanks in advance!

Regards,
Imo
Comment 8 Richard Brown 2022-06-09 11:15:16 UTC
(In reply to Imobach Gonzalez Sosa from comment #7)
> Hi Richard,
> 
> Do you know why the firewalld package is missing?
> 
> Thanks in advance!
> 
> Regards,
> Imo

IT's not missing..it was never there and was never meant to be there

MicroOS does not support customising the firewall
Comment 9 Marcel Peters 2022-06-09 12:03:12 UTC
(In reply to Richard Brown from comment #8)
> (In reply to Imobach Gonzalez Sosa from comment #7)
> > Hi Richard,
> > 
> > Do you know why the firewalld package is missing?
> > 
> > Thanks in advance!
> > 
> > Regards,
> > Imo
> 
> IT's not missing..it was never there and was never meant to be there
> 
> MicroOS does not support customising the firewall

Hey Richard Brown,

So how should we deal with the option to enable the fw if it throws an error?
You are saying the package should not be there but the option depends on it. Perhaps remove the option for now or should we think about another firewall to handle this?

Cheers
Comment 10 Richard Brown 2022-06-09 12:22:07 UTC
(In reply to Marcel Peters from comment #9)
> (In reply to Richard Brown from comment #8)
> > (In reply to Imobach Gonzalez Sosa from comment #7)
> > > Hi Richard,
> > > 
> > > Do you know why the firewalld package is missing?
> > > 
> > > Thanks in advance!
> > > 
> > > Regards,
> > > Imo
> > 
> > IT's not missing..it was never there and was never meant to be there
> > 
> > MicroOS does not support customising the firewall
> 
> Hey Richard Brown,
> 
> So how should we deal with the option to enable the fw if it throws an error?
> You are saying the package should not be there but the option depends on it.
> Perhaps remove the option for now or should we think about another firewall
> to handle this?
> 
> Cheers

I'm saying the option shouldn't be there.

MicroOS doesn't support having a firewall

As a single purpose operating system, running often as a containerhost, the systems IPtables are best managed by the container runtime, not an additional external daemon.
Comment 11 Marcel Peters 2022-06-09 12:23:31 UTC
Yet the installer still does offer it.
I assume this should not be in the installer then?
Comment 12 Richard Brown 2022-06-09 12:24:11 UTC
(In reply to Marcel Peters from comment #11)
> Yet the installer still does offer it.
> I assume this should not be in the installer then?

that would be how I would characterise this bug, yes
Comment 13 Marcel Peters 2022-06-09 12:25:15 UTC
@Imo, can I help here somehow?
Comment 14 Imobach Gonzalez Sosa 2022-06-10 11:38:34 UTC
@Richard OK, it makes sense. Thanks for your explanation. Then we need to offer a way to remove that setting from the installer (we can remove it from the networking proposal via a control.xml option, but not from the security section).

@Marcel I am moving the bug to our queue to plan for it. Thanks a lot for reporting the problem!
Comment 15 Richard Brown 2022-06-21 11:28:46 UTC
*** Bug 1200741 has been marked as a duplicate of this bug. ***
Comment 16 Fabian Vogt 2022-06-21 14:11:55 UTC
IMO having a firewall is totally fine for MicroOS, also especially in the desktop use case. It should be part of the OS and not of the "application side" IMO.

So I propose https://build.opensuse.org/request/show/984199.