[Bug 1118044] New: After upgrade of Tumbleweed 20180310 -> 20181129 the firewall (SuSEfirewall2) prevents ssh login
http://bugzilla.suse.com/show_bug.cgi?id=1118044

Bug ID: 1118044
Summary: After upgrade of Tumbleweed 20180310 -> 20181129 the firewall (SuSEfirewall2) prevents ssh login
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Upgrade Problems
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: okurz@suse.com
QA Contact: jsrain@suse.com
Found By: ---
Blocker: ---

## Observation

In an older installation of openSUSE Tumbleweed the firewall is still "SuSEfirewall2". After upgrading the system to a more recent version the firewall does not have proper rules for ssh login which was previously working and configured accordingly. `SuSEfirewall2 start` shows the following errors:

```
<38>Dec 1 19:02:10 SuSEfirewall2[7081]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
<38>Dec 1 19:02:10 SuSEfirewall2[7081]: using default zone 'ext' for interface ens3
/usr/bin/stat: cannot stat '/etc/sysconfig/SuSEfirewall2.d/services/sshd': No such file or directory
Cannot stat file /etc/sysconfig/SuSEfirewall2.d/services/sshd to be sourced
/usr/bin/stat: cannot stat '/usr/share/SuSEfirewall2/services/sshd': No such file or directory
Cannot stat file /usr/share/SuSEfirewall2/services/sshd to be sourced
<36>Dec 1 19:02:10 SuSEfirewall2[7081]: Warning: config 'sshd' not available
<38>Dec 1 19:02:11 SuSEfirewall2[7081]: Firewall rules successfully set
```

## Problem

I assume that more definition files were removed over time but the firewall is still the old one.

## Workaround

I guess disabling that firewall and selecting firewalld will work but needs to be configured without being able to migrate easily in this state.

--
You are receiving this mail because:
You are on the CC list for the bug.
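The warning in the log above appears when a service name is still enabled in the firewall configuration while its definition file is gone from both directories SuSEfirewall2 searches. As an added example (not part of the bug report and not SuSEfirewall2 code), the following check lists such names so the gap can be seen before the firewall is restarted; it assumes services are enabled through single-line `FW_CONFIGURATIONS_<ZONE>` settings in `/etc/sysconfig/SuSEfirewall2`, and the function names are made up here.

```shell
#!/bin/sh
# Added example (not SuSEfirewall2 code): list services the firewall config
# enables although no definition file for them is installed any more.

# Print the service names from FW_CONFIGURATIONS_<ZONE>=... lines.
# The file is parsed with grep/sed rather than sourced, so nothing in it runs.
configured_services() {
    grep -E '^[[:space:]]*FW_CONFIGURATIONS_[A-Z]+=' "$1" |
        sed -e 's/^[^=]*=//' -e 's/#.*$//' |
        tr -d "\"'" | tr -s ' \t' '\n\n' | sed '/^$/d' | sort -u
}

# Usage: missing_services CONFIG DIR...
# Prints each configured service with no file in any DIR; returns 1 if any.
missing_services() {
    ms_config=$1; shift
    ms_status=0
    for ms_svc in $(configured_services "$ms_config"); do
        ms_found=0
        for ms_dir in "$@"; do
            if [ -f "$ms_dir/$ms_svc" ]; then ms_found=1; fi
        done
        if [ "$ms_found" -eq 0 ]; then
            echo "$ms_svc"
            ms_status=1
        fi
    done
    return "$ms_status"
}

# Constructed sample: sshd is enabled for the external zone, but only the
# apache2 definition file is left ("etc" and "usr" stand in for the two dirs).
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/etc" "$d/usr"
    printf '%s\n' 'FW_CONFIGURATIONS_EXT="sshd apache2"' \
        '#FW_CONFIGURATIONS_DMZ="nfs-kernel-server"' \
        'FW_CONFIGURATIONS_INT=""' > "$d/SuSEfirewall2"
    : > "$d/usr/apache2"
    missing_services "$d/SuSEfirewall2" "$d/etc" "$d/usr" && demo_rc=0 || demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}

demo || true   # prints: sshd
# On a real system (paths taken from the log in the report):
#   missing_services /etc/sysconfig/SuSEfirewall2 \
#       /etc/sysconfig/SuSEfirewall2.d/services /usr/share/SuSEfirewall2/services
```

A non-zero return with a name such as `sshd` in the output means the corresponding port will not be opened the next time the rules are loaded.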
Chenzi Cao
http://bugzilla.suse.com/show_bug.cgi?id=1118044#c1
--- Comment #1 from Matthias Gerstner
From the side of SuSEfirewall2 there is little I can do. The service definitions are provided by the other packages and there are no hard coded ones found in there.
You could either ask the openssh maintainers to keep this service file packaged a while longer for reasons of backwards compatibility. Or SuSEfirewall2 could take over ownership of this file. But this creates other troubles like a possible conflict between SuSEfirewall2 and openssh. Or do you see any other approaches to fix this?
http://bugzilla.suse.com/show_bug.cgi?id=1118044#c2
--- Comment #2 from Oliver Kurz
> Or do you see any other approaches to fix this?
Yes, in my limited understanding I assume that inter-package version-specific dependencies should be able to solve it. SuSEfirewall2 and openssh as packages do have some inter-dependencies which should be encoded accordingly. In this case I assume that SuSEfirewall2 would require an older version of openssh and would cause a conflict or recommend to uninstall SuSEfirewall2 on upgrade. Then also SuSEfirewall2 should not just be silently uninstalled but some "openSUSE" pattern or so would require "any firewall" or at least "recommend" it and firewalld would provide that "firewall" capability with according user information if no automatic migration can be provided. We cannot go on endlessly having SuSEfirewall2 installed on older openSUSE Tumbleweed installations. If some obvious error would be presented to the admin that an upgrade cannot be conducted until SuSEfirewall2 is removed that sounds safer.
http://bugzilla.suse.com/show_bug.cgi?id=1118044#c3
--- Comment #3 from Matthias Gerstner
http://bugzilla.suse.com/show_bug.cgi?id=1118044#c4
Matthias Gerstner
http://bugzilla.suse.com/show_bug.cgi?id=1118044#c5
Vítězslav Čížek
> Adding the openssh maintainer. Could you reinstate the SuSEfirewall2 service for openssh to keep it working? Otherwise I could add it to the SuSEfirewall2 package but that would complicate things from the packaging side.
We can do that. Pedro, could you please take care of putting the SuSEfirewall2 service back to Factory openssh?
http://bugzilla.suse.com/show_bug.cgi?id=1118044#c6
Vítězslav Čížek
Pedro Monreal Gonzalez
Pedro Monreal Gonzalez