[Bug 1043446] New: AutoYaST does not open ssh port in SuSEfirewall2 on first boot
http://bugzilla.suse.com/show_bug.cgi?id=1043446

            Bug ID: 1043446
           Summary: AutoYaST does not open ssh port in SuSEfirewall2 on first boot
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 42.3
          Hardware: x86-64
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Installation
          Assignee: yast2-maintainers@suse.de
          Reporter: jmader2@gmu.edu
        QA Contact: jsrain@suse.com
          Found By: ---
           Blocker: ---

autoinst.xml,

  <firewall>
    <FW_CONFIGURATIONS_EXT>sshd avahi</FW_CONFIGURATIONS_EXT>
    <enable_firewall config:type="boolean">true</enable_firewall>
    <start_firewall config:type="boolean">true</start_firewall>
  </firewall>
  <services-manager>
    <services>
      <enable config:type="list">
        <service>sshd</service>
      </enable>
    </services>
  </services-manager>

this is not the case in Leap 42.3-Build0270: on first boot, traffic to 22/tcp is dropped.

  Jun 08 13:06:21 linux kernel: SFW2-INext-DROP-DEFLT IN=em1 OUT= ... LEN=84 TC=0 HOPLIMIT=64 FLOWLBL=929175 PROTO=TCP SPT=58096 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405A0010303050101080A2553A0F0000000000402000

Note, the installation summary screen in 42.3 continues to erroneously show that the ssh port will be blocked and the ssh service will be disabled, just like it does in 42.2, but in 42.2 ssh is open and enabled on first boot after installation.

If the service SuSEfirewall2 is stopped then started, the correct entries will be added to the chain:

  Chain input_ext (1 references)
  ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
  ACCEPT     udp  --  anywhere             anywhere             udp dpt:mdns

but they are missing after first boot.

--
You are receiving this mail because:
You are on the CC list for the bug.
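An added post-first-boot check, written for this thread and not part of the bug report or of YaST, that turns the two observations above into code: it parses SFW2 kernel log lines for dropped TCP packets to port 22 and inspects an `iptables -L input_ext` listing for the ACCEPT rule on the ssh port. The journal lines and chain listing are constructed samples that mirror the report; feed it `journalctl -k` and `iptables -L input_ext` output on a real system.

```python
import re

# Constructed sample journal lines in SuSEfirewall2's kernel LOG format;
# the first mirrors the drop shown in the report, the second is an accept.
SAMPLE_JOURNAL = """\
Jun 08 13:06:21 linux kernel: SFW2-INext-DROP-DEFLT IN=em1 OUT= LEN=84 PROTO=TCP SPT=58096 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 08 13:06:22 linux kernel: SFW2-INext-ACC-TCP IN=em1 OUT= LEN=60 PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Constructed `iptables -L input_ext` listing as it looks after the
# firewall restart described in the report (ssh rule present).
CHAIN_AFTER_RESTART = """\
Chain input_ext (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:mdns
"""

SFW2_RE = re.compile(r"kernel: (SFW2-\S+)\s+(.*)$")

def parse_sfw2_line(line):
    """Split one SFW2 log line into its prefix and KEY=VALUE fields;
    returns None for kernel lines that are not firewall logs."""
    m = SFW2_RE.search(line)
    if not m:
        return None
    fields = {"prefix": m.group(1)}
    for token in m.group(2).split():
        key, sep, value = token.partition("=")
        if sep:  # bare flags such as SYN carry no '=' and are skipped
            fields[key] = value
    return fields

def ssh_drops(journal_text, port="22"):
    """Return the parsed DROP entries for TCP traffic to the given port."""
    return [f for f in map(parse_sfw2_line, journal_text.splitlines())
            if f and "DROP" in f["prefix"]
            and f.get("PROTO") == "TCP" and f.get("DPT") == port]

def ssh_accepted(chain_listing, port_names=("ssh", "22")):
    """True if the input_ext chain holds an ACCEPT rule for tcp dpt:ssh."""
    in_chain = False
    for line in chain_listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.startswith("Chain input_ext")
            continue
        if in_chain and line.startswith("ACCEPT") and " tcp " in line:
            m = re.search(r"dpt:(\S+)", line)
            if m and m.group(1) in port_names:
                return True
    return False
```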
http://bugzilla.suse.com/show_bug.cgi?id=1043446#c1

Michal Filka <mfilka@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jmader2@gmu.edu,
                   |                            |mfilka@suse.com
              Flags|                            |needinfo?(jmader2@gmu.edu)

--- Comment #1 from Michal Filka <mfilka@suse.com> ---
Thanks for the report. Could you please attach yast2 logs which cover the first boot issue? Please see https://en.opensuse.org/openSUSE:Report_a_YaST_bug
Michal Filka <mfilka@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|yast2-maintainers@suse.de   |yast-internal@suse.de
http://bugzilla.suse.com/show_bug.cgi?id=1043446#c2

Jason Mader <jmader2@gmu.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(jmader2@gmu.edu)  |

--- Comment #2 from Jason Mader <jmader2@gmu.edu> ---
Created attachment 728673
  --> http://bugzilla.suse.com/attachment.cgi?id=728673&action=edit
YaST2 logs
http://bugzilla.suse.com/show_bug.cgi?id=1043446#c3

--- Comment #3 from Lukas Ocilka <locilka@suse.com> ---
Wild guess: you need to really open an ssh port in the firewall instead of using those special flags that are there just for the manual installer. These two flags are coming from the control file, not from the AutoYaST profile. Try cloning the Firewall configuration on your system and you will see.
http://bugzilla.suse.com/show_bug.cgi?id=1043446#c4

--- Comment #4 from Jason Mader <jmader2@gmu.edu> ---
(In reply to Lukas Ocilka from comment #3)
> Wild guess: you need to really open an ssh port in the firewall instead of
> using those special flags that are there just for the manual installer.
> These two flags are coming from the control file, not from the AutoYaST
> profile. Try cloning the Firewall configuration on your system and you
> will see.

I have just cloned the firewall config, but it's the same as my autoyast config. I don't know what you mean by special flags. I am reporting that only after the first boot of the autoyast configuration does SuSEfirewall2 in Leap 42.3 still have 22/tcp closed. The configuration is set, because a restart of SuSEfirewall2 has the correct configuration.
http://bugzilla.suse.com/show_bug.cgi?id=1043446#c5

--- Comment #5 from Lukas Ocilka <locilka@suse.com> ---
I've found this in the log:

  network/susefirewall2.rb:1631 Do not touch firewall services during installation
  modules/Lan.rb:985 Attempting to reload network service, normal stage false, ssh: false

I've discussed this with our networking expert and the reason is that we don't want users to shoot themselves in their legs (we do not restart the firewall during installation).

On the other hand, from the logs it seems that the firewall is actually only enabled, but is not running at the end of installation. See, for instance, this:

  clients/inst_autoconfigure.rb:314 restarting services "["avahi-daemon.service", "colord.service", "cron.service", "cups.service", "haveged.service", "irqbalance.service", "mcelog.service", "ntpd.service", "smartd.service", "sshd.service", "sssd.service", "systemd-journald.service", "systemd-logind.service", "systemd-udevd.service", "unbound.service"]"

There's no firewall.

So, as a hotfix, I'd propose you add

  <service>SuSEfirewall2</service>

into the <services> section. That might or might not help...
http://bugzilla.suse.com/show_bug.cgi?id=1043446#c6

--- Comment #6 from Jason Mader <jmader2@gmu.edu> ---
(In reply to Lukas Ocilka from comment #5)
> So, as a hotfix, I'd propose you add
>   <service>SuSEfirewall2</service>
> into the <services> section. That might or might not help...

It does not help in Build0277.
http://bugzilla.suse.com/show_bug.cgi?id=1043446#c16

Jason Mader <jmader2@gmu.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(jmader2@gmu.edu)  |

--- Comment #16 from Jason Mader <jmader2@gmu.edu> ---
Well, SuSEfirewall2 isn't used in Leap 15.0 and the new firewall opens the ssh port as needed. I suppose this can be closed.
http://bugzilla.suse.com/show_bug.cgi?id=1043446#c17

Knut Alejandro Anderssen González <knut.anderssen@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
              Flags|needinfo?(mfilka@suse.com), |
                   |needinfo?(knut.anderssen@su |
                   |se.com)                     |

--- Comment #17 from Knut Alejandro Anderssen González <knut.anderssen@suse.com> ---
(In reply to Jason Mader from comment #16)
> Well, SuSEfirewall2 isn't used in Leap 15.0 and the new firewall opens the
> ssh port as needed. I suppose this can be closed.

Although it is not present in Leap 15.0, this bug was fixed as a consequence of a duplicate one in SLE (bsc#1080630), so it should be already fixed by these packages:

  openSUSE Leap 42.3 (src): yast2-3.2.45-2.6.1, yast2-network-3.2.51-9.1

The fix was added and described in this PR: https://github.com/yast/yast-network/pull/608