[Bug 809119] New: ssh installation blocked by SuSEFirewall service
https://bugzilla.novell.com/show_bug.cgi?id=809119

https://bugzilla.novell.com/show_bug.cgi?id=809119#c0

           Summary: ssh installation blocked by SuSEFirewall service
    Classification: openSUSE
           Product: openSUSE 12.3
           Version: Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Installation
        AssignedTo: fcrozat@suse.com
        ReportedBy: jsuchome@suse.com
         QAContact: jsrain@suse.com
                CC: mfilka@suse.com
          Found By: Development
           Blocker: ---

During 2nd stage of ssh installation, YaST is blocked apparently by some problems with SuSEFirewall. I think we've met this already in Betas/RCs, but maybe the problem was not solved for special case of ssh installation.

Last line in y2log says:

2013-03-13 11:17:54 <1> linux-xfmo(16885) [YCP] Service.ycp:355 Running service initscript SuSEfirewall2 start

ps aux | grep systemctl
root 21635 0.0 0.1 24696 1092 pts/0 S+ 11:17 0:00 /bin/systemctl start SuSEfirewall2.service
-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=809119#c1

--- Comment #1 from Frederic Crozat <fcrozat@suse.com> 2013-03-13 10:48:30 UTC ---

can you check for the environment of the systemctl PID? Does it have SYSTEMCTL_OPTIONS=--ignore-dependencies?

I removed on purpose SuSEfirewall2.service activation before YaST2-Second-Stage (ExecStartPre=-/bin/systemctl stop SuSEfirewall2.service) because it was causing a deadlock and only one activation of SuSEfirewall2.service needed to be done, once network.service is up and running.

I'm guessing we have either a new deadlock or a service is waiting for another service.

debug output from systemd would be useful
http://freedesktop.org/wiki/Software/systemd/Debugging
https://bugzilla.novell.com/show_bug.cgi?id=809119#c2

--- Comment #2 from Jiří Suchomel <jsuchome@suse.com> 2013-03-13 11:38:22 UTC ---

OK, few tries. How can I know about SYSTEMCTL_OPTIONS? It is not among environment variables, if that was the question.

systemctl list-jobs
 JOB UNIT                      TYPE  STATE
   1 multi-user.target         start waiting
  53 YaST2-Se...-Stage.service start running
  56 systemd-...ead-done.timer start waiting
  57 YaST2-Firstboot.service   start waiting
  58 systemd-...nlevel.service start waiting
  60 SuSEfire...2_init.service start waiting
  88 getty.target              start waiting
  89 getty@tty1.service        start waiting
 103 SuSEfirewall2.service     start waiting

9 jobs listed.

linux-xfmo:~ # dmesg | grep systemd
[ 1.819035] systemd-udevd[94]: starting version 195
[ 4.987240] systemd[1]: systemd 195 running in system mode. (+PAM +LIBWRAP +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ; suse)
[ 4.987473] systemd[1]: Detected virtualization 'oracle'.
[ 5.242554] systemd[1]: Inserted module 'autofs4'
[ 5.258985] systemd[1]: Set hostname to <linux.site>.
[ 5.908160] systemd[1]: Starting Forward Password Requests to Wall Directory Watch.
[ 5.908333] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[ 5.908372] systemd[1]: Starting Syslog Socket.
[ 5.908681] systemd[1]: Listening on Syslog Socket.
[ 5.908693] systemd[1]: Starting Remote File Systems.
[ 5.908930] systemd[1]: Reached target Remote File Systems.
[ 5.908945] systemd[1]: Started Collect Read-Ahead Data.
[ 5.908953] systemd[1]: Started Replay Read-Ahead Data.
[ 5.908985] systemd[1]: Starting /dev/initctl Compatibility Named Pipe.
[ 5.909394] systemd[1]: Listening on /dev/initctl Compatibility Named Pipe.
[ 5.909405] systemd[1]: Starting Delayed Shutdown Socket.
[ 5.909678] systemd[1]: Listening on Delayed Shutdown Socket.
[ 5.909706] systemd[1]: Starting Encrypted Volumes.
[ 5.909981] systemd[1]: Reached target Encrypted Volumes.
[ 5.910202] systemd[1]: Starting udev Kernel Socket.
[ 5.910455] systemd[1]: Listening on udev Kernel Socket.
[ 5.910591] systemd[1]: Starting udev Control Socket.
[ 5.910978] systemd[1]: Listening on udev Control Socket.
[ 5.911023] systemd[1]: Starting Arbitrary Executable File Formats File System Automount Point.
[ 5.911571] systemd[1]: Set up automount Arbitrary Executable File Formats File System Automount Point.
[ 5.911583] systemd[1]: Expecting device dev-disk-by\x2did-ata\x2dVBOX_HARDDISK_VB3bd73e29\x2d014feeb8\x2dpart1.device...
[ 5.911745] systemd[1]: Starting Journal Socket.
[ 5.912104] systemd[1]: Listening on Journal Socket.
[ 5.928100] systemd[1]: Starting Load Kernel Modules...
[ 5.937887] systemd[1]: Starting Setup Virtual Console...
[ 5.946216] systemd[1]: Mounting POSIX Message Queue File System...
[ 5.973137] systemd[1]: Started Set Up Additional Binary Formats.
[ 5.973298] systemd[1]: Mounting Huge Pages File System...
[ 5.979613] systemd[1]: Starting Create dynamic rule for /dev/root link...
[ 5.990823] systemd[1]: Starting Journal Service...
[ 5.999782] systemd[1]: Started Journal Service.
[ 6.002425] systemd[1]: Starting LSB: Set default boot entry if called...
[ 6.010511] systemd[1]: Started File System Check on Root Device.
[ 6.010570] systemd[1]: Starting Remount Root and Kernel File Systems...
[ 6.025496] systemd[1]: Started Load Kernel Modules.
[ 6.156696] systemd[1]: Starting Apply Kernel Variables...
[ 6.162704] systemd[1]: Mounted FUSE Control File System.
[ 6.162823] systemd[1]: Mounted Configuration File System.
[ 7.463253] systemd-journald[210]: Received SIGUSR1
[ 8.221902] systemd-udevd[261]: starting version 195

# systemctl status SuSEfirewall2.service
SuSEfirewall2.service - SuSEfirewall2 phase 2
          Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled)
          Active: inactive (dead)
          CGroup: name=systemd:/system/SuSEfirewall2.service

Mar 13 11:11:33 linux.site systemd[1]: Stopped SuSEfirewall2 phase 2.
https://bugzilla.novell.com/show_bug.cgi?id=809119#c3

--- Comment #3 from Jiří Suchomel <jsuchome@suse.com> 2013-03-13 11:39:33 UTC ---

Created an attachment (id=529509)
 --> (http://bugzilla.novell.com/attachment.cgi?id=529509)
systemctl dump
https://bugzilla.novell.com/show_bug.cgi?id=809119#c4

--- Comment #4 from Jiří Suchomel <jsuchome@suse.com> 2013-03-13 12:02:44 UTC ---

Created an attachment (id=529516)
 --> (http://bugzilla.novell.com/attachment.cgi?id=529516)
/proc/21635/environ
https://bugzilla.novell.com/show_bug.cgi?id=809119#c5

--- Comment #5 from Jiří Suchomel <jsuchome@suse.com> 2013-03-13 12:11:35 UTC ---

# systemctl status YaST2-Second-Stage.service
YaST2-Second-Stage.service - YaST2 Second Stage
          Loaded: loaded (/usr/lib/systemd/system/YaST2-Second-Stage.service; enabled)
          Active: activating (start) since Wed, 2013-03-13 11:11:32 CET; 1h 59min ago
         Process: 350 ExecStartPre=/usr/bin/plymouth --hide-splash (code=exited, status=1/FAILURE)
         Process: 325 ExecStartPre=/bin/systemctl stop SuSEfirewall2.service (code=exited, status=0/SUCCESS)
        Main PID: 356 (YaST2.Second-St)
          CGroup: name=systemd:/system/YaST2-Second-Stage.service
                  ├ 356 /bin/sh /usr/lib/YaST2/startup/YaST2.Second-Stage
                  ├ 1578 bash
                  └ 32712 sleep 3

Mar 13 11:11:52 linux.site rcnetwork[1615]: redirecting to "systemctl --ignore-dependencies start network.service"
https://bugzilla.novell.com/show_bug.cgi?id=809119#c6

Frederic Crozat <fcrozat@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fcrozat@suse.com
         AssignedTo|fcrozat@suse.com            |bnc-team-screening@forge.provo.novell.com

--- Comment #6 from Frederic Crozat <fcrozat@suse.com> 2013-03-22 16:27:43 UTC ---

I can reproduce.

The error is caused by variables which are set in Yast2-Second-Stage.service not being used when yast.ssh is started by user. Therefore, SYSTEMCTL_OPTIONS="--ignore-dependencies" isn't set, causing the block.

Running "SYSTEMCTL_OPTIONS=--ignore-dependencies yast.ssh" works fine.

So, it would be better for Second-Stage Yast "yast.ssh" to set it, if needed.

Of course, for Factory, we really want to drop all this stuff and have the second-stage working without any kludge.
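Added example, not part of the original thread: one way to answer the question from comments #1 and #2, by checking whether a process environment (the NUL-separated format of /proc/<pid>/environ) carries SYSTEMCTL_OPTIONS=--ignore-dependencies. The function names and the sample environ files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug thread). /proc/<pid>/environ holds
# NAME=value records separated by NUL bytes, so a plain grep or cat is
# hard to read. These helpers split the records and look up one variable.
# Limitation: a value that itself contains a newline would be split.

# env_value FILE NAME: print the value of NAME; exit status 1 if absent.
env_value() {
    tr '\0' '\n' < "$1" | awk -v name="$2" '
        index($0, name "=") == 1 {
            print substr($0, length(name) + 2)
            found = 1
            exit
        }
        END { exit !found }'
}

# has_ignore_deps FILE: status 0 if SYSTEMCTL_OPTIONS is set and one of
# its space-separated words is --ignore-dependencies.
has_ignore_deps() {
    opts=$(env_value "$1" SYSTEMCTL_OPTIONS) || return 1
    case " $opts " in
        *" --ignore-dependencies "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_environ FILE: print "set", "other" (variable present without the
# option) or "missing" (variable not in the environment at all).
check_environ() {
    if has_ignore_deps "$1"; then
        echo "set"
    elif env_value "$1" SYSTEMCTL_OPTIONS >/dev/null; then
        echo "other"
    else
        echo "missing"
    fi
}

# Constructed sample data standing in for two environ files: a process
# started from a unit that sets the variable, and one started from a
# plain ssh login shell, as described in comment #6.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'HOME=/root\0TERM=xterm\0SYSTEMCTL_OPTIONS=--ignore-dependencies\0' \
    > "$demo_dir/with"
printf 'HOME=/root\0TERM=xterm\0' > "$demo_dir/without"

echo "started by service unit: $(check_environ "$demo_dir/with")"
echo "started from ssh login:  $(check_environ "$demo_dir/without")"

# On a live system the argument would be the stuck process, e.g. the
# systemctl PID from the original report: check_environ /proc/21635/environ
```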
https://bugzilla.novell.com/show_bug.cgi?id=809119#c

FeiXiang Zhang <fxzhang@suse.com> changed:

           What    |Removed                                  |Added
----------------------------------------------------------------------------
                 CC|                                         |fxzhang@suse.com
         AssignedTo|bnc-team-screening@forge.provo.novell.com|fcrozat@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=809119#c7

Jiří Suchomel <jsuchome@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aschnell@suse.com

--- Comment #7 from Jiří Suchomel <jsuchome@suse.com> 2013-03-25 07:51:57 UTC ---

(In reply to comment #6)
> So, it would be better for Second-Stage Yast "yast.ssh" to set it, if needed.

So, this would be set in yast2-installation, probably directly in YaST2.ssh. Shame it was found so late, now even online update won't fix 12.3 installations... :-(

> Of course, for Factory, we really want to drop all this stuff and have the second-stage working without any kludge.

So do you have any clean solution in mind?
https://bugzilla.novell.com/show_bug.cgi?id=809119#c8

Jiří Suchomel <jsuchome@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |coolo@suse.com

--- Comment #8 from Jiří Suchomel <jsuchome@suse.com> 2013-03-25 07:53:29 UTC ---

(In reply to comment #7)
> Shame it was found so late, now even online update won't fix 12.3 installations... :-(

Although, releasing updated yast2-installation could help users who are using updated 12.3 repositories from start of installation.

Coolo, does it make sense? Is there such group of users that would benefit from it?
https://bugzilla.novell.com/show_bug.cgi?id=809119#c9

Stephan Kulow <coolo@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
                 CC|                            |coolo@suse.com
       InfoProvider|coolo@suse.com              |

--- Comment #9 from Stephan Kulow <coolo@suse.com> 2013-03-25 09:27:58 CET ---

only dud makes sense IMO.
https://bugzilla.novell.com/show_bug.cgi?id=809119#c10

Jiří Suchomel <jsuchome@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jsuchome@suse.com

--- Comment #10 from Jiří Suchomel <jsuchome@suse.com> 2013-03-25 08:59:17 UTC ---

So it looks like we have to document workaround for current (12.3) behavior and find a proper fix for next release/Factory.

I'll add an entry to Most Annoying Bugs.

Frederic, the proper fix part is likely for you.
https://bugzilla.novell.com/show_bug.cgi?id=809119#c11

--- Comment #11 from Jiří Suchomel <jsuchome@suse.com> 2013-03-25 09:09:17 UTC ---

(In reply to comment #10)
> So it looks like we have to document workaround for current (12.3) behavior and find a proper fix for next release/Factory.
>
> I'll add an entry to Most Annoying Bugs.

https://en.opensuse.org/openSUSE:Most_annoying_bugs_12.3
https://bugzilla.novell.com/show_bug.cgi?id=809119#c12

--- Comment #12 from Frederic Crozat <fcrozat@suse.com> 2013-03-25 09:36:25 UTC ---

(In reply to comment #9)
> only dud makes sense IMO.

since yast.ssh needs to be started "manually" by user for second stage, there is little point in creating a DUD vs just telling user to call "SYSTEMCTL_OPTIONS=--ignore-dependencies yast.ssh".

I still think we should push a fix for yast.ssh for 12.3 (I think many people using ssh installation are also using "expert" mode which will install updates before rebooting for second stage). This is for a "yast" expert to fix, not me :)

(In reply to comment #7)
> (In reply to comment #6)
> > Of course, for Factory, we really want to drop all this stuff and have the second-stage working without any kludge.
>
> So do you have any clean solution in mind?

Yes, I already proposed one in bnc#800365 but yast-2nd-stage must be fixed first to ensure it behaves correctly when some services like network are started before it.
https://bugzilla.novell.com/show_bug.cgi?id=809119#c13

--- Comment #13 from Jiří Suchomel <jsuchome@suse.com> 2013-03-25 09:48:43 UTC ---

(In reply to comment #12)
> I still think we should push a fix for yast.ssh for 12.3 (I think many people using ssh installation are also using "expert" mode which will install updates before rebooting for second stage). This is for a "yast" expert to fix, not me :)

The installation of updates during 2nd stage normally happens during second stage, so getting updated yast2-installation package this way is too late. If one really installs updates manually, then he could use the workaround anyway (see comment 11 and feel free to update it).

> > So do you have any clean solution in mind?
>
> Yes, I already proposed one in bnc#800365 but yast-2nd-stage must be fixed first to ensure it behaves correctly when some services like network are started before it.

12.3 development is over, so feel free to submit patches for Factory. Or point yast developers to bugs that need fixing, if some problem is on YaST side.
https://bugzilla.novell.com/show_bug.cgi?id=809119#c14

--- Comment #14 from Frederic Crozat <fcrozat@suse.com> 2013-03-25 10:17:58 UTC ---

(In reply to comment #13)
> The installation of updates during 2nd stage normally happens during second stage, so getting updated yast2-installation package this way is too late.
> If one really installs updates manually, then he could use the workaround anyway (see comment 11 and feel free to update it).

Current workaround description is ok for me

> > > So do you have any clean solution in mind?
> >
> > Yes, I already proposed one in bnc#800365 but yast-2nd-stage must be fixed first to ensure it behaves correctly when some services like network are started before it.
>
> 12.3 development is over, so feel free to submit patches for Factory. Or point yast developers to bugs that need fixing, if some problem is on YaST side.

will do. The sooner we push those changes to Factory, the better, it will allow us to find the issues faster.
https://bugzilla.novell.com/show_bug.cgi?id=809119#c16

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
                 CC|                            |suse-beta@cboltz.de
       InfoProvider|                            |ke@suse.com

--- Comment #16 from Christian Boltz <suse-beta@cboltz.de> 2013-03-25 22:30:53 CET ---

We shouldn't "hide" such things somewhere in the wiki ;-)

Karl, can you please add this problem and the workaround to the Release Notes? See https://en.opensuse.org/openSUSE:Most_annoying_bugs_12.3 for details.

(Feel free to also add the nvidia-related issue (bug #808319) that is also mentioned in the wiki.)
https://bugzilla.novell.com/show_bug.cgi?id=809119#c17

Karl Eichwalder <ke@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
                 CC|                            |ke@suse.com
       InfoProvider|ke@suse.com                 |

--- Comment #17 from Karl Eichwalder <ke@suse.com> 2013-03-27 10:17:50 CET ---

(In reply to comment #16)
> We shouldn't "hide" such things somewhere in the wiki ;-)
>
> Karl, can you please add this problem and the workaround to the Release Notes? See https://en.opensuse.org/openSUSE:Most_annoying_bugs_12.3 for details.
>
> (Feel free to also add the nvidia-related issue (bug #808319) that is also mentioned in the wiki.)

Ok, I track it here: https://bugzilla.novell.com/show_bug.cgi?id=811952. Maybe, next week (I would not mind if there would be someone who is faster).
https://bugzilla.novell.com/show_bug.cgi?id=809119#c18

Karl Eichwalder <ke@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #18 from Karl Eichwalder <ke@suse.com> 2013-04-03 15:47:08 CEST ---

(In reply to comment #16)
> We shouldn't "hide" such things somewhere in the wiki ;-)
>
> Karl, can you please add this problem and the workaround to the Release Notes? See https://en.opensuse.org/openSUSE:Most_annoying_bugs_12.3 for details.
>
> (Feel free to also add the nvidia-related issue (bug #808319) that is also mentioned in the wiki.)

We mostly covered the nvidia issue already here: bug 809163.
https://bugzilla.novell.com/show_bug.cgi?id=809119#c19

Karl Eichwalder <ke@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEW

--- Comment #19 from Karl Eichwalder <ke@suse.com> 2013-04-03 16:05:04 CEST ---

I'll add the following snippet (fixed in SVN)--shall I close the bug now?

<sect2>
 <!-- bnc#809119 -->
 <title>
  SSH Installation Blocked by SuSEFirewall Service
 </title>
 <para>
  During the second stage of an SSH installation YaST freezes. It is
  blocked by the SuSEFirewall service because the SYSTEMCTL_OPTIONS
  environment variable is not set properly.
 </para>
 <para>
  Workaround: When logged in for the second time to start the second
  stage of the SSH installation, call <command>yast.ssh</command> with
  the <literal>--ignore-dependencies</literal> as follows:
 </para>
 <screen>SYSTEMCTL_OPTIONS=--ignore-dependencies yast.ssh</screen>
</sect2>
https://bugzilla.novell.com/show_bug.cgi?id=809119#c20

--- Comment #20 from Swamp Workflow Management <swamp@suse.de> 2013-06-10 10:18:04 UTC ---

openSUSE-RU-2013:0953-1: An update that has four recommended fixes can now be installed.

Category: recommended (low)
Bug References: 809119,809838,811952,815520
CVE References:
Sources used:
openSUSE 12.3 (src): release-notes-openSUSE-12.3.8-1.14.1
https://bugzilla.novell.com/show_bug.cgi?id=809119#c21

Frederic Crozat <fcrozat@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #21 from Frederic Crozat <fcrozat@suse.com> 2013-12-04 16:11:15 UTC ---

closing as fixed