[Bug 1091968] New: Migrated/upgraded systems have SuSEFirewall2 enabled which is not supported anymore
http://bugzilla.suse.com/show_bug.cgi?id=1091968 Bug ID: 1091968 Summary: Migrated/upgraded systems have SuSEFirewall2 enabled which is not supported anymore Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.0 Hardware: Other URL: https://openqa.opensuse.org/tests/667584/modules/firew all_enabled/steps/1 OS: Other Status: NEW Severity: Major Priority: P5 - None Component: Upgrade Problems Assignee: bnc-team-screening@forge.provo.novell.com Reporter: okurz@suse.com QA Contact: jsrain@suse.com CC: jeriveramoya@suse.com, riafarov@suse.com Found By: --- Blocker: --- +++ This bug was initially created as a clone of Bug #1091649 +++ ## Observation When migrating older products which had SuSEFirewall2 as default to a current product version which have firewalld by default then the SuSEFirewall2 is preserved which is not supported anymore. See for example scenario opensuse-15.0-DVD-x86_64-update_Leap_42.3_gnome@64bit-2G in [firewall_enabled](https://openqa.opensuse.org/tests/667584/modules/firewall_enabled/steps/1) showing that SuSEFirewall2 is still active. ## Reproducible * Upgrade pre-15 distributions (or corresponding TW version) with enabled SuSEFirewall2 to corresponding 15-based version * `SuSEfirewall2 status` reports that the firewall is still running ## Expected result * **E1:** An unsupported firewall should not continue to run silently in the background. Some error message or information to the user should be shown. ## Further details Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?version=15.0&distri=opensuse&arch=x86_64&test=update_Leap_42.3_gnome&flavor=DVD&machine=64bit-2G) https://openqa.suse.de/tests/1657059#step/firewall_enabled/1 shows the corresponding SuSEFirewall2 for SLE15 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1091968 Oliver Kurz <okurz@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugzilla.suse.com/s | |how_bug.cgi?id=1091649 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1091968 http://bugzilla.suse.com/show_bug.cgi?id=1091968#c1 Ludwig Nussel <lnussel@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED CC| |matthias.gerstner@suse.com Resolution|--- |INVALID --- Comment #1 from Ludwig Nussel <lnussel@suse.com> --- well, obviously it is still supported in maintenance mode as a full migration is not possible. if it was unsupported it would not be in the repo. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1091968 http://bugzilla.suse.com/show_bug.cgi?id=1091968#c2 Oliver Kurz <okurz@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED CC| |locilka@suse.com Resolution|INVALID |--- --- Comment #2 from Oliver Kurz <okurz@suse.com> --- *Sigh* now I am confused. locilka in https://bugzilla.suse.com/show_bug.cgi?id=1091649#c1 stated "But you can maybe open another bug: The system should scram loudly that SuSEfirewall2 is not supported and should try hard deleting it." and you (lnussel) disagree, fine, but can we please continue adressing the real open points until we found a common understanding? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1091968 http://bugzilla.suse.com/show_bug.cgi?id=1091968#c3 --- Comment #3 from Matthias Gerstner <matthias.gerstner@suse.com> --- This topic seems still to be a source of confusion. I discussed this with firewalld maintainer Markos Chandras a while ago and it turned out that the migration from SuSEfirewall2 to firewalld using his helper packages "susefirewall2-to-firewalld" is only possible if both firewalls are installed. This means that removing SuSEfirewall2 will break this migration path. I asked Markos to check if an offline migration would not also be possible but I don't know if he found time to implement it. I even tried to introduce a Conflicts to achieve removal of SuSEfirewall2 after upgrading but this only resulted in more troubles as outlined in bug 1084177 and bug 1085260. So as far as I understand it at the moment: - SuSEfirewall2 should *not* be forcibly removed after upgrade to support the upgrade path using susefirewall2-to-firewalld - sadly, if both firewalls are installed and *enabled* in systemd then strange things can happen (on systemd level the two firewalls can preempt each other multiple times). -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1091968 Weihua Du <whdu@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bnc-team-screening@forge.pr |matthias.gerstner@suse.com |ovo.novell.com | -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1091968 http://bugzilla.suse.com/show_bug.cgi?id=1091968#c4 Matthias Gerstner <matthias.gerstner@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution|--- |INVALID --- Comment #4 from Matthias Gerstner <matthias.gerstner@suse.com> --- Since there is no more protest or suggestions and Leap 15.0 is arleady released I think we can close this bug. Removal of SuSEfirewall2 is not feasible due to the migration path, difficulties can result from this in some cases that have to be resolved manually. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com