Fix failures in running firewalld service #13903
Conversation
microsoft-github-policy-service
bot
added
Packaging
3.0-dev
This commit patches the testsuite to successfully run tests based on the firewalld configuration files in Azurelinux 3.0. The list of changes include: - disable rpfilter tests, due to missing kernel config - add MDNS routes data and rules - add FedoraServer & FedoraWorkStation zone info - handle error code 255 instead of 1 for ebtables - remove webcache/tcp from tests
Sumynwa
changed the title
Sumynwa
changed the title
|
PR check failures are not related to the changes. AMD64: PTest Failure in systemd & valkey |
| table inet firewalld { | ||
| chain filter_IN_public_allow { | ||
| tcp dport 22 accept | ||
| + ip daddr 224.0.0.251 udp dport 5353 accept |
There was a problem hiding this comment.
what is the significance of this specific address ?
There was a problem hiding this comment.
This ipv4/ipv6 address and port is part of the MDNS configuration.
We patch public/work zone configs to add mdns service. These configs are installed under /usr/lib/firewalld.
As such, running firewalld testsuite adds additional rules in zone specific chains under firewalld table.
Since the testsuite binary compiled from sources do not include these rules in their expected result, they fail due to mismatch.
|
Looked into 3.0 Ptest run. |
| @@ -56,7 +56,7 @@ firewall with a D-Bus interface. | |||
| %{?python_provide:%python_provide python3-firewall} | |||
| Summary: Python3 bindings for firewalld | |||
|
|
|||
| Requires: python3-dbus | |||
| Requires: python3-dbus >= 1.3.2 | |||
There was a problem hiding this comment.
+1
Although, I think we only ship only one version of python3-dbus at a given point of time :)
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-staticsubpackages, etc.) have had theirReleasetag incremented../cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json)./LICENSES-AND-NOTICES/SPECS/data/licenses.json,./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md,./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassSummary
This commit introduces changes to fix firewalld issues in AzureLinux 3.0.
The list of changes is as below:
(a) Bump dbus-python version to 1.3.2.
File "/usr/lib/python3.12/site-packages/dbus/decorators.py", line 330, in decorator
args = inspect.getargspec(func)[0]
^^^^^^^^^^^^^^^^^^
Looking at the upstream release notes, there is no breaking API/compatibility changes wrt python 3.12.
(b) Disable
IPv6_rpfilterin configuration. The present kernel config does not support running firewalld daemon with this configuration. If left enabled, firewalld daemon fails to start.(c) Fix testsuite provided by the firewalld-test sub-package based on the firewalld configuration provided in Azurelinux 3.0.
NOTE: It becomes a loop to add a check section inside the firewalld spec. This is because during build, the chroot environment running the test does not install the final configuration. As a result, the package test passing during the build will fail when running the testsuite after installing the test sub-package due to change in configuration.
Neither the upstream SPEC, nor fedora specs adds a check section for this package.
More details are mentioned in this Bug.
Change Log
IPv6_rpfilterin configurationsrc/testsDoes this affect the toolchain?
NO
Associated issues
Links to CVEs
Test Methodology
Follow below steps to run firewalld testsuite:
Install the built firewalld and dbus-python package
sudo tdnf install -y python3-dbus firewalld ebtables firewalld-testAdjust below configs
Disable ipv6 rpfilter configuration. As the kernel does not support it, the firewalld service will fail to start, causing test failures.
sudo sed -i 's/^IPv6_rpfilter.*/IPv6_rpfilter=no/' /etc/firewalld/firewalld.confSwitch iptables to legacy mode for testing
backend = iptablesconfigurationsudo update-alternatives --set ebtables /usr/sbin/ebtables-legacysudo update-alternatives --set iptables /usr/sbin/iptables-legacysudo update-alternatives --set ip6tables /usr/sbin/ip6tables-legacysudo /usr/share/firewalld/testsuite/testsuite -j8As of now, there are 15 known failures which occur due to disabling rpfilter in configuration.
List of failing test number: 61 107 120 124 192 193 194 195 196 197 200 240 252 306 324