#37 Edited and asciidoc-formatted the following articles: dnf.adoc, dnf-system-upgrade.adoc, firewalld.adoc, reset-root-password.adoc, and upgrading.adoc
Closed 5 years ago by bex. Opened 6 years ago by sassam.
fedora-docs/ sassam/quick-docs sassam-quickdocs  into  master

file modified
+5 -5
@@ -70,9 +70,9 @@ 

      File: debug-systemd-problems

    - Name: (FIX ME!) How to debug Wayland problems

      File: debug-wayland-problems

-   - Name: (FIX ME!) DNF

+   - Name: DNF

      File: dnf

-   - Name: (FIX ME!) DNF system upgrade

+   - Name: DNF system upgrade

      File: dnf-system-upgrade

    - Name: (FIX ME!) How to edit iptables rules

      File: edit-iptables-rules
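
Review bot: The renamed entry `Name: DNF system upgrade` is in sentence case, but the title this same pull request gives the page in dnf-system-upgrade.adoc is `= DNF System Upgrade`. Pick one capitalisation so the navigation entry and the page heading match.
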
@@ -80,7 +80,7 @@ 

      File: enable-touchpad-click

    - Name: (FIX ME!) Fedora Release Life Cycle

      File: fedora-life-cycle

-   - Name: (FIX ME!) Firewalld

+   - Name: Firewalld

      File: firewalld

    - Name: (FIX ME!) Flash

      File: flash
@@ -100,11 +100,11 @@ 

      File: qemu

    - Name: (FIX ME!) Raspberry Pi

      File: raspberry-pi

-   - Name: (FIX ME!) How to reset a root password

+   - Name: How to reset a root password

      File: reset-root-password

    - Name: (FIX ME!) Using UEFI with QEMU

      File: uefi-with-qemu

-   - Name: (FIX ME!) Upgrading

+   - Name: Upgrading

      File: upgrading

    - Name: (FIX ME!) Upgrading Fedora using package manager

      File: upgrading-fedora-online

file modified
+295 -342
@@ -1,375 +1,328 @@ 

- = DNF system upgrade

+ [[chap-dnf-system-upgrade]]

+ = DNF System Upgrade

  

- '''

+ link:++https://github.com/rpm-software-management/dnf-plugin-system-upgrade++[`dnf-plugin-system-upgrade`] is a plugin for the link:++dnf.html++[DNF] package manager and is used to upgrade your system to the current release of Fedora.

+ For Atomic Host, which uses rpm-ostree, you may refer to link:++https://rpm-ostree.readthedocs.io/en/latest/manual/administrator-handbook/++[Read The Docs: rpm-ostree] for details.

  

- [IMPORTANT]

- ======

+ This is the recommended command-line upgrade method for Fedora 21 and later and works as follows:

  

- This page was automatically converted from https://fedoraproject.org/wiki/DNF_system_upgrade

+ . Packages are downloaded while the system is running normally

  

- It is probably

+ . The system reboots into a special environment (implemented as a systemd target) to install them

  

- * Badly formatted

- * Missing graphics and tables that do not convert well from mediawiki

- * Out-of-date

- * In need of other love

+ . Upon completion, the system reboots into the new Fedora release

  

- Pull requests accepted at https://pagure.io/fedora-docs/quick-docs

+ [[sect-performing-system-upgrade]]

+ == Performing System Upgrade

  

- Once you've fixed this page, remove this notice, and update

- `_topic_map.yml`.

+ [WARNING]

+ ====

  

- Once the document is live, go to the original wiki page and replace its text

- with the following macro:

+ *Back up your data* before performing a system-wide upgrade as every system upgrade is potentially risky.

+ As a precaution, download the link:++https://getfedora.org/en/workstation/download/++[Fedora Workstation Live image] in the event something goes wrong.

  

- ....

- {{#fedoradocs: https://docs.fedoraproject.org/whatever-the-of-this-new-page}}

- ....

+ ==== 

  

- ======

+ . To update your Fedora release from the command-line do:

+ +

+ [source,bash]

  

- '''

+ ----

  

+ sudo dnf upgrade --refresh

  

- [[what-is-dnf-system-upgrade]]

- What is DNF system upgrade?

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ ----

+ +

+ and reboot your computer.

  

- https://github.com/rpm-software-management/dnf-plugin-system-upgrade[dnf-plugin-system-upgrade]

- is a plugin for the link:Dnf[dnf] package manager which handles system

- upgrades. It is the recommended command line upgrade method for Fedora

- 21 and later (Except Atomic Host, which uses rpm-ostree; for that see

- Atomic_Host_upgrade).

+ . Install the dnf-plugin-system-upgrade package if it is not currently installed:

+ +

+ [source,bash]

  

- [[what-does-dnf-system-upgrade-do]]

- What does DNF system upgrade do?

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ ----

  

- DNF system upgrade can upgrade your system to a newer release of Fedora,

- using a mechanism similar to that used for offline package updates. The

- updated packages are downloaded while the system is running normally,

- then the system reboots to a special environment (implemented as a

- systemd target) to install them. Once installation of the updated

- packages is complete, the system reboots again to the new Fedora

- release.

+ sudo dnf install dnf-plugin-system-upgrade

  

- [[how-do-i-use-it]]

- How do I use it?

- ~~~~~~~~~~~~~~~~

+ ----

  

- 1.  *Back up* your important data. Every system change is potentially

- risky, be prepared. In case you update your workstation, it is also wise

- to download a https://getfedora.org/en/workstation/[Workstation Live

- image] and make sure your hardware (graphics card, wifi, etc) works well

- with the latest kernel and drivers.

- 2.  Update your system using the standard updater for your desktop or :

- +

- ....

- $ sudo dnf upgrade --refresh

- ....

- +

- (Don't type the `$` in these commands; that just indicates that you type

- this at a terminal prompt as a non-root user.)

- +

- After updating, we recommend you reboot your computer, especially if

- you've just installed a new kernel. +

- * Please note that there is

- link:Common_F23_bugs#plymouth-theme-upgrade[an issue] if you use a

- non-default plymouth boot theme. If you do, please follow the issue

- description to make sure your upgrade will not be affected.

- * Double check your DNF configuration in , if you have done any custom

- configuration (either manually or via third-party tool), it's

- recommended to revert it to default before updating and upgrading your

- system.

- 3.  Install package:

- +

- ....

- $ sudo dnf install dnf-plugin-system-upgrade

- ....

- 4.  Download the updated packages: \{\{#tag:pre|$ sudo dnf

- system-upgrade download --refresh --releasever=}} Change the

- `--releasever=` number if you want to upgrade to a different system

- release. Most people will want to upgrade to the latest stable release,

- which is **, but if you're running Fedora , you might want to upgrade

- just to Fedora . You can also use for upgrading to Branched or `rawhide`

- for upgrading to Rawhide (warning: those are not stable releases).

- * If you are upgrading to Rawhide, you will need to import the rpm gpg

- key for it. This will be the highest numbered key version in . For

- example if there is a Branched release that is , then you should look

- for a , and if there is currently no Branched release, it will be .

- \{\{#tag:pre|$ sudo rpm --import

- /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora--primary}}

- 5.  If some of your packages have unsatisfied dependencies, the upgrade

- will refuse to continue until you run it again with an extra option.

- This often happens with packages installed from third-party repositories

- for which an updated repositories hasn't been yet published. Please

- study the output very carefully and examine which packages are going to

- be removed. None of them should be essential for system functionality,

- but some of them might be important for your productivity.

- * In case of unsatisfied dependencies, you can sometimes see more

- details if you add option to the command line.

- * If you want to remove/install some packages manually before running

- `dnf system-upgrade download` again, it's advisable to perform those

- operations with `--setopt=keepcache=1` dnf command line option.

- Otherwise the whole package cache will be removed after your operation,

- and you'll need to download all the packages once again.

- 6.  Trigger the upgrade process:

+ . Download the updated packages (replace N with the release version): 

  +

- ....

-  $ sudo dnf system-upgrade reboot

- ....

+ [source,bash]

+ 

+ ----

+ 

+ sudo dnf system-upgrade download --refresh --releasever=N

+ 

+ ----

+ 

+ . Trigger the upgrade process. This will restart your machine into the upgrade process:

  +

- This will reboot your machine immediately. The system should boot again

- into Fedora using the same kernel, but this time, the upgrade process

- appears on the boot screen.

- 7.  Wait for the upgrade process to complete.

- 

- [[frequently-asked-questions]]

- Frequently Asked Questions

- ~~~~~~~~~~~~~~~~~~~~~~~~~~

- 

- [[how-do-i-report-issues-that-i-find-with-upgrades]]

- How do I report issues that I find with upgrades?

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- 

- First see link:Common_F{{FedoraVersionNumber}}_bugs[Common

- F\{\{FedoraVersionNumber}} bugs] or

- link:Common_F{{FedoraVersionNumber[next}} bugs] to check if the problem

- is a very prominent issue we already know of. If it is not there,

- https://bugzilla.redhat.com/buglist.cgi?product=Fedora&component=dnf-plugin-system-upgrade&resolution=---[search

- for an existing bug report]. If you do not see a report that matches

- your symptoms, you can file a new report from the search page. Please

- follow the bug reporting instructions mentioned in

- https://github.com/rpm-software-management/dnf-plugin-system-upgrade[this

- README] and in `man dnf.plugin.system-upgrade`.

- 

- If you hit issues after upgrade with a specific package, file a bug

- against the package with which you are having issues.

- 

- [[does-dnf-system-upgrade-verify-the-software-it-runs-or-installs-during-upgrade]]

- Does DNF system upgrade verify the software it runs or installs during

- upgrade?

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- 

- Yes. The package signing keys for newer Fedora releases are sent to

- older Fedora releases in order to allow DNF to verify the integrity of

- the packages it downloads. You can disable this function with the

- parameter if you need to do so for any reason (not recommended, you're

- then opened to attacks from malicious software).

- 

- [[will-packages-in-third-party-repositories-be-upgraded]]

- Will packages in third party repositories be upgraded?

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- 

- Yes, if they are set up like regular DNF repositories and do not hard

- code the repository path. Commonly-used third party repositories usually

- work fine, but if you attempt to upgrade prior to or soon after an

- official Fedora release, they may not have updated their repository

- paths yet, and DNF may be unable to find their packages. This will

- usually not prevent the upgrade running successfully, though, and you

- can update the packages from the third-party repository later.

- 

- [[can-i-upgrade-from-an-end-of-life-release]]

- Can I upgrade from an link:End_of_life[End of life] release?

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- 

- Note that Fedora strongly recommends against ever running an end-of-life

- release on any production system, or any system connected to the public

- internet, in any circumstances. You should never allow a production

- Fedora deployment to reach end-of-life in the first place.

- 

- With that in mind, if you do have an end-of-life release newer than

- Fedora 20 installed on a system you cannot just discard or re-deploy,

- you can attempt to upgrade it, though this is a less-tested and

- less-supported operation. You can try to upgrade through intermediate

- releases until you reach a currently-supported release, or try to

- upgrade to a currently-supported release in a single operation. It is

- not possible to state with certainty which approach is more likely to be

- successful.

- 

- If you attempt to upgrade across more than two releases in one

- operation, please also read the link:#multi[next answer].

- 

- If you have Fedora 20 or earlier installed, you cannot upgrade with DNF

- system upgrade alone. You must upgrade at least part of the way

- link:Upgrading_Fedora_using_package_manager[using bare or ]. You can

- either upgrade to Fedora 21 that way and then upgrade the rest of the

- way using DNF system upgrade, or you can attempt the entire upgrade

- using bare or . Note this method is in itself not an officially

- recommended upgrade mechanism. To be frank, any upgrade from Fedora 20

- or earlier is very much done 'at your own risk'.

- 

- [[how-many-releases-can-i-upgrade-across-at-once]]

- How many releases can I upgrade across at once?

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- 

- The most common scenario is an upgrade across just one release (e.g. to

- ). However, for the first month or so after a new release comes out,

- upgrades from the last-but-one release to that release are 'supported',

- in the sense that we include this scenario in the

- link:Fedora_Release_Criteria[Fedora Release Criteria], test it for at

- least clean installs of supported package sets, and will treat bugs

- discovered in such upgrades as significant. The

- link:Fedora_Release_Life_Cycle[Fedora Release Life Cycle] is

- specifically designed to provide this approximate one month 'grace

- period' so you can choose to upgrade long-lived systems only once every

- two releases, rather than having to do it every release.

- 

- Around a month after the new release comes out, the last-but-one release

- goes link:End_of_life[End of life], at which point the

- link:#eol[previous question] applies. Still, that upgrade is still

- pretty likely to work successfully for some time after the release goes

- end-of-life.

- 

- Upgrades across more than two releases are not 'supported', and issues

- encountered in such upgrades may not be considered significant bugs.

- Note that any upgrade across more than two releases must by definition

- be an upgrade from an end-of-life release, and so the link:#eol[previous

- question] applies here too.

- 

- When upgrading across multiple releases, you may find you need to

- link:Upgrading_Fedora_using_package_manager#packagekey[import the target

- release package signing key manually]. Fedora releases usually only have

- the package signing keys for the next two releases installed (because

- they go end-of-life before the N+3 release is branched). Before Fedora

- 22, it was not consistently the case that every release had keys for the

- next two releases, either. If dnf complains about a missing key, this is

- what you must do.

- 

- [[can-i-use-dnf-system-upgrade-to-upgrade-to-a-pre-release-e.g.-a-beta]]

- Can I use DNF system upgrade to upgrade to a pre-release (e.g. a Beta)?

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- 

- Yes. It should always be possible to attempt such an upgrade. Of course,

- this function is as subject to temporary breakage as is any other aspect

- of a pre-release, and generally speaking, the earlier the release in

- question, the less likely it is to work without problems.

- 

- [[optional-post-upgrade-tasks]]

- Optional post-upgrade tasks

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~

- 

- These are tasks you can do after a successful upgrade. *They are mostly

- intended for power users. If you are a general user who doesn't use

- terminal daily, you don't need to worry about this.*

- 

- [[update-system-configuration-files]]

- Update system configuration files

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- 

- Most configuration files are stored in `/etc`. If there are any updates

- to them and you touched some of those files before, RPM creates new

- files with either `.rpmnew` suffix (the new default config file), or

- `.rpmsave` suffix (your old config file backed up). You can search for

- these files, go through the changes and make sure your custom changes

- are still included and the new defaults are applied as well. A tool that

- tried to simplify this is . Install the package, and then use it as:

- 

- `$ sudo rpmconf -a`

- 

- See more information in its manual page.

- 

- [[clean-up-old-packages]]

- Clean up old packages

- ^^^^^^^^^^^^^^^^^^^^^

- 

- You can see list of packages with broken dependencies like this:

- 

- `$ sudo dnf repoquery --unsatisfied`

- 

- Ideally there should be none. If there are some, consider removing them,

- because they are not likely to work properly anyway.

- 

- You can see duplicated packages (packages with multiple versions

- installed) like this:

- 

- `$ sudo dnf repoquery --duplicated`

- 

- For ordinary packages, just the latest version should be installed. But

- there can be exceptions to the rule, only remove what you are sure you

- no longer need.

- 

- Some packages might stay on your system while they have been removed

- from the repositories. See them using:

- 

- `$ sudo dnf list extras`

- 

- If you don't use these, you can consider removing them:

- `dnf remove $(dnf repoquery --extras --exclude=kernel,kernel-\*)`.

- Please note that this list is only valid if you have a fully updated

- system. Otherwise you'll see all installed packages which are no longer

- in the repositories, because there is a newer update available. So

- before acting on these, make sure you have run `sudo dnf update` and

- generate the list of extra packages again. Also, this list might contain

- packages installed from third-party repositories for which an updated

- repository hasn't been published yet. This often involves e.g. RPM

- Fusion or Dropbox.

- 

- You can remove no-longer-needed packages using:

- 

- `$ sudo dnf autoremove`

- 

- but *beware* that dnf decides that a package is no longer needed if you

- haven't explicitly asked to install it and nothing else requires it.

- That doesn't mean that package is not useful or that you don't use it.

- *Only remove what you are certain you don't need*. There's a known bug

- in PackageKit which doesn't mark packages as user-installed, see

- https://bugzilla.redhat.com/show_bug.cgi?id=1259865[bug 1259865]. If you

- use PackageKit (or GNOME Software, Apper, etc) for installation, this

- output might list even important apps and system packages, so beware.

- 

- [[resolving-post-upgrade-issues]]

- Resolving post-upgrade issues

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- 

- *Only follow up these steps if you have troubles with your upgraded

- system. It should not be needed in the vast majority of upgrades.*

+ [source,bash]

+ 

+ ----

+ 

+ sudo dnf system-upgrade reboot

+ 

+ ----

+ 

+ . Once the upgrade process to complete, your system will reboot into the updated release version of Fedora.

+ 

+ [[sect-optional-post-upgrade-tasks]]

+ == Optional Post-Upgrade Tasks

+ 

+ These are some of the tasks you can do after a successful upgrade.

+ 

+ [NOTE]

+ 

+ ====

+ 

+ This section is mainly intended for power users. If you are a general user who doesn't use the terminal daily, you may skip this section.

+ 

+ ====

+ 

+ [[sect-update-system-configuration-files]]

+ === Update System Configuration Files

+ 

+ Most configuration files are stored in the `/etc` folder.

+ If you have changed the package's configuration files, RPM creates new files with either `.rpmnew` (the new default config file), or `.rpmsave` (your old config file backed up).

+ You can search for these files, or use the `rpmconf` tool that simplifies this process. To install rpmconf, enter:

+ 

+ [source,bash]

+ 

+ ----

+ 

+ dnf install rpmconf

+ 

+ ----

+ 

+ Once the install is complete enter:

+ 

+ [source,bash]

+ 

+ ----

+ 

+ sudo rpmconf -a

+ 

+ ----

+ 

+ For more information you can refer to the man pages (`man rpmconf`).

+ 

+ [[sect-clean-up-old-packages]]

+ === Clean-Up Old Packages

+ 

+ You can see a list of packages with broken dependencies by typing:

+ 

+ [source,bash]

+ 

+ ----

+ 

+ sudo dnf repoquery --unsatisfied

+ 

+ ----

+ 

+ The list should be empty, but if this is not the case consider removing them as they are not likely to work.

+ 

+ You can see duplicate packages (packages with multiple versions installed) with:

+ 

+ [source,bash]

+ 

+ ----

+ 

+ sudo dnf repoquery --duplicated

+ 

+ ----

+ 

+ For packages from the official repositories, the latest version should be installed.

+ However, some packages that are still on your system may no longer be in the repositories.

+ To see a list of these packages do:

+ 

+ [source,bash]

+ 

+ ----

+ 

+ sudo dnf list extras

+ 

+ ----

+ 

+ If you see a package you do not need, or use, you can remove it with:

+ 

+ [source,bash]

+ 

+ ----

+ 

+ sudo dnf remove $(dnf repoquery --extras --exclude=kernel,kernel-\*)

+ 

+ ----

+ 

+ [NOTE] 

+ 

+ ====

+ 

+ Run `sudo dnf update` first, as this list is only valid if you have a fully updated system.

+ Otherwise, you will see a list of installed packages that are no longer in the repositories because an update is available.

+ This list may also contain packages installed from third-party repositories who may not have updated their repositories.

+ 

+ ====

+ 

+ You can safely remove packages no longer in use with:

+ 

+ [source,bash]

+ 

+ ----

+ 

+ sudo dnf autoremove

+ 

+ ----

+ 

+ [WARNING]

+ 

+ ====

+ 

+ DNF decides that a package is no longer needed if you haven't explicitly asked to install it and nothing else requires it.

+ However, that doesn't mean that the package is not useful or that you don't use it.

+ *Only remove what you are sure you don't need*.

+ 

+ ====

+ 

+ [[sect-resolving-post-upgrade-issues]]

+ == Resolving Post-Upgrade Issues

+ 

+ [NOTE]

+ 

+ ====

+ 

+ Only follow these steps if you encounter problems with your upgraded system.

+ 

+ ====

+ 

+ [[sect-rebuilding-rpm-database]]

+ === Rebuilding the RPM Database

+ 

+ If you see warnings when working with RPM/DNF tools, your database might be corrupt.

+ It is possible to rebuild it to see if resolves your issues. Always back up `/var/lib/rpm/` first.

+ To rebuild the database, run:

+ 

+ [source,bash]

+ 

+ ----

+ 

+ sudo rpm --rebuilddb

+ 

+ ----

+ 

+ [[sect-using-distro-sync-to-resolve-dependency-issues]]

+ === Using distro-sync To Resolve Dependency Issues

+ 

+ The system upgrade tool uses `dnf distro-sync` by default.

+ If your system is partly upgraded or you see some package dependency issues, try running another distro-sync manually to see if this fixes the problem.

+ This will attempt to make your installed packages the same version in your currently enabled repositories, even if it must downgrade some packages:

+ 

+ [source,bash]

+ 

+ ----

+ 

+ sudo dnf distro-sync

+ 

+ ----

+ 

+ You can also use the `--allowerasing` option will remove packages with dependencies that can not be satisfied.

+ Always review which packages will be removed before confirming this:

+ 

+ [source,bash]

+ 

+ ----

+ 

+ sudo dnf distro-sync --allowerasing

+ 

+ ----

+ 

+ [[sect-relabel-files-with-the-latest-selinux-policy]]

+ === Relabel Files With The Latest SELinux Policy

+ 

+ If you encounter any warnings regarding policies with SELinux, some files may have incorrect SELinux permissions. 

+ This may happen if SELinux was disabled at some point in the past.

+ To relabel the entire system run:

+ 

+ [source,bash]

+ 

+ ----

+ 

+ sudo touch /.autorelabel

+ 

+ ----

+ 

+ and reboot.

+ 

+ The boot process may take a long time as it is checking and fixing all SELinux permission labels on all the files in your system.

+ 

+ [[sect-frequently-asked-questions]]

+ == Frequently Asked Questions

+ 

+ [[sect-how-do-i-report-issues-with-the-upgrades]]

+ === How Do I Report Issues With The Upgrade?

+ 

+ . See link:++https://fedoraproject.org/wiki/Bugs/Common++[Common bugs] to check if it is a known problem the community is already aware of.

+ 

+ . Search link:++https://bugzilla.redhat.com/buglist.cgi?product=Fedora&component=dnf-plugin-system-upgrade&resolution=---++[Bugzilla for an existing bug report].

+ 

+ If you do not see a report that matches your symptoms, you can file a new report from the search page.

+ Please follow the bug reporting instructions mentioned in the link:++https://github.com/rpm-software-management/dnf-plugin-system-upgrade/blob/master/README.md++[README from the github repo] or in `man dnf.plugin.system-upgrade`.

+ 

+ If you encounter any issues after the upgrade with a specific package, file a bug against the package with which you are having issues.

+ 

+ [[sect-does-dnf-system-upgrade-verify-the-software-it-runs-or-installs-during-an-upgrade]]

+ === Does DNF System Upgrade Verify The Software It Runs or Installs During An Upgrade?

+ 

+ Yes.

+ The package signing keys for the newer Fedora release are sent to older Fedora releases to allow DNF to verify the integrity of the downloaded packages.

+ You can disable this function if needed, but is not recommended as you will be open to attacks from malicious software.

+ 

+ [[sect-will-packages-in-third-party-repositories-be-upgraded]]

+ === Will Packages In Third-Party Repositories Be Upgraded?

+ 

+ Yes, if they are configured like regular DNF repositories and the version numbers are not hard-coded in the repository file (usually found in `/etc/yum.repos.d/`.)

+ Commonly used third-party repositories like RPM Fusion should work.

+ However, if attempting to upgrade prior to, or soon after, an official Fedora release, they may not have updated their repository paths, and DNF may be unable to find their packages.

+ Usually, this should not prevent the upgrade from running successfully.

+ Also, you can update packages from the third-party repository later.

+ 

+ [[sect-can-i-upgrade-from-an-end-of-life-release]]

+ === Can I upgrade from an End-Of-Life (EOL) Release?

+ 

+ It is strongly recommended to upgrade an EOL release on any production system, or any system connected to the public internet.

+ 

+ Any upgrade from Fedora 20 or earlier is done *at your own risk* as DNF was not the default package management tool.

+ However, if you do have a release newer than Fedora 20 that is EOL, you can attempt to do an upgrade, but this method is *not supported*.

+ You may try to upgrade through intermediate releases until you reach a currently-supported release, or try to upgrade to a currently-supported release in a single operation.

+ Again this is un-supported and is *at your own risk*.

  

- [[rebuilding-rpm-database]]

- Rebuilding RPM database

- ^^^^^^^^^^^^^^^^^^^^^^^

+ [[sect-how-many-releases-can-i-upgrade-across-at-once]]

+ === Can I do a single upgrade across many releases (i.e. 20-27)?

  

- If you see warnings when working with RPM/DNF tools, your database might

- have gotten corrupted for some reason. It is possible to rebuild it and

- see if resolves your issues. Always back up `/var/lib/rpm/` first. To

- rebuild the database, run:

+ It is highly recommended to upgrade across just one release (e.g. 27 to 28).

+ However, for the first month or so after a new release, upgrades from the last-but-one release are 'supported' (N-2, where N is the current release).

+ The link:fedora-life-cycle.html++[Fedora Release Life Cycle] is specifically designed to provide this approximate one month "grace period" to allow users the choice to upgrade their systems on a yearly basis, or once every two releases.

  

- `$ sudo rpm --rebuilddb`

+ Around a month after the new release comes out, the last-but-one release becomes End Of Life (EOL).

+ The upgrade is likely to work successfully after the release goes end-of-life, but the time period after the new release may be uncertain.

  

- [[using-distro-sync-to-resolve-dependency-issues]]

- Using distro-sync to resolve dependency issues

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

+ Upgrades across more than two releases are *not supported*, and issues encountered with such upgrades may not be considered significant bugs.

  

- The system upgrade tool uses distro-sync method by default. If your

- system stayed partly unupgraded or you see some package dependency

- issues, you might try to fix it by running another distro-sync manually.

- This tries to make your installed packages exactly the same version as

- in currently enabled repositories, even if it meant downgrading some

- packages:

+ When upgrading across multiple releases, you may need to import the GPG key for the release you want to update to. You can do this with:

  

- `$ sudo dnf distro-sync`

+ [source,bash]

  

- A stronger variant also allows to remove package for which package

- dependencies can't be satisfied. Always carefully review which packages

- are going to be removed before confirming this:

+ ----

  

- `$ sudo dnf distro-sync --allowerasing`

+ gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-N-primary

  

- [[relabel-files-with-latest-selinux-policy]]

- Relabel files with latest SELinux policy

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

+ ----

  

- If you see warnings that some actions were not allowed because of

- current SELinux policy, it might be a case of having some files

- incorrectly label with SELinux permissions. This might happen in case of

- some bug or if you had SELinux disabled in some point of time in the

- past. You can relabel the whole system by running:

+ (where N is the Fedora version.)

  

- `$ sudo touch /.autorelabel`

+ Refer to the link:++https://getfedora.org/keys/faq/++[getfedora.org FAQ on Keys] for details.

  

- and rebooting. The next boot will take a long time and will check and

- fix all SELinux labels on all your files.

- '''

+ [[sect-can-i-use-dnf-system-upgrade-to-upgrade-to-a-pre-release]]

+ === Can I Use DNF System Upgrade To Upgrade To A Pre-Release (e.g. a Beta)?

  

- See a typo, something missing or out of date, or anything else which can be

- improved? Edit this document at https://pagure.io/fedora-docs/quick-docs.

+ Yes, but this is subject to temporary breakage as with any other aspect of a pre-release. 

\ No newline at end of file
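
Review bot: The multi-release FAQ answer near the end of this hunk says you may need to import the GPG key and "You can do this with:", but the command it gives, `gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-N-primary`, only prints the key and its fingerprint and imports nothing. The removed Rawhide step used `sudo rpm --import` on the same kind of path. Either add that import command after the fingerprint check, or reword the sentence so it describes verifying the fingerprint against the getfedora.org keys page linked just below it. Other points in this file:
- The EOL answer now reads "It is strongly recommended to upgrade an EOL release on any production system", which loses the removed text's advice against running an end-of-life release on such systems at all.
- "If you see a package you do not need, or use, you can remove it with:" is followed by `sudo dnf remove $(dnf repoquery --extras --exclude=kernel,kernel-\*)`, which removes every extra package rather than one chosen package. The NOTE telling the reader to run `sudo dnf update` first comes after that command instead of before it.
- "You can safely remove packages no longer in use" is contradicted by the WARNING placed directly under `sudo dnf autoremove`; drop "safely".
- `dnf install rpmconf` is missing the `sudo` that the other install command in this file has.
- `link:fedora-life-cycle.html++[Fedora Release Life Cycle]` has an unbalanced `++`, unlike the other link macros here.
- Two sentences need a grammar fix: "Once the upgrade process to complete" and "You can also use the `--allowerasing` option will remove packages".
- The file should end with a newline.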

file modified
+56 -157
@@ -1,201 +1,100 @@ 

+ [[chap-dnf]]

  = DNF

  

- '''

+ DNF is a software package manager that installs, updates, and removes packages on Fedora and is the successor to YUM (Yellow-Dog Updater Modified).

+ DNF makes it easy to maintain packages by automatically checking for dependencies and determines the actions required to install packages.

+ This method eliminates the need to manually install or update the package, and its dependencies, using the `rpm` command.

  

- [IMPORTANT]

- ======

+ [[sect-dnf-installation]]

+ == Installation

  

- This page was automatically converted from https://fedoraproject.org/wiki/DNF

+ DNF has replaced YUM as the default package manager for Fedora since version 22.

+ However, for earlier versions of Fedora, starting from version 18, DNF can be installed from the command-line with:

  

- It is probably

+ [source,bash]

  

- * Badly formatted

- * Missing graphics and tables that do not convert well from mediawiki

- * Out-of-date

- * In need of other love

+ ----

  

- Pull requests accepted at https://pagure.io/fedora-docs/quick-docs

+ yum install dnf

  

- Once you've fixed this page, remove this notice, and update

- `_topic_map.yml`.

+ ----

  

- Once the document is live, go to the original wiki page and replace its text

- with the following macro:

+ [[sect-usage]]

+ == Usage

  

- ....

- {{#fedoradocs: https://docs.fedoraproject.org/whatever-the-of-this-new-page}}

- ....

+ `dnf` can be used exactly as `yum` to search, install or remove packages.

  

- ======

+ To search the repositories for a package type:

  

- '''

+ [source,bash]

  

+ ----

  

- *DNF* is a software package manager that installs, updates, and removes

- link:package[packages] on RPM-based Linux distributions. It

- automatically computes dependencies and determines the actions required

- to install packages. DNF also makes it easier to maintain groups of

- machines, eliminating the need to manually update each one using rpm.

- Introduced in Fedora 18, it has been the default package manager since

- Fedora 22.

+ sudo dnf search packagename

  

- DNF or Dandified yum is the next generation version of yum. It roughly

- maintains CLI compatibility with yum and defines a strict API for

- extensions and plugins. Plugins can modify or extend features of DNF or

- provide additional CLI commands on top of those mentioned below. If you

- know the name of such a command (including commands mentioned bellow),

- you may find/install the package which provides it using the appropriate

- virtual provide in the form of dnf-command() where is the name of the

- command; e.g. dnf-command(repoquery) for a repoquery command (the same

- applies to specifying dependencies of packages that require a particular

- command).

+ ----

  

- [[features]]

- Features

- ~~~~~~~~

+ To install the package:

  

- * Support for multiple repositories

- * Simple configuration

- * Dependency calculation based on modern depsolving technology

- * Faster and less memory-intensive operation

- * RPM-consistent behavior

- * Package group support, including multiple-repository groups

- * Simple interface

- * Documented, solid Python API

- * DNF runs in both Python 2 and Python 3

- * C bindings for lower level libraries:

- ** hawkey for package querying and depsolving. PackageKit is already

- making use of hawkey

- ** librepo for repo operations. PackageKit is already making use of

- librepo

- ** libcomps for comps operations

+ [source,bash]

  

- [[available-commands]]

- Available commands

- ~~~~~~~~~~~~~~~~~~

+ ----

  

- autoremove

+ sudo dnf install packagename

  

- check-update

+ ----

  

- clean

+ To remove a package:

  

- distro-sync

+ [source,bash]

  

- downgrade

+ ----

  

- group

+ sudo dnf remove packagename

  

- help

+ ----

  

- history

+ Other common DNF commands include:

  

- info

+ * `autoremove` - removes packages installed as dependencies that are no longer required by currently installed programs.

  

- install

+ * `check-update` - checks for updates, but does not download or install the packages.

  

- list

+ * `downgrade` - reverts to the previous version of a package.

  

- makecache

+ * `info` - provides basic information about the package including name, version, release, and description.

  

- mark

+ * `reinstall` - reinstalls the currently installed package.

  

- provides

+ * `update/upgrade` - checks the repositories for newer packages and updates them.

  

- reinstall

+ For more DNF commands refer to the man pages by typing `man dnf` at the command-line, or link:++http://dnf.readthedocs.io/en/latest/command_ref.html[DNF Read The Docs]

  

- remove

+ [[sect-automatic-updates]]

+ == Automatic Updates

  

- repolist

+ The `dnf-automatic` package is a component that allows automatic download and installation of updates.

+ It can automatically monitor and report, via e-mail, the availability of updates or send a log about downloaded packages and installed updates.

  

- repository-packages

+ For more information, refer to the link:++http://dnf.readthedocs.org/en/latest/automatic.html[Read the Docs: DNF-Automatic] page.

  

- search

+ [[sect-system-upgrades]]

+ == System Upgrades

  

- updateinfo

+ The Fedora system can be upgraded directly with DNF, or with the DNF system upgrade plugin.

+ Refer to the link:++upgrading.html++[Upgrade] document for more details.

  

- upgrade

+ [[sect-language-support-using-dnf]]

+ == Language Support Using DNF

  

- upgrade-to

+ DNF can be used to install or remove Language Support.

+ A detailed description with a list of available languages can be found on link:++https://fedoraproject.org/wiki/I18N/Language_Support_Using_Dnf[Language Support Using Dnf] page.

  

- [[installation]]

- Installation

- ~~~~~~~~~~~~

+ [[sect-references]]

+ == References

  

- DNF comes with Fedora since version 18, but DNF can installed by using

- the yum Command:

+ . http://dnf.readthedocs.org/en/latest/command_ref.html[DNF Command Reference]

  

- ....

- # yum install dnf

- ....

+ . http://dnf.baseurl.org/[DNF blog]

  

- As of Fedora 22, yum has been replaced with DNF and doesn't need to be

- install.

- 

- [[usage]]

- Usage

- ~~~~~

- 

- In the basic methods, DNF can be used almost exactly as yum to search,

- install or remove packages:

- 

- ....

- # dnf search audacity 

- ....

- 

- ....

- # dnf install audacity 

- ....

- 

- ....

- # dnf remove audacity 

- ....

- 

- [[automatic-updates]]

- Automatic Updates

- ^^^^^^^^^^^^^^^^^

- 

- The DNF-Automatic RPM package as a DNF component provides a service for

- automatic download and installation of updates. It can automatically

- monitor and report via email availability of updates, or send a log

- about downloaded packages and installed updates. See AutoUpdates section

- or http://dnf.readthedocs.org/en/latest/automatic.html[DNF-Automatic]

- page.

- 

- [[system-upgrades]]

- System Upgrades

- ^^^^^^^^^^^^^^^

- 

- Fedora Products can be upgraded with DNF system upgrade plugin or

- directly with DNF. See Upgrade section.

- 

- [[language-support-using-dnf]]

- Language Support Using Dnf

- ^^^^^^^^^^^^^^^^^^^^^^^^^^

- 

- DNF can be used to install or remove Language Support. A detailed

- description with a list of available languages can be found on

- https://fedoraproject.org/wiki/I18N/Language_Support_Using_Dnf[Language

- Support Using Dnf] page.

- 

- [[documentation]]

- Documentation

- ~~~~~~~~~~~~~

- 

- \1. http://dnf.readthedocs.org/[Documentation Index]

- 

- \2. http://dnf.readthedocs.org/en/latest/command_ref.html[Command

- Reference]

- 

- \3. http://dnf.baseurl.org/[DNF blog]

- 

- \4. https://github.com/rpm-software-management/dnf/wiki[DNF wiki]

- 

- \5. Changes/DNF-2.0

- 

- Category:Documentation Category:Software_Management[Category:Software

- Management]

- '''

- 

- See a typo, something missing or out of date, or anything else which can be

- improved? Edit this document at https://pagure.io/fedora-docs/quick-docs.

+ . https://github.com/rpm-software-management/dnf/wiki[DNF wiki] 

\ No newline at end of file
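Review bot: Three added link macros open a `++` passthrough around the URL and never close it: `link:++http://dnf.readthedocs.io/en/latest/command_ref.html[DNF Read The Docs]`, and likewise the DNF-Automatic and Language Support Using Dnf links. The `link:++upgrading.html++[Upgrade]` line in this same hunk has the closing `++` before `[`; these three need it too, since the macro is malformed as written. Two smaller points on the command examples: `sudo dnf search packagename` runs a read-only query as root, and dropping `sudo` there keeps each example at the privilege the step needs, while `yum install dnf` does change the system and is shown without `sudo`, unlike the install and remove examples below it. The Read the Docs links use `http://` and mix the `readthedocs.io` and `readthedocs.org` hosts; one `https://` form throughout would be more consistent. The file also ends without a trailing newline.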

file modified
+92 -1118
@@ -1,1192 +1,166 @@ 

- = Firewalld

+ [[ch-FirewallD]]

+ = FirewallD

  

- '''

+ [[sect-what-is-firewalld]]

+ == What is FirewallD?

  

- [IMPORTANT]

- ======

+ FirewallD allows users to control which network ports they want opened, or closed, to keep their system secure from unauthorized access.

+ FirewallD is integrated with SystemD and NetworkManager, and supports IPv4, IPv6 and ethernet bridges.

+ It also supports an interface for services and applications to add firewall rules directly.

+ These settings can be controlled from the command-line, or with the `firewall-config` graphic-user-interface.

  

- This page was automatically converted from https://fedoraproject.org/wiki/Firewalld

+ [[sect-do-i-have-firewalld-on-my-system]]

+ == Do I have FirewallD on my system?

+ FirewallD is the default firewall service for current releases of Fedora and is enabled by default.

+ To check if your system has FirewallD enabled, at the command-line, type:

  

- It is probably

+ [source,bash]

  

- * Badly formatted

- * Missing graphics and tables that do not convert well from mediawiki

- * Out-of-date

- * In need of other love

+ ----

  

+ sudo firewall-cmd --state

  

- Pull requests accepted at https://pagure.io/fedora-docs/quick-docs

+ ----

  

- Once you've fixed this page, remove this notice, and update

- `_topic_map.yml`.

+ This command will show if it is `running` or `not running`

  

- Once the document is live, go to the original wiki page and replace its text

- with the following macro:

+ If FirewallD is `not running`, type:

  

- ....

- {{#fedoradocs: https://docs.fedoraproject.org/whatever-the-of-this-new-page}}

- ....

+ [source,bash]

  

- ======

+ ----

  

- '''

+ sudo systemctl enable --now firewalld

  

+ ----

  

- [[dynamic-firewall-with-firewalld]]

- Dynamic firewall with firewalld

- -------------------------------

+ This will enable the FirewallD service when booting the system, and immediately start the service.

  

- firewalld provides a dynamically managed firewall with support for

- network/firewall zones to define the trust level of network connections

- or interfaces. It has support for IPv4, IPv6 firewall settings and for

- ethernet bridges and has a separation of runtime and permanent

- configuration options. It also supports an interface for services or

- applications to add firewall rules directly.

+ If these commands do not work, FirewallD may not be installed. To install it, type:

  

- The former firewall model with system-config-firewall/lokkit was static

- and every change required a complete firewall restart. This included

- also to unload the firewall netfilter kernel modules and to load the

- modules that are needed for the new configuration. The unload of the

- modules was breaking stateful firewalling and established connections.

+ [source,bash]

  

- The firewall daemon on the other hand manages the firewall dynamically

- and applies changes without restarting the whole firewall. Therefore

- there is no need to reload all firewall kernel modules. But using a

- firewall daemon requires that all firewall modifications are done with

- that daemon to make sure that the state in the daemon and the firewall

- in kernel are in sync. The firewall daemon can not parse firewall rules

- added by the ip*tables and ebtables command line tools.

+ ----

  

- The daemon provides information about the current active firewall

- settings via D-BUS and also accepts changes via D-BUS using PolicyKit

- authentication methods.

+ sudo dnf install firewalld

  

- The official firewalld homepage is at

- http://firewalld.org/[firewalld.org]

+ ----

  

- [[the-daemon]]

- The Daemon

- ~~~~~~~~~~

+ To install the FirewallD graphical-user-interface application and open it from the command-line, type:

  

- Applications, daemons and the user can request to enable a firewall

- feature over D-BUS. A feature could either be one of the predefined

- firewall features like services, port and protocol combinations,

- port/packet forwarding, masquerading or icmp blocking. The feature can

- be enabled for a certain amount of time or can be disabled by again.

+ [source,bash]

  

- With the so called direct interface other services (like for example

- libvirt) are able to add own rules using iptables arguments and

- parameters.

+ ----

  

- The netfilter firewall helpers, that are for example used for amanda,

- ftp, samba and tftp services, are also handled by the daemon as long as

- they are part of a predefined service. Loading of additional helpers is

- not part of the current interface. For some of the helpers unloading is

- only possible after all connections that are handled by the module are

- closed. Therefore connection tracking information is important here and

- needs to be taken into account.

+ sudo dnf install firewall-config

  

- [[static-firewall-system-config-firewalllokkit]]

- Static Firewall (system-config-firewall/lokkit)

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ sudo firewall-config

  

- The actual static firewall model with system-config-firewall and lokkit

- will still be available and usable, but not at the same time as the

- daemon is running. The user or admin can decide which firewall solution

- should be used by enabling the corresponding services.

+ ----

  

- It is planned to add a selector for the firewall solution to be used at

- install time or in first boot. The configuration of the other solution

- will stay intact and can be enabled simply by switching to the other

- model.

+ [[sect-opening-and-closing-ports-with-firewalld]]

+ == Opening and closing ports with FirewallD

  

- The firewall daemon is independent to system-config-firewall, but should

- not be used at the same time.

+ Opening ports with FirewallD can be executed from the command-line without the need to edit configuration files.

+ Ports can be opened using either the service name, or the port number.

+ For example, to allow access to the SSH service, type:

  

- [[using-static-firewall-rules-with-the-iptables-and-ip6tables-services]]

- Using static firewall rules with the iptables and ip6tables services

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ [source,bash]

  

- If you want to use your own static firewall rules with the iptables and

- ip6tables services, install iptables-services and disable firewalld and

- enable iptables and ip6tables:

+ ----

  

- `dnf install iptables-services` +

- `systemctl mask firewalld.service` +

- `systemctl enable iptables.service` +

- `systemctl enable ip6tables.service`

+ sudo firewall-cmd --add-service ssh

  

- Use /etc/sysconfig/iptables and /etc/sysconfig/ip6tables for your static

- firewall rules.

+ ----

  

- Note: The package iptables and iptables-services do not provide firewall

- rules for use with the services. The services are available for

- compatibility and people that want to use their own firewall rules. You

- can install and use system-config-firewall to create rules with the

- services though. To be able to use system-config-firewall, you have to

- stop firewalld.

- 

- After creating rules for use with the services stop firewalld and start

- the iptables and ip6tables services:

- 

- `systemctl stop firewalld.service` +

- `systemctl start iptables.service` +

- `systemctl start ip6tables.service`

- 

- [[what-is-a-zone]]

- What is a zone?

- ~~~~~~~~~~~~~~~

- 

- A network zone defines the level of trust for network connections. This

- is a one to many relation, which means that a connection can only be

- part of one zone, but a zone can be used for many network connections.

- 

- [[predefined-services]]

- Predefined services

- ^^^^^^^^^^^^^^^^^^^

- 

- A service is a combination of port and/or protocol entries. Optionally

- netfilter helper modules can be added and also a IPv4 and IPv6

- destination address.

- 

- [[ports-and-protocols]]

- Ports and protocols

- ^^^^^^^^^^^^^^^^^^^

+ If allowing access by the port number, it needs to be followed by the protocol whether it is TCP or UDP.

+ To open SSH by its port, type:

  

- Definition of tcp or udp ports, where ports can be a single port or a

- port range.

+ [source,bash]

  

- [[icmp-blocks]]

- ICMP blocks

- ^^^^^^^^^^^

+ ----

  

- Selected Internet Control Message Protocol (ICMP) messages. These

- messages are either information requests or created as a reply to

- information requests or in error conditions.

+ sudo firewall-cmd --add-port=22/tcp

  

- [[masquerading]]

- Masquerading

- ^^^^^^^^^^^^

+ ----

  

- The addresses of a private network are mapped to and hidden behind a

- public IP address. This is a form of address translation.

- 

- [[forward-ports]]

- Forward ports

- ^^^^^^^^^^^^^

- 

- A port is either mapped to another port and/or to another host.

- 

- [[which-zones-are-available]]

- Which zones are available?

- ~~~~~~~~~~~~~~~~~~~~~~~~~~

- 

- These are the zones provided by firewalld sorted according to the

- default trust level of the zones from untrusted to trusted:

+ This will open the SSH port in runtime mode.

+ Runtime mode means it will run the change temporarily and will revert back to its original state after reloading the FirewallD service, or after a system reboot.

+ To keep the SSH port opened after a FirewallD service restart, or system reboot, include the `--permanent` option, type:

  

- [[drop]]

- drop

- ^^^^

+ [source,bash]

+ ----

  

- Any incoming network packets are dropped, there is no reply. Only

- outgoing network connections are possible.

+ sudo firewall-cmd --permanent --add-service ssh

  

- [[block]]

- block

- ^^^^^

+ ----

  

- Any incoming network connections are rejected with an

- icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6.

- Only network connections initiated within this system are possible.

+ or by port number:

  

- [[public]]

- public

- ^^^^^^

+ [source,bash]

  

- For use in public areas. You do not trust the other computers on

- networks to not harm your computer. Only selected incoming connections

- are accepted.

+ ----

  

- [[external]]

- external

- ^^^^^^^^

+ sudo firewall-cmd --permanent --add-port=22/tcp

  

- For use on external networks with masquerading enabled especially for

- routers. You do not trust the other computers on networks to not harm

- your computer. Only selected incoming connections are accepted.

+ ----

  

- [[dmz]]

- dmz

- ^^^

- 

- For computers in your demilitarized zone that are publicly-accessible

- with limited access to your internal network. Only selected incoming

- connections are accepted.

+ To save the changes:

  

- [[work]]

- work

- ^^^^

+ [source,bash]

  

- For use in work areas. You mostly trust the other computers on networks

- to not harm your computer. Only selected incoming connections are

- accepted.

+ ----

  

- [[home]]

- home

- ^^^^

+ sudo firewall-cmd --reload

  

- For use in home areas. You mostly trust the other computers on networks

- to not harm your computer. Only selected incoming connections are

- accepted.

+ ----

  

- [[internal]]

- internal

- ^^^^^^^^

+ To block access to the SSH service:

  

- For use on internal networks. You mostly trust the other computers on

- the networks to not harm your computer. Only selected incoming

- connections are accepted.

+ [source,bash]

  

- [[trusted]]

- trusted

- ^^^^^^^

+ ----

  

- All network connections are accepted.

+ sudo firewall-cmd --remove-service ssh

  

- [[which-zone-should-be-used]]

- Which zone should be used?

- ~~~~~~~~~~~~~~~~~~~~~~~~~~

+ ----

  

- A public WIFI network connection for example should be mainly untrusted,

- a wired home network connection should be fairly trusted. Select the

- zone that best matches the network you are using.

+ To block access by port number:

  

- [[how-to-configure-or-add-zones]]

- How to configure or add zones?

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ ----

  

- To configure or add zones you can either use one of the firewalld

- interfaces to handle and change the configuration. These are the

- graphical configuration tool firewall-config, the command line tool

- firewall-cmd or the D-BUS interface. Or you can create or copy a zone

- file in one of the configuration directories.

- @PREFIX@/lib/firewalld/zones is used for default and fallback

- configurations and /etc/firewalld/zones is used for user created and

- customized configuration files.

+ sudo firewall-cmd --remove-port=22/tcp

  

- [[how-to-set-or-change-a-zone-for-a-connection]]

- How to set or change a zone for a connection

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ ----

  

- The zone is stored into the ifcfg of the connection with the ZONE=

- option. If the option is missing or empty, the default zone set in

- firewalld is used.

+ Again, add the `--permanent` option to make it persistent, and don't forget to do `firewall-cmd --reload` to save the changes.

  

- If the connection is controlled by NetworkManager, you can also use

- nm-connection-editor to change the zone.

+ [[sect-how-can-i-see-the-services-recognized-by-firewalld]]

+ == How can I see the services recognized by FirewallD?

  

- [[network-connections-handled-by-networkmanager]]

- Network connections handled by NetworkManager

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ To see a list of all the services recognized by FirewallD, type:

  

- The firewall is not able to handle network connections with the name

- shown by NetworkManager, it can only handle network interfaces.

- Therefore NetworkManager tells firewalld to put the network interfaces

- related to the connections in the zones defined by the config file

- (ifcfg) of the connection before the connection comes up. If the zone is

- not set in the config file, the interfaces will be put in the default

- zone set by firewalld. If a connection has more than one interfaces,

- both will be supplied to firewalld. Also changes in the names of

- interfaces will be handled by NetworkManager and supplied to firewalld.

+ [source,bash]

  

- To simplify this connections will be used as related to zones from now

- on.

+ ----

  

- NetworkManager also tells firewalld to remove connections from zones

- again if the connection went down.

+ sudo firewall-cmd --get-services

  

- If firewalld gets started or restarted by systemd or init scripts,

- firewalld notifies NetworkManager and the connections will be added to

- the zones.

+ ----

  

- [[network-connections-handled-by-network-scripts]]

- Network connections handled by network scripts

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ To view a list of services "turned-on" in FirewallD, type:

  

- For connections handled by network scripts there a limitations: There is

- no daemon that can tell firewalld to add connections to zones. This is

- done in the ifcfg-post script only. Therefore changes in names after

- this can not be supplied to firewalld. Also starting or restarting

- firewalld if the connections are active already results in the loss of

- the relation. There are ideas to fix this also. The simplest is to push

- all connections to the default zone that are not set otherwise.

+ [source,bash]

  

- The zone defines the firewall features that are enabled in this zone.

+ ----

  

- [[working-with-firewalld]]

- Working with firewalld

- ~~~~~~~~~~~~~~~~~~~~~~

+ sudo firewall-cmd --list-services

  

- To enable or disable firewall features for example in zones, you can

- either use the graphical configuration tool *firewall-config* or the

- command line client *firewall-cmd*

+ ----

  

- [[using-firewall-cmd]]

- Using firewall-cmd

- ^^^^^^^^^^^^^^^^^^

+ [[sect-additional-resources]]

+ == Additional Resources

  

- The command line client *firewall-cmd* supports all firewall features.

- For status and query modes, there is no output, but the command returns

- the state.

+ For more information about configuring FirewallD, such as how to list and change zones, port forwarding, and other system administrative tasks, refer to the FirewallD documentation at link:++http://www.firewalld.org/++[firewalld.org], the link:++https://fedoraproject.org/wiki/Firewalld++[Fedora Wiki: FirewallD].

  

- [[generic-use]]

- Generic use

- +++++++++++

- 

- * Get the status of firewalld

- 

- ` firewall-cmd --state`

- 

- This returns the status of firewalld, there is no output. To get a

- visual state use:

- 

- ` firewall-cmd --state && echo "Running" || echo "Not running"`

- 

- As of Fedora 19, the status seems printed just fine:

- 

- ` # rpm -qf $( which firewall-cmd )` +

- ` firewalld-0.3.3-2.fc19.noarch` +

- ` # firewall-cmd --state` +

- ` not running`

- 

- * Reload the firewall without losing state information:

- 

- ` firewall-cmd --reload`

- 

- If you are using *--complete-reload* instead, the state information will

- be lost. This option should only be used in case of severe firewall

- problems for example if there are state information problems that no

- connection can be established but the firewall rules are correct.

- 

- * Get a list of all supported zones

- 

- ` firewall-cmd --get-zones`

- 

- This command prints a space separated list.

- 

- * Get a list of all supported services

- 

- ` firewall-cmd --get-services`

- 

- This command prints a space separated list.

- 

- * Get a list of all supported icmptypes

- 

- ` firewall-cmd --get-icmptypes`

- 

- This command prints a space separated list.

- 

- * List all zones with the enabled features.

- 

- ` firewall-cmd --list-all-zones`

- 

- The output format is:

- 

- ` ` +

- `   interfaces: `` ..` +

- `   services: `` ..` +

- `   ports: `` ..` +

- `   forward-ports: `` ..` +

- `   icmp-blocks: `` ..` +

- `   ` +

- `   ..`

- 

- * Print zone with the enabled features. If zone is omitted, the default

- zone will be used.

- 

- ` firewall-cmd [--zone=``] --list-all`

- 

- * Get the default zone set for network connections

- 

- ` firewall-cmd --get-default-zone`

- 

- * Set the default zone

- 

- ` firewall-cmd --set-default-zone=`

- 

- All interfaces that are located in the default zone will be pushed in

- the new default zone, that defines the limitations for new external

- initiated connection attempts. Active connections are not affected.

- 

- * Get active zones

- 

- ` firewall-cmd --get-active-zones`

- 

- The command prints the interfaces that are set to be part of a zone in

- this form:

- 

- ` ``: `` `` ..` +

- ` ``: `` ..`

- 

- * Get zone related to an interface

- 

- ` firewall-cmd --get-zone-of-interface=`

- 

- This prints the zone name, if the interface is part of a zone

- 

- * Add an interface to a zone

- 

- ` firewall-cmd [--zone=``] --add-interface=`

- 

- Add an interface to a zone, if it was not in a zone before. If the zone

- options is omitted, the default zone will be used. The interfaces are

- reapplied after reloads.

- 

- * Change the zone an interface belongs to

- 

- ` firewall-cmd [--zone=``] --change-interface=`

- 

- This is similar to the --add-interface options, but pushes the interface

- in the new zone even if it was in another zone before.

- 

- * Remove an interface from a zone

- 

- ` firewall-cmd [--zone=``] --remove-interface=`

- 

- * Query if an interface is in a zone

- 

- ` firewall-cmd [--zone=``] --query-interface=`

- 

- Returns if the interface is in the zone. There is no output.

- 

- * List the enabled services in a zone

- 

- ` firewall-cmd [ --zone=`` ] --list-services`

- 

- * Enable panic mode to block all network traffic in case of emergency

- 

- ` firewall-cmd --panic-on`

- 

- * Disable panic mode

- 

- ` firewall-cmd --panic-off`

- 

- * Query panic mode

- 

- ` firewall-cmd --query-panic`

- 

- This returns the state of the panic mode, there is no output. To get a

- visual state use

- 

- ` firewall-cmd --query-panic && echo "On" || echo "Off"`

- 

- [[runtime-zone-handling]]

- Runtime zone handling

- +++++++++++++++++++++

- 

- In the runtime mode the changes to zones are not permanent. The changes

- will be gone after reload or restart.

- 

- * Enable a service in a zone

- 

- ` firewall-cmd [--zone=``] --add-service=`` [--timeout=``]`

- 

- This enables a service in a zone. If zone is not set, the default zone

- will be used. If timeout is set, the service will only be enabled for

- the amount of seconds in the zone. If the service is already active,

- there will be no warning message.

- 

- * *Example:* Enable ipp-client service for 60 seconds in the home zone:

- 

- ` firewall-cmd --zone=home --add-service=ipp-client --timeout=60`

- 

- * *Example:* Enable the http service in the default zone:

- 

- ` firewall-cmd --add-service=http`

- 

- * Disable a service in a zone

- 

- ` firewall-cmd [--zone=``] --remove-service=`

- 

- This disables a service in a zone. If zone is not set, the default zone

- will be used.

- 

- * *Example:* Disable http service in the home zone:

- 

- ` firewall-cmd --zone=home --remove-service=http`

- 

- The service will be disabled in the zone. If the service is not enabled

- in the zone, there will be an warning message.

- 

- * Query if a service is enabled in a zone

- 

- ` firewall-cmd [--zone=``] --query-service=`

- 

- This returns 1 if the service is enabled in the zone, otherwise 0. There

- is no output.

- 

- * Enable a port and protocol combination in a zone

- 

- ` firewall-cmd [--zone=``] --add-port=``[-``]/`` [--timeout=``]`

- 

- This enables a port and protocol combination. The port can be a single

- port or a port range -. The protocol can be either *tcp* or *udp*.

- 

- * Disable a port and protocol combination in a zone

- 

- ` firewall-cmd [--zone=``] --remove-port=``[-``]/`

- 

- * Query if a port and protocol combination in enabled in a zone

- 

- ` firewall-cmd [--zone=``] --query-port=``[-``]/`

- 

- This command returns if it is enabled, there is no output.

- 

- * Enable masquerading in a zone

- 

- ` firewall-cmd [--zone=``] --add-masquerade`

- 

- This enables masquerading for the zone. The addresses of a private

- network are mapped to and hidden behind a public IP address. This is a

- form of address translation and mostly used in routers. Masquerading is

- IPv4 only because of kernel limitations.

- 

- * Disable masquerading in a zone

- 

- ` firewall-cmd [--zone=``] --remove-masquerade`

- 

- * Query masquerading in a zone

- 

- ` firewall-cmd [--zone=``] --query-masquerade`

- 

- This command returns if it is enabled, there is no output.

- 

- * Enable ICMP blocks in a zone

- 

- ` firewall-cmd [--zone=``] --add-icmp-block=`

- 

- This enabled the block of a selected Internet Control Message Protocol

- (ICMP) message. ICMP messages are either information requests or created

- as a reply to information requests or in error conditions.

- 

- * Disable ICMP blocks in a zone

- 

- ` firewall-cmd [--zone=``] --remove-icmp-block=`

- 

- * Query ICMP blocks in a zone

- 

- ` firewall-cmd [--zone=``] --query-icmp-block=`

- 

- This command returns if it is enabled, there is no output.

- 

- * *Example:* Block echo-reply messages in the public zone:

- 

- ` firewall-cmd --zone=public --add-icmp-block=echo-reply`

- 

- * Enable port forwarding or port mapping in a zone

- 

- ` firewall-cmd [--zone=``] --add-forward-port=port=``[-``]:proto=`` { :toport=``[-``] | :toaddr=`

- 

- | :toport=[-]:toaddr=

- 

- }

- 

- The port is either mapped to the same port on another host or to another

- port on the same host or to another port on another host. The port can

- be a singe port or a port range -. The protocol is either *tcp* or

- *udp*. toport is either port or a port range -. toaddr is an IPv4

- address. Port forwarding is IPv4 only because of kernel limitations.

- 

- * Disable port forwarding or port mapping in a zone

- 

- ` firewall-cmd [--zone=``] --remove-forward-port=port=``[-``]:proto=`` { :toport=``[-``] | :toaddr=`

- 

- | :toport=[-]:toaddr=

- 

- }

- 

- * Query port forwarding or port mapping in a zone

- 

- ` firewall-cmd [--zone=``] --query-forward-port=port=``[-``]:proto=`` { :toport=``[-``] | :toaddr=`

- 

- | :toport=[-]:toaddr=

- 

- }

- 

- This command returns if it is enabled, there is no output.

- 

- * *Example:* Forward ssh to host 127.0.0.2 in the home zone

- 

- ` firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2`

- 

- [[permanent-zone-handling]]

- Permanent zone handling

- +++++++++++++++++++++++

- 

- The permanent options are not affecting runtime directly. These options

- are only available after a reload or restart. To have runtime and

- permanent setting, you need to supply both. The *--permanent* option

- needs to be the first option for all permanent calls.

- 

- * Get a list of supported permanent services

- 

- ` firewall-cmd --permanent --get-services`

- 

- * Get a list of supported permanent icmptypes

- 

- ` firewall-cmd --permanent --get-icmptypes`

- 

- * Get a list of supported permanent zones

- 

- ` firewall-cmd --permanent --get-zones`

- 

- * Enable a service in a zone

- 

- ` firewall-cmd --permanent [--zone=``] --add-service=`

- 

- This enables the service in the zone permanently. If the zone option is

- omitted, the default zone is used.

- 

- * Disable a service in a zone

- 

- ` firewall-cmd --permanent [--zone=``] --remove-service=`

- 

- * Query if a service is enabled in a zone

- 

- ` firewall-cmd --permanent [--zone=``] --query-service=`

- 

- This command returns if it is enabled, there is no output.

- 

- * *Example:* Enable service ipp-client permanently in the home zone

- 

- ` firewall-cmd --permanent --zone=home --add-service=ipp-client`

- 

- * Enable a port and protocol combination permanently in a zone

- 

- ` firewall-cmd --permanent [--zone=``] --add-port=``[-``]/`

- 

- * Disable a port and protocol combination permanently in a zone

- 

- ` firewall-cmd --permanent [--zone=``] --remove-port=``[-``]/`

- 

- * Query if a port and protocol combination is enabled permanently in a

- zone

- 

- ` firewall-cmd --permanent [--zone=``] --query-port=``[-``]/`

- 

- This command returns if it is enabled, there is no output.

- 

- * *Example:* Enable port 443/tcp for https permanently in the home zone

- 

- ` firewall-cmd --permanent --zone=home --add-port=443/tcp`

- 

- * Enable masquerading permanently in a zone

- 

- ` firewall-cmd --permanent [--zone=``] --add-masquerade`

- 

- This enables masquerading for the zone. The addresses of a private

- network are mapped to and hidden behind a public IP address. This is a

- form of address translation and mostly used in routers. Masquerading is

- IPv4 only because of kernel limitations.

- 

- * Disable masquerading permanently in a zone

- 

- ` firewall-cmd --permanent [--zone=``] --remove-masquerade`

- 

- * Query masquerading permanently in a zone

- 

- ` firewall-cmd --permanent [--zone=``] --query-masquerade`

- 

- This command returns if it is enabled, there is no output.

- 

- * Enable ICMP blocks permanently in a zone

- 

- ` firewall-cmd --permanent [--zone=``] --add-icmp-block=`

- 

- This enabled the block of a selected Internet Control Message Protocol

- (ICMP) message. ICMP messages are either information requests or created

- as a reply to information requests or in error conditions.

- 

- * Disable ICMP blocks permanently in a zone

- 

- ` firewall-cmd --permanent [--zone=``] --remove-icmp-block=`

- 

- * Query ICMP blocks permanently in a zone

- 

- ` firewall-cmd --permanent [--zone=``] --query-icmp-block=`

- 

- This command returns if it is enabled, there is no output.

- 

- * *Example:* Block echo-reply messages in the public zone:

- 

- ` firewall-cmd --permanent --zone=public --add-icmp-block=echo-reply`

- 

- * Enable port forwarding or port mapping permanently in a zone

- 

- ` firewall-cmd --permanent [--zone=``] --add-forward-port=port=``[-``]:proto=`` { :toport=``[-``] | :toaddr=`

- 

- | :toport=[-]:toaddr=

- 

- }

- 

- The port is either mapped to the same port on another host or to another

- port on the same host or to another port on another host. The port can

- be a singe port or a port range -. The protocol is either *tcp* or

- *udp*. toport is either port or a port range -. toaddr is an IPv4

- address. Port forwarding is IPv4 only because of kernel limitations.

- 

- * Disable port forwarding or port mapping permanently in a zone

- 

- ` firewall-cmd --permanent [--zone=``] --remove-forward-port=port=``[-``]:proto=`` { :toport=``[-``] | :toaddr=`

- 

- | :toport=[-]:toaddr=

- 

- }

- 

- * Query port forwarding or port mapping permanently in a zone

- 

- ` firewall-cmd --permanent [--zone=``] --query-forward-port=port=``[-``]:proto=`` { :toport=``[-``] | :toaddr=`

- 

- | :toport=[-]:toaddr=

- 

- }

- 

- This command returns if it is enabled, there is no output.

- 

- * *Example:* Forward ssh to host 127.0.0.2 in the home zone

- 

- ` firewall-cmd --permanent --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2`

- 

- [[direct-options]]

- Direct options

- ++++++++++++++

- 

- The direct options give a more direct access to the firewall. These

- options require user to know basic iptables concepts, i.e. table

- (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands

- (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets

- (ACCEPT/DROP/REJECT/...). Direct options should be used only as a last

- resort when it's not possible to use for example --add-service=service

- or --add-rich-rule='rule'. The first argument of each option has to be

- *ipv4* or *ipv6* or *eb*. With *ipv4* it will be for IPv4 (iptables(8)),

- with *ipv6* for IPv6 (ip6tables(8)) and with *eb* for ethernet bridges

- (ebtables(8)).

- 

- * Pass a command through to the firewall. can be all iptables, ip6tables

- and ebtables command line arguments

- 

- ` firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb } <args>`

- 

- * Add a new chain to a table <table>.

- 

- ` firewall-cmd [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } <table> <chain>`

- 

- * Remove a chain with name from table <table>.

- 

- ` firewall-cmd [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } <table> <chain>`

- 

- * Query if a chain with name exists in table <table>. Returns 0 if true,

- 1 otherwise.

- 

- ` firewall-cmd [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } <table> <chain>`

- 

- This command returns if it is enabled, there is no output.

- 

- * Get all chains added to table <table> as a space separated list.

- 

- ` firewall-cmd [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } <table>`

- 

- * Add a rule with the arguments to chain in table <table> with priority

- .

- 

- ` firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>`

- 

- * Remove a rule with the arguments from chain in table <table>.

- 

- ` firewall-cmd [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <args>`

- 

- * Query if a rule with the arguments exists in chain in table <table>.

- Returns 0 if true, 1 otherwise.

- 

- ` firewall-cmd [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <args>`

- 

- This command returns if it is enabled, there is no output.

- 

- * Get all rules added to chain in table <table> as a newline separated

- list of arguments.

- 

- ` firewall-cmd [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } <table> <chain>`

- 

- [[the-current-firewalld-features]]

- The current firewalld features

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- 

- [[d-bus-interface]]

- D-BUS Interface

- ^^^^^^^^^^^^^^^

- 

- The D-BUS interface gives information about the firewall state and makes

- it possible to enable, disable and query firewall settings.

- 

- [[zones]]

- Zones

- ^^^^^

- 

- A network or firewall zone defines the trust level of the interface used

- for a connection. There are several pre-defined zones provided by

- firewalld. Zone configuration options and generic file information are

- described in the firewalld.zone(5) man page.

- 

- [[services]]

- Services

- ^^^^^^^^

- 

- A service can be a list of local ports and destinations and additionally

- also a list of firewall helper modules automatically loaded if a service

- is enabled. The use of predefined services makes it easier for the user

- to enable and disable access to a service. Service configuration options

- and generic file information are described in the firewalld.service(5)

- man page.

- 

- [[icmp-types]]

- ICMP types

- ^^^^^^^^^^

- 

- The Internet Control Message Protocol (ICMP) is used to exchange

- information and also error messages in the Internet Protocol (IP). ICMP

- types can be used in firewalld to limit the exchange of these messages.

- ICMP type configuration options and generic file information are

- described in the firewalld.icmptype(5) man page.

- 

- [[direct-interface]]

- Direct interface

- ^^^^^^^^^^^^^^^^

- 

- The direct interface is mainly used by services or applications to add

- specific firewall rules.

- 

- [[runtime-configuration]]

- Runtime configuration

- ^^^^^^^^^^^^^^^^^^^^^

- 

- The runtime configuration is not permanent and will only be restored for

- a reload. After restart or stop of the service or a system reboot, these

- options will be gone.

- 

- [[permanent-configuration]]

- Permanent configuration

- ^^^^^^^^^^^^^^^^^^^^^^^

- 

- The permanent configuration is stored in config files and will be

- restored with every machine boot or service reload or restart.

- 

- [[tray-applet]]

- Tray Applet

- ^^^^^^^^^^^

- 

- The tray applet *firewall-applet* visualizes the firewall state and also

- problems with the firewall for the user. It can also be used to

- configure settings by calling *firewall-config*.

- 

- [[graphical-configuration-tool]]

- Graphical Configuration Tool

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- 

- The configuration tool *firewall-config* is the main configuration tool

- for the firewall daemon. It supports all features of the firewall

- besides the direct interface, this is handled by the service/application

- that added the rules.

- 

- [[command-line-client]]

- Command Line client

- ^^^^^^^^^^^^^^^^^^^

- 

- The command line client *firewall-cmd* supports all firewall features.

- For status and query modes, there is no output, but the command returns

- the state.

- 

- For offline use there is also *firewall-offline-cmd*. This command line

- client is creating firewalld configuration files directly and is not

- using firewalld or the D-Bus interface. It is for example used in the

- system installation process to create an initial firewall configuration

- from the kickstart settings.

- 

- [[support-for-ebtables]]

- Support for ebtables

- ^^^^^^^^^^^^^^^^^^^^

- 

- ebtables support is needed to fulfill all needs of the libvirt daemon

- and to prevent access problems between ip*tables and ebtables on kernel

- netfilter level. All these commands are accessing the same structures

- and therefore they should not be used at the same time.

- 

- [[defaultfallback-configuration-in-usrlibfirewalld]]

- Default/Fallback configuration in /usr/lib/firewalld

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- 

- This directory contains the default and fallback configuration provided

- by firewalld for icmptypes, services and zones. The files provided with

- the firewalld package should not get changed and the changes are gone

- with an update of the firewalld package. Additional icmptypes, services

- and zones can be provided with packages or by creating files.

- 

- [[system-configuration-settings-in-etcfirewalld]]

- System configuration settings in /etc/firewalld

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- 

- The system or user configuration stored here is either created by the

- system administrator or by customization with the configuration

- interface of firewalld or by hand. The files will overload the default

- configuration files.

- 

- To manually change settings of pre-defined icmptypes, zones or services,

- copy the file from the default configuration directory to the

- corresponding directory in the system configuration directory and change

- it accordingly.

- 

- If you are loading the defaults for a zone that has a default or

- fallback file, the file in /etc/firewalld will be renamed to .old and

- the fallback will be used again.

- 

- [[work-in-progress-features]]

- Work in Progress Features

- ~~~~~~~~~~~~~~~~~~~~~~~~~

- 

- [[rich-language]]

- Rich Language

- ^^^^^^^^^^^^^

- 

- The rich language provides a high level language to be able to have more

- complex firewall rules for IPv4 and IPv6 without the knowledge of

- iptables syntax.

- 

- Fedora 19 provides milestone 2 of the rich language with D-Bus and

- command line client support. The milestone 3 will also provide support

- within firewall-config, the graphical configuration program.

- 

- For more information on this, please have a look at:

- https://fedoraproject.org/wiki/Features/FirewalldRichLanguage[firewalld

- Rich Language]

- 

- [[lockdown]]

- Lockdown

- ^^^^^^^^

- 

- Lockdown adds a simple configuration setting for firewalld to be able to

- lock down configuration changes from local applications or services. It

- is a very light version of application policies.

- 

- Fedora 19 provides milestone 2 of the lockdown feature with D-Bus and

- command line client support. The milestone 3 will also provide support

- within firewall-config, the graphical configuration program.

- 

- For more information on this, please have a look at:

- https://fedoraproject.org/wiki/Features/FirewalldLockdown[firewalld

- Lockdown]

- 

- [[permanent-direct-rules]]

- Permanent Direct Rules

- ^^^^^^^^^^^^^^^^^^^^^^

- 

- This feature is in early state. It provides the ability to permanently

- save direct rules and chains. Passthorough rules are not part of this.

- See link:Direct_options[Direct options] for more information on direct

- rules.

- 

- [[migration-from-iptables-and-ebtables-services]]

- Migration from ip*tables and ebtables services

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- 

- This feature is in an very early state. It will provide a conversion

- script that creates direct permanent rules from the iptables, ip6tables

- and ebtables service configurations as far as possible. A limitation

- here might be the integration into the direct chains firewalld provides.

- 

- This needs lots of tests at best also from more complex firewall

- configurations.

- 

- [[planned-and-proposed-features]]

- Planned and Proposed Features

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- 

- [[firewall-abstraction-model]]

- Firewall Abstraction Model

- ^^^^^^^^^^^^^^^^^^^^^^^^^^

- 

- Adding an abstraction layer on top of ip*tables and ebtables firewall

- rules makes adding rules simple and more intuitive. The abstraction

- layer needs to be powerful, but also simple, which makes this not an

- easy task. A firewall language has to gen invented for this. Firewall

- rules have a fixed position and querying generic information about

- access state, access policies for ports and other firewall features is

- possible.

- 

- [[support-for-conntrack]]

- Support for conntrack

- ^^^^^^^^^^^^^^^^^^^^^

- 

- Conntrack is needed to be able to terminate established connections for

- features that get disabled. For some use cases it might not be good to

- terminate the connection: Enabling of a firewall service for a limited

- time to establish a persistent external connection.

- 

- [[user-interaction-mode]]

- User interaction mode

- ^^^^^^^^^^^^^^^^^^^^^

- 

- This is a special mode of in the firewall the user or admin can enable.

- All requests of applications to alter the firewall are directed to the

- user to get notified and granted or denied. It is possible to set a time

- limit for the acceptance of a connection and to limit it to hosts,

- networks or connections. It can be saved to behave the same in the

- future without notification.

- 

- An additional feature of this mode is direct external connection

- attempts on preselected services or ports to the user with the same

- features as the application initiated requests. The limitation on

- services and ports will also limit the amount of requests sent to the

- user.

- 

- [[user-policy-support]]

- User policy support

- ^^^^^^^^^^^^^^^^^^^

- 

- The administrator can define which users are able to use the User

- Interaction Mode and can also limit the firewall features, that can be

- used with it.

- 

- [[port-metadata-information-proposed-by-lennart-poettering]]

- Port metadata information (proposed by Lennart Poettering)

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- 

- To have a port independent metadata information would be good to have.

- The current model with a static assignment of ports and protocols from

- /etc/services is not a good solution and is not reflecting current use

- cases. Ports in applications or services are dynamic and therefore the

- port itself does not describe the use case.

- 

- This metadata information could be used to form simple rules for the

- firewall. Here are some examples:

- 

- ` allow external access to file sharing applications or services` +

- ` allow external access to music sharing applications or services` +

- ` allow external access to all sharing applications or services` +

- ` allow external access to torrent file sharing applications or services` +

- ` allow external access to http web services`

- 

- The metadata information here could not only be application specific,

- but also a group of use cases. For example the "all sharing" group or

- the "file sharing" group could match all sharing or file sharing

- applications, for example torrent file sharing. These are examples,

- therefore it might be that they are not useful.

- 

- There are two possible solutions to get metadata information in the

- firewall:

- 

- The first is to add it to netfilter (kernel space). This has the

- advantage, that it can be used by everyone, but also limits the use. To

- get user or system specific information into account, all these need to

- be implemented in kernel space also.

- 

- The other one would be to add this to a firewall daemon. These abstract

- rules could be used together with information like the trust level of

- the network connections, the user decision to share with as specific

- person/host or the hard rule of the administrator to forbid sharing

- completely.

- 

- The second solution would have the advantage that new metadata groups or

- changes in incorporation of trust levels, user preferences or

- administrator rules would not require to push a new kernel. Adding these

- kind of abstract rules to a firewall daemon would make it much more

- flexible. Even new security levels would be easy to add without kernel

- updates.

- 

- [[sysctld]]

- sysctld

- ^^^^^^^

- 

- At the moment there are sysctl settings that are not properly applied.

- This happens if the module providing the setting is not loaded at boot

- time when rc.sysinit runs or it the module gets reloaded at runtime.

- Another example is net.ipv4.ip_forward, which is needed for example for

- specific firewall settings, libvirt and also user/admin changes. If

- there are two apps or daemons enabling ip_forwarding only if needed,

- then it could happen that one of them is turning it off again without

- knowing that there is another one, that still needs it turned on.

- 

- The sysctl daemon could solve this by having an internal use count for

- settings, that will make it possible to turn it off or go to the

- previous setting again if the requester reverted the request to change

- it.

- 

- [[firewall-rules]]

- Firewall Rules

- ~~~~~~~~~~~~~~

- 

- Netfilter firewalls are always susceptible to rule ordering issues,

- because a rule does not have a fixed position in a chain. The position

- can change if other rules are added or removed in a position before that

- rule.

- 

- In the static firewall model a firewall change is recreating a clean and

- sane firewall setup limited to the features directly supported by

- system-config-firewall / lokkit. Firewall rules created by other

- applications are not integrated and s-c-fw / lokkit does not know about

- them if the customs rules file feature is not in use. Default chains are

- used and there is no safe way to add and remove rules without

- interfering with others.

- 

- The dynamic model has additional chains for the firewall features. These

- specific chains are called in a defined ordering and rules added to a

- chain could not interfere with reject or drop rules in chains that were

- called before. This makes it possible to have a more sane firewall

- configuration.

- 

- Here are example rules created by the daemon in the filter table with

- ssh, ipp-client and mdns enabled in the public zone, all other zones

- have been removed to simplify and shorten the output:

- 

- ` *filter` +

- ` :INPUT ACCEPT [0:0]` +

- ` :FORWARD ACCEPT [0:0]` +

- ` :OUTPUT ACCEPT [0:0]` +

- ` :FORWARD_ZONES - [0:0]` +

- ` :FORWARD_direct - [0:0]` +

- ` :INPUT_ZONES - [0:0]` +

- ` :INPUT_direct - [0:0]` +

- ` :IN_ZONE_public - [0:0]` +

- ` :IN_ZONE_public_allow - [0:0]` +

- ` :IN_ZONE_public_deny - [0:0]` +

- ` :OUTPUT_direct - [0:0]` +

- ` -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` +

- ` -A INPUT -i lo -j ACCEPT` +

- ` -A INPUT -j INPUT_direct` +

- ` -A INPUT -j INPUT_ZONES` +

- ` -A INPUT -p icmp -j ACCEPT` +

- ` -A INPUT -j REJECT --reject-with icmp-host-prohibited` +

- ` -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` +

- ` -A FORWARD -i lo -j ACCEPT` +

- ` -A FORWARD -j FORWARD_direct` +

- ` -A FORWARD -j FORWARD_ZONES` +

- ` -A FORWARD -p icmp -j ACCEPT` +

- ` -A FORWARD -j REJECT --reject-with icmp-host-prohibited` +

- ` -A OUTPUT -j OUTPUT_direct` +

- ` -A IN_ZONE_public -j IN_ZONE_public_deny` +

- ` -A IN_ZONE_public -j IN_ZONE_public_allow` +

- ` -A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT` +

- ` -A IN_ZONE_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT` +

- ` -A IN_ZONE_public_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT`

- 

- Used is a deny/allow model to have a clear behaviour and at best no rule

- interferences. Icmp blocks for example will go to the

- IN_ZONE_public_deny chain if set for the public zone and will be handled

- before the rules in the IN_ZONE_public_allow chain.

- 

- This model makes it more easy to add or remove rules from a specific

- block without interfering with accept or drop rules from another block.

- 

- Category:FirewallD

- '''

- 

- See a typo, something missing or out of date, or anything else which can be

- improved? Edit this document at https://pagure.io/fedora-docs/quick-docs.

+ You can also find local documentation by using `firewall-cmd --help` or the man pages: `man firewalld` 

\ No newline at end of file
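Review bot: Please confirm the rewritten firewalld.adoc still tells readers that `--permanent` changes do not touch the runtime configuration until a reload or restart, and that both forms are needed to get both. The removed "Permanent zone handling" paragraph in this hunk was where that was stated, and an admin who misses it can believe a rule is active when it is not. The same applies to the removed caveat that the direct options are a last resort after `--add-service` and `--add-rich-rule`. Smaller points on the one added line at the end of the hunk: it ends with a trailing space, the file has no final newline, and `man firewalld` documents the daemon, so the command-line syntax this line advertises would be better served by also naming `man firewall-cmd`.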

file modified
+154 -108
@@ -1,154 +1,200 @@ 

- = How to reset a root password

+ [[chap-how-to-reset-a-root-password]]

+ = How to Reset the root Password

  

- '''

+ Setting up a root password is one of the steps when installing Fedora.

+ If you forget, or lose, the root password, there are two common methods to reset it:

  

- [IMPORTANT]

- ======

+ * In Rescue Mode

  

- This page was automatically converted from https://fedoraproject.org/wiki/How_to_reset_a_root_password

+ * Using a Fedora Live Media (USB/DVD/CD)

  

- It is probably

  

- * Badly formatted

- * Missing graphics and tables that do not convert well from mediawiki

- * Out-of-date

- * In need of other love

+ [[sect-how-to-reset-the-password-from-emergency-or-single-user-mode]]

+ == How to reset the root password in Rescue Mode

  

+ [NOTE]

  

- Pull requests accepted at https://pagure.io/fedora-docs/quick-docs

+ ====

  

- Once you've fixed this page, remove this notice, and update

- `_topic_map.yml`.

+ Changing passwords as root does not prompt for the old password.

  

- Once the document is live, go to the original wiki page and replace its text

- with the following macro:

+ ====

  

- ....

- {{#fedoradocs: https://docs.fedoraproject.org/whatever-the-of-this-new-page}}

- ....

+ While booting the system the link:++grub2.html++[GRUB2] menu will be displayed.

+ To boot the system into rescue mode using `bash` follow these steps:

  

- ======

+ . Use the arrow keys to select the boot entry you want to edit

  

- '''

+ . Press *e* to edit that entry

  

+ . Use the arrow keys to go to the line that starts with `linux`, `linux16`, or `linuxefi`

  

- Setting up a root password is a mandatory part of a Fedora installation.

- If you forget or otherwise lose your root password, there are procedures

- to reset it.

+ . Go the the end of that line, add a space then type `rw init=/bin/bash`.

+ If your disk is encrypted, you may need to add `plymouth.enable=0`

  

- * If you have set a password for your boot loader, refer to

- link:#using-installation-cd-dvd[ this section].

- * If you want to reset the boot loader password, refer to

- link:Reset_Bootloader_Password[ these instructions].

- * If none of these scenarios apply to you, proceed to

- link:#Entering_Rescue_Mode[ the next section].

+ . Press *Ctrl-x* or *F10* to boot that entry

  

- Fedora uses _targets_ to determine the services being run when you start

- your system. Run level 1 can be used as a rescue mode. Booting Linux

- under run level 1, which is also called _single user mode_, will display

- a root prompt on bootup, from which you can reset the root password.

+ . Run the command:

+ +

+ [source,bash]

  

- [[entering-rescue-mode]]

- Entering Rescue Mode

- ~~~~~~~~~~~~~~~~~~~~

+ ----

  

- [[using-grub2]]

- Using GRUB2

- ^^^^^^^^^^^

+ passwd

  

- While booting the system the GRUB2 menu will be displayed, to boot the

- system using bash follow these steps:

+ ----

+ +

+ It will prompt you to enter the new root password twice.

  

- * Use the arrow keys to select the boot entry you want to edit

- * Press *e* to start editing that entry

- * Use the arrow keys to go to the line that starts with *linux* or

- *linux16*

- ** If you have a UEFI system it's the line that starts with *linuxefi*

- * Go the the end of that line add a space then *rw* then another space

- and *init=/bin/bash*

- ** If your disk is encrypted, you may need to add *plymouth.enable=0* as

- well

- * Press *Ctrl-x* or *F10* to boot that entry

+ . Restore the SELinux context and permissions with:

+ +

+ [source,bash]

  

- [[changing-root-password]]

- Changing root password

- ~~~~~~~~~~~~~~~~~~~~~~

+ ----

  

- As root, changing password does not ask for your old password. Run the

- command:

+ touch /.autorelabel

  

- ....

- # passwd

- ....

+ ----

  

- Enter your new root password twice. Congratulations! You now have now

- reset your root password.

+ +

  

- To make sure that selinux context of file which were now modified is

- restored properly after reboot, run:

+ [WARNING]

  

- ....

- # touch /.autorelabel

- ....

+ ====

  

- You can than reboot the machine with

+ If you do not restore the SELinux permissions, the boot process may fail.

+ You may have to do a hard-reboot and start back at step 1.

  

- ....

- # /sbin/reboot -f

- ....

+ ====

  

- [[reset-password-using-a-fedora-cddvd]]

- Reset Password Using a Fedora CD/DVD

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ . Reboot the machine with:

+ +

+ [source,bash]

  

- [[using-any-of-the-fedora-live-media]]

- Using any of the Fedora Live Media

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

+ ----

  

- * Boot the Live installation media

- * After it finishes booting and starts the live session, open a terminal

- and switch to root (using `su`, it won't ask for a password)

- * Create a directory where you can mount the filesystem of your

- installation:

+ /sbin/reboot -f

  

- `mkdir /mnt/sysimage`

+ ----

  

- * Mount the filesystem of your installation (/dev/sda1 is just an

- example, be sure to fill in the actual device node of your installation

- root */* partition):

+ The system may take a while to boot as SELinux will be relabeling its permissions on the filesystem.

+ If you see the Plymouth boot screen you can press the `ESC` key on your keyboard to view the SELinux progress.

+ Once it is complete, your system is ready and your root password has been successfully changed.

  

- `mount /dev/sda1 /mnt/sysimage`

+ [[sect-reset-password-using-the-fedora-live-media]]

+ == How to reset the root password with a Fedora Live Media

  

- * chroot to your installation:

+ [NOTE]

  

- `chroot /mnt/sysimage/`

+ ====

  

- * Change the root password:

+ To download and create a live USB of Fedora Workstation, follow the instructions on the link:++live-usb.html++[Fedora USB Live Media Quick Doc].

  

- `passwd`

+ ====

  

- * Exit from the chroot:

+ . Boot the Live installation media and choose `Try Fedora`

  

- `exit`

+ . From the desktop, open a terminal and switch to root using `su` (it won't ask for a password)

  

- That's it, simply reboot your system and then boot the installation from

- the HDD as usual.

+ . To view your hard drive device nodes, in the terminal type: `df -H`.

+ For this example we will use `/dev/sda1` for the `/boot` partition and `/dev/sda2` for the root `/` partition.

+ +

+ If you are using LVM partitions, type: `sudo lvscan` and note the `/dev` path of your root partition.

+ For this example we will use `/dev/fedora/root`.

  

- [[reset-password-when-bios-is-password-protected]]

- Reset Password When BIOS is Password Protected

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ . Create a directory for the mount point (use the `-p` option to create subdirectories):

+ +

+ [source,bash]

  

- If you cannot enter rescue mode because you forgot the BIOS password

- required to select an alternate boot device, you have three options:

+ ----

  

- * Refer to your computer's documentation for instructions on resetting

- the BIOS password in CMOS memory, usually by moving a physical jumper.

- * Physically change the boot order.

- * Temporarily move the system hard disk to another machine, and follow

- the procedures above to reset the root password.

+ mkdir -p /mnt/sysimage/boot

  

- Category:How_to

- '''

+ ----

  

- See a typo, something missing or out of date, or anything else which can be

- improved? Edit this document at https://pagure.io/fedora-docs/quick-docs.

+ . Mount the `/` (root) partition (be sure to use the actual device node or LVM path of your root `/` partition):

+ +

+ To mount root on a *standard partition* scheme enter:

+ +

+ [source,bash]

+ 

+ ----

+ 

+ mount /dev/sda2 /mnt/sysimage 

+ 

+ ----

+ +

+ To mount root on an *LVM partition* scheme enter:

+ +

+ [source,bash]

+ 

+ ----

+ 

+ mount /dev/fedora/root /mnt/sysimage

+ 

+ ----

+ 

+ . Continue the process by mounting `/boot`, `proc`, `/dev`, and `/run` with:

+ +

+ [source,bash]

+ 

+ ----

+ 

+ mount /dev/sda1 /mnt/sysimage/boot

+ 

+ mount -t proc none /mnt/sysimage/proc

+ 

+ mount -o bind /dev /mnt/sysimage/dev

+ 

+ mount -o bind /run /mnt/sysimage/run

+ 

+ ----

+ 

+ . `chroot` to the mounted root partition with:

+ +

+ [source,bash]

+ 

+ ----

+ 

+ chroot /mnt/sysimage /bin/bash

+ 

+ ----

+ 

+ . Change the root password:

+ +

+ [source,bash]

+ 

+ ----

+ 

+ passwd

+ 

+ ----

+ 

+ . Exit out of chroot with:

+ +

+ [source,bash]

+ 

+ ----

+ 

+ exit

+ 

+ ----

+ +

+ and exit out of the terminal.

+ 

+ . Reboot your system and boot from the hard drive.

+ 

+ Congratulations, your root password has been successfully changed.

+ 

+ [[sect-additional-troubleshooting]]

+ == Additional Troubleshooting

+ 

+ . If you cannot enter rescue mode because you forgot the Firmware/BIOS password here are some options:

+ 

+ .. Refer to your computer's documentation for instructions on resetting the Firmware/BIOS password in CMOS memory.

+ 

+ .. Temporarily move the system hard disk to another machine, and follow the procedures above to reset the root password.

+ 

+ . If you have set a password for your boot loader, refer to link:++creating-and-using-a-live-installation-image.html++[Creating and Using a Live Installation Image].

+ 

+ . If you want to reset the boot loader password, refer to the instructions on how to link:++https://fedoraproject.org/wiki/Reset_Bootloader_Password++[Reset the Bootloader Password]. 

\ No newline at end of file
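Review bot: The Live Media procedure runs `passwd` inside the chroot and then goes straight to `exit` and reboot, with no SELinux relabel step, while the Rescue Mode procedure in the same file adds `touch /.autorelabel` and warns that the boot may fail without it. Either add the same step before `exit` in the chroot, or say why it is not needed there, so the two procedures do not contradict each other. Other points in this hunk: "Go the the end of that line" in the `rw init=/bin/bash` step carries over a typo from the old text; the anchor `sect-how-to-reset-the-password-from-emergency-or-single-user-mode` no longer matches its heading "in Rescue Mode"; and several `[source,bash]` lines and the `+` before `[WARNING]` are followed by a blank line before the block they introduce, so please check the rendered page to make sure those blocks stay attached to their list steps and the numbering does not restart. The Live Media steps also leave `/mnt/sysimage` and its bind mounts mounted at reboot; a short unmount step after `exit` would be tidier.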

file modified
+65 -157
@@ -1,176 +1,84 @@ 

+ [[ch-Upgrading]]

  = Upgrading

  

- '''

- 

  [IMPORTANT]

- ======

+ ====

  

- This page was automatically converted from https://fedoraproject.org/wiki/Upgrading

+ . Be sure to *back-up your data* before upgrading your Fedora system in the event something breaks and leaves your system unusable.

+ . Read the link:++https://fedoraproject.org/wiki/Releases#Current_Supported_Releases++[Release

+ Notes] carefully before attempting an upgrade.

  

- It is probably

+ ====

  

- * Badly formatted

- * Missing graphics and tables that do not convert well from mediawiki

- * Out-of-date

- * In need of other love

  

+ [[sect-upgrading-to-the-next-fedora-workstation-release]]

+ == Upgrading to the next Fedora Workstation release

  

- Pull requests accepted at https://pagure.io/fedora-docs/quick-docs

+ As of Fedora Workstation 23, when the next stable release is available a graphical notification will appear similar to the update notifications.

+ Clicking this, or running the _Software_ application and going to the _Updates_ pane, will display a simple graphical interface for upgrading the system.

+ It will download the upgrade files, then prompt for a reboot to install them, similar to a system update.

+ When the upgrade is complete, the system will automatically reboot into the new release.

  

- Once you've fixed this page, remove this notice, and update

- `_topic_map.yml`.

+ image:Upgradef24f25-gs.png[Upgradef24f25-gs.png,title="Upgradef24f25-gs.png",width=640]

  

- Once the document is live, go to the original wiki page and replace its text

- with the following macro:

+ [[sect-upgrading-using-the-dnf-system-upgrade-plugin]]

+ == Upgrading using the DNF System Upgrade plugin

  

- ....

- {{#fedoradocs: https://docs.fedoraproject.org/whatever-the-of-this-new-page}}

- ....

+ This method is used to upgrade Fedora Workstation from the command-line.

+ It is also used to troubleshoot issues with packages preventing the graphical method from upgrading.

  

- ======

+ For instructions on upgrading with the DNF system upgrade plugin, refer to the link:++dnf-system-upgrade.html++[DNF System Upgrade Quick Doc].

  

- '''

+ [[sect-upgrading-the-fedora-atomic-host-via-rpm-ostree]]

+ == Upgrading the Fedora Atomic Host via rpm-ostree

  

+ For instructions on upgrading Fedora Atomic Host installations between Fedora releases, refer to the link:++atomic-host-upgrade.html++[Atomic Host Upgrade Quick Doc].

  

- [[upgrading-fedora-workstation]]

- Upgrading Fedora Workstation

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ [[sect-can-i-upgrade-between-fedora-releases-using-only-dnf]]

+ == Can I upgrade between Fedora releases using only DNF?

  

- Fedora Workstation 23 and later include a graphical system upgrade

- mechanism. When a newer stable release is available, you should see a

- graphical notification, similar to the ones you see for system updates.

- Clicking this, or running the _Software_ application and going to the

- _Updates_ pane, should show you a simple graphical interface for

- upgrading the system. It will first download the upgrade files, then

- prompt you to reboot the system and install them, again in similar

- fashion to a system update. When the upgrade is complete, the system

- will reboot again to the new release.

+ Upgrading between Fedora releases without the link:++dnf_system_upgrade.html++[DNF system upgrade plugin] is not tested by the Fedora QA team.

+ Any issues using this method are not considered blockers for a release but in practice works for many users.

  

- image:Upgradef24f25-gs.png[Upgradef24f25-gs.png,title="Upgradef24f25-gs.png",width=640]

+ [[sect-can-i-update-from-a-pre-release-alpha-beta-or-other-development-snapshot-to-the-final-release]]

+ == Can I update from a pre-release (Alpha, Beta, or other development snapshot) to the final release?

  

- [[upgrading-with-dnf-system-upgrade-plugin]]

- Upgrading with DNF system upgrade plugin

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- 

- For instructions on upgrading with the DNF system upgrade plugin, refer

- to link:DNF_system_upgrade[the dedicated page]. This mechanism can also

- be used for Fedora Workstation upgrades if you prefer a command-line

- tool or if you need to try and analyze some kind of package issue that

- seems to be preventing the graphical method from working.

- 

- [[online-rebases-for-fedora-atomic-host-via-rpm-ostree]]

- Online rebases for

- https://getfedora.org/en/cloud/download/atomic.html[Fedora Atomic Host]

- via rpm-ostree

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- 

- For instructions on upgrading Fedora Atomic Host installations between

- Fedora releases, refer to link:Atomic_Host_upgrade[the dedicated page].

- 

- [[online-upgrade-with-pure-dnf]]

- Online upgrade with pure DNF

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- 

- Upgrading from one release to the next using directly, without the DNF

- system upgrade plugin, is not explicitly tested by Fedora QA and issues

- with it are not considered blockers for a release, but in practice it

- works for many users. To learn more, refer to

- link:Upgrading_Fedora_using_package_manager[Upgrading Fedora using dnf].

- 

- [[updating-from-a-pre-release-alpha-beta-or-other-development-snapshot-to-the-final-release]]

- Updating from a pre-release (Alpha, Beta, or other development snapshot)

- to the final release

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- 

- If you are using a pre-release of Fedora, and want to know more about

- upgrading to the final release, refer to

- link:Upgrading_from_pre-release_to_final[Upgrading from pre-release to

- final]. This is not technically an 'upgrade' operation, it is simply an

- update, but there are some special considerations involved in making

- sure you stay on the update track you intend to use, which are

- documented on this page.

- 

- [[tips]]

- Tips

- ~~~~

- 

- * Ensure you have a good backup of your data.

- 

- * Ensure you read the

- http://docs.fedoraproject.org/en-US/Fedora/%7B%7BFedoraVersionNumber%7D%7D/html/Release_Notes/[Release

- Notes] carefully before attempting an upgrade.

+ If you are using a pre-release of Fedora, and want to know more about upgrading to the final release, refer to the

+ link:++https://fedoraproject.org/wiki/Upgrading_from_pre-release_to_final++[Upgrading from pre-release to final] page.

+ This is technically not an 'upgrade' operation, but an update.

+ There are some special considerations involved in making sure you stay on the update track you intend to use, which are documented on that page.

+ 

+ [[sect-how-do-i-upgrade-to-rawhide-and-branched]]

+ == How do I upgrade to Rawhide and Branched?

+ 

+ link:++https://fedoraproject.org/wiki/Releases/Rawhide++[Rawhide] and link:++https://fedoraproject.org/wiki/Releases/Branched++[Branched] are the development releases of Fedora.

+ They are suitable for users developing or testing Fedora before public release.

+ They are *NOT SUITABLE* for regular day-to-day use unless you are a fairly experienced user, and certainly not suitable for mission-critical use.

+ You should read through those pages carefully before deciding to run Branched or Rawhide.

+ See the link:++fedora-life-cycle.html++[Fedora Life Cycle Quick Doc] for more information on how the whole Fedora cycle works from Rawhide, to Branched, to the milestone releases (Alpha and Beta), to a 'final' release.

+ 

+ Upgrading to a Branched release or to Rawhide can be done with the link:++dnf_system_upgrade.html++[DNF system upgrade plugin].

+ Carefully read this page as there are some special notes to ensure a successful upgrade.

+ 

+ [[sect-can-i-upgrade-using-the-fedora-installer-anaconda]]

+ == Can I upgrade using the Fedora installer (anaconda)?

+ 

+ Fedora releases up to Fedora 17 included upgrade functionality in the Fedora installer, anaconda.

+ This can be a better choice than a package manager upgrade for some End Of Life (EOL) upgrades.

+ If you are attempting to upgrade from Fedora 16 or older, it is highly recommended to upgrade to Fedora 16 and perform an installer upgrade from Fedora 16 to Fedora 17 before upgrading any further.

+ 

+ To upgrade using the installer, boot the system from a network install or DVD image for the target release, and run through the initial steps of the install process.

+ After you select storage devices the installer should offer you the option to upgrade the installed system.

+ 

+ [IMPORTANT]

+ ====

+ 

+ If your installation is located on a 'specialized' storage device, be sure to configure and select it.

+ 

+ ====

+ 

+ [[sect-upgrading-from-end-of-life-releases]]

+ == Can I upgrade from an End Of Life (EOL) release?

  

- [[upgrading-to-rawhide-and-branched]]

- Upgrading to Rawhide and Branched

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- 

- link:Releases/Rawhide[Rawhide] and link:Releases/Branched[Branched] are

- the development releases of Fedora. They are suitable for people who are

- developing or testing Fedora before broad public release. They are *NOT

- SUITABLE* for regular day-to-day use unless you are a fairly experienced

- user, and certainly not suitable for mission-critical use. You should

- read through those pages carefully before deciding to run Branched or,

- particularly, Rawhide. See link:Fedora_Release_Life_Cycle[Fedora Release

- Life Cycle] for more information on how the whole Fedora cycle works

- from Rawhide, to Branched, to the milestone releases (Alpha and Beta),

- to a 'final' release.

- 

- If you are sure you want to do it, upgrading to a Branched release or to

- Rawhide can be done with link:DNF_system_upgrade[DNF system upgrade]

- just like upgrading to a newer stable release. There are just a couple

- of special notes that are covered in the instructions.

- 

- [[upgrading-from-end-of-life-releases]]

- Upgrading from link:End_of_life[End of life] releases

- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- 

- Note that Fedora strongly recommends against ever running an end-of-life

- release on any production system, or any system connected to the public

- internet, in any circumstances. You should never allow a production

- Fedora deployment to reach end-of-life in the first place.

- 

- With that in mind, if you do have an end-of-life release installed on a

- system you cannot just discard or re-deploy, you can attempt to upgrade

- it, though this is not officially tested or supported.

- 

- If you have Fedora 21 or later, you can try to upgrade using

- link:DNF_system_upgrade#eol[DNF system upgrade].

- 

- If you have Fedora 20 or earlier, you will have to perform at least part

- of the upgrade with

- link:Upgrading_from_EOL_Fedora_using_package_manager[bare ]. You can

- either use that method to upgrade to Fedora 21 or later and then use

- link:DNF_system_upgrade[DNF system upgrade] to upgrade from there to a

- currently-supported release, or just use bare or for the entire upgrade

- process.

- 

- Note that when upgrading from Fedora 20 or earlier, you are both

- upgrading from an end-of-life release and using a

- not-officially-recommended upgrade mechanism; such upgrades are very

- much performed 'at your own risk' and may well require various kinds of

- manual intervention to run and clean up the upgraded system, if they

- work at all.

- 

- [[upgrading-using-the-fedora-installer-anaconda]]

- Upgrading using the Fedora installer (anaconda)

- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- 

- Fedora releases up to Fedora 17 included upgrade functionality in the

- Fedora installer, anaconda. This can be a better choice than

- link:Upgrading_from_EOL_Fedora_using_package_manager[a package manager

- upgrade] for some EOL upgrades, especially upgrades to Fedora Core 2,

- Fedora Core 3, and Fedora 17. If you are attempting to upgrade from

- Fedora 16 or older, it is highly recommended to upgrade to Fedora 16 and

- then perform an installer upgrade from Fedora 16 to Fedora 17 before

- upgrading any further.

- 

- To upgrade using the installer, boot the system from a network install

- or DVD image for the target release, and run through the initial steps

- of the install process. After you select storage devices - if your

- install is located on a 'specialized' storage device, ensure to

- configure and select it - the installer should offer you the option to

- upgrade the installed system.

- '''

- 

- See a typo, something missing or out of date, or anything else which can be

- improved? Edit this document at https://pagure.io/fedora-docs/quick-docs.

+ Fedora strongly discourages running an end-of-life release on any production system, or any system connected to the public internet.

+ For more information, see the link:++dnf_system_upgrade.html++[DNF System Upgrade Quick Doc].
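Review bot: The links to the DNF system upgrade page use two different targets in this file: `dnf-system-upgrade.html` in the "Upgrading using the DNF System Upgrade plugin" section, but `dnf_system_upgrade.html` in the pure-DNF, Rawhide/Branched and EOL sections. The topic map entry is `File: dnf-system-upgrade`, so the underscore form is likely a dead link; please use the hyphenated name throughout. Also, the sentence "Any issues using this method are not considered blockers for a release but in practice works for many users" needs a subject for "works", and "Carefully read this page" in the Rawhide section should name the page it means. The new EOL section drops the old guidance that distinguished Fedora 21 or later from Fedora 20 or earlier; confirm the linked doc covers that case before removing it here.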

no initial comment

Greetings from docs-ci! The temporary URL for this PR is ready at: http://fedora-docs-quick-docs-pr37-fedora-docs.apps.ci.centos.org

BuildID: 142

@sassam would you mind splitting this PR if these articles don't require each other. Also, can you rebase this? I am happy to help with both.

Hi @bex, sorry for the delay in replying. Is there an easy way to split the PRs without having to remove the fork? Also, how do I rebase? I did a git rebase origin/master but I'm not seeing any changes to the local files. I'm sorry for the elementary questions, but I'm not yet in tune with how git works. It's still a bit confusing. I appreciate any help you can give me.

Hi @bex, sorry for the delay in replying.

no worries

Is there an easy way to split the PRs without having to remove the fork?

Depending on what needs splitting, I would rebase first.

Rebasing should work like this if your remote to the upstream is called upstream.

git checkout master
git fetch upstream
git rebase -i upstream/master
<there should be no conflicts>
git checkout sassam-quickdocs
git rebase -i master
<resolve conflicts if any>

Then something like this to split the PR:

git checkout sassam-quickdocs
git checkout -b NEW-BRANCH-NAME
<edit this to contain only the edits to contain a logical grouping of edits>
git add ...
git commit 
<at this point you may want to squash commits to get it down to one commit.  that is:
git rebase -i master
change everything after the first line from "pick" to "s">
git push -u origin NEW-BRANCH-NAME
<create a new PR>

Repeat that for each logical group of edits but the last one. For the last one, clean up this branch. Something like:

git checkout sassam-quickdocs
<edit this to contain only the edits to contain a logical grouping of edits>
git add ...
git commit 
<at this point you may want to squash commits to get it down to one commit.  that is:
git rebase -i master
change everything after the first line from "pick" to "s">
git push -f origin sassam-quickdocs
<The PR auto-updates, but may need a comment from you to tell other humans it is ready for review again>

Also, how do I rebase? I did a git rebase origin/master but I'm not seeing any changes to the local files. I'm sorry for the elementary questions, but I'm not yet in tune with how git works. It's still a bit confusing. I appreciate any help you can give me.

see above. Let me know if that works or if we need some synchronous time.

Thank you for the guide @bex. I'm starting to understand the flow and functionality of git more clearly now. Everything looks good and the documents have been separated into individual PRs. I will alert the masses for review. Cheers!

Closing this as the split PRs have merged.

Pull-Request has been closed by bex

5 years ago