PR#25: rawhide: tell anaconda to leave firewall alone - fedora-lorax-templates

fedora-lorax-templates

#25 rawhide: tell anaconda to leave firewall alone

Merged 6 years ago by mohanboddu. Opened 6 years ago by dustymabe.

dustymabe/fedora-lorax-templates dusty-rawhide into master

tell anaconda to leave firewall alone

Dusty Mabe • 6 years ago

03b84dd

ostree-based-installer/lorax-configure-repo.tmpl

file modified

		`@@ -1,6 +1,7 @@`
		`## Lorax template to configure Anaconda to:`
		`## 1) Use the repository we embedded in the ISO`
		`## 2) Work around https://bugzilla.redhat.com/show_bug.cgi?id=1193590`
		`+ ## 3) Tell anaconda to leave the firewall set up as it was in the ostree`

		`## Args:`
		`## - ostree_osname - the name of the os/name of remote`
		`@@ -11,6 +12,7 @@`

		`<%page args="ostree_osname, ostree_install_repo, ostree_update_repo, ostree_install_ref, ostree_update_ref"/>`
		`append usr/share/anaconda/interactive-defaults.ks "ostreesetup --nogpg --osname=${ostree_osname} --remote=${ostree_osname} --url=file:///ostree/repo --ref=${ostree_update_ref}"`
		`+ append usr/share/anaconda/interactive-defaults.ks "firewall --use-system-defaults"`

		`append usr/share/anaconda/interactive-defaults.ks "%post --erroronfail"`
		`append usr/share/anaconda/interactive-defaults.ks "rm -f /etc/ostree/remotes.d/${ostree_osname}.conf"`

dustymabe commented 6 years ago

Take advantage of firewall --use-system-defaults [1]
so that we can embed firewalld [2] but leave it disabled.

[1] https://github.com/rhinstaller/anaconda/pull/1271
[2] https://pagure.io/fedora-atomic/pull-request/103

walters commented 6 years ago

OK, and just to sanity check, this should leave firewalld enabled by default for FAW? It does look like the tree has it by default:

ostree ls -R fedora-27:fedora/27/x86_64/workstation /usr/etc/systemd/system|grep fir
l00777 0 0      0 /usr/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service -> /usr/lib/systemd/system/firewalld.service
l00777 0 0      0 /usr/etc/systemd/system/multi-user.target.wants/firewalld.service -> /usr/lib/systemd/system/firewalld.service

dustymabe commented 6 years ago

OK, and just to sanity check, this should leave firewalld enabled by default for FAW? It does look like the tree has it by default

actually yes!! I had not considered FAW at all in all of this, but this should work perfectly for that case. Now I'm really glad we did the extra work to get the plumbing into anaconda.

walters commented 6 years ago

LGTM, thanks!