Bug
Resolution: Unresolved
rhel-9.6
Low
image-builder
All
What were you trying to do that didn't work?
After adding firewall rules to the blueprint of an already existing edge-commit, the config file is not reflected after the `rpm-ostree upgrade`.
Initially, the ostree does not contain any config file:
# ll /sysroot/ostree/deploy/rhel/deploy/6013633faae4f4cd44bfd1aae14c40776e340f4621a2a11ed6e909af28236c95.0/usr/etc/firewalld/zones/
total 0
Presumably, the defaults may have been created by firewalld at boot time (which is installed by default):
# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <forward/>
</zone>
It is then seen as [A]dded by `ostree admin config-diff`:
# ostree admin config-diff | grep firewalld
A firewalld/zones/public.xml
A firewalld/zones/public.xml.old
If you update your ostree repo with a set of firewall rules in your blueprint and then run `rpm-ostree upgrade` on the device, the change is reflected in the default /usr/etc:
# cat /sysroot/ostree/deploy/rhel/deploy/5987ca8b798e96719ca7bcdaff03b0b047a70a1f651d0b54e0852654d3c31a7e.1/usr/etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <service name="http"/>
  <service name="ntp"/>
  <forward/>
</zone>
But the files previously marked as [A]dded are preserved, which is why they remain unchanged in /etc; they are now marked as [M]odified:
# ostree admin config-diff | grep firewalld
M firewalld/zones/public.xml
M firewalld/zones/public.xml.old
This seems to be the expected behaviour of ostree's "three-way merge of /etc".
A fresh install with the latest edge-commit gives the expected config file, allowing inbound connections for the additional services (in this example http and ntp).
Is this customization available at installation time only?
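To make the [A]dded-then-[M]odified behaviour described above concrete, here is an added example that is not part of this bug report or of ostree: a small POSIX shell model of the three-way merge of /etc, run over constructed sample trees (the XML content and directory names are made up for the example). It compares the previous deployment's /usr/etc (OLD), the upgraded deployment's /usr/etc (NEW) and the running /etc, applies the documented rule that a file differing from OLD is carried forward while a file still equal to OLD takes NEW's version, and then reports A/M/D status the way `ostree admin config-diff` does. It replays both situations in the report: the zone file created by firewalld at boot (kept, so http stays disabled and the file shows as M) and the contrast where the same file had been shipped by the first commit and never touched (replaced, so http is enabled). The model is a simplification; it ignores directories, symlinks and file modes.

```shell
#!/bin/sh
# Added example, not from the bug report: a model of ostree's three-way
# merge of /etc over constructed sample trees.
#   OLD = previous deployment's /usr/etc, NEW = upgraded deployment's /usr/etc,
#   ETC = the running system's /etc.
# Rule: a file that differs from OLD (locally added, modified or deleted) is
# carried forward as-is; a file still equal to OLD takes whatever NEW ships.
set -e

# Relative paths of all regular files under a directory.
list_files() {
    ( cd "$1" && find . -type f | sed 's|^\./||' )
}

# merge_etc OLD NEW ETC MERGED: write the merged /etc into MERGED.
merge_etc() {
    m_old="$1"; m_new="$2"; m_etc="$3"; m_out="$4"
    mkdir -p "$m_out"
    { list_files "$m_old"; list_files "$m_new"; list_files "$m_etc"; } | sort -u |
    while read -r rel; do
        mkdir -p "$m_out/$(dirname "$rel")"
        if [ -f "$m_etc/$rel" ]; then
            if [ -f "$m_old/$rel" ] && cmp -s "$m_old/$rel" "$m_etc/$rel"; then
                # Unchanged since the previous deployment: take NEW's copy, if any.
                if [ -f "$m_new/$rel" ]; then cp "$m_new/$rel" "$m_out/$rel"; fi
            else
                # Locally added (no old default) or modified: the local copy wins.
                cp "$m_etc/$rel" "$m_out/$rel"
            fi
        elif [ ! -f "$m_old/$rel" ] && [ -f "$m_new/$rel" ]; then
            # Newly shipped in NEW with nothing local: take it.
            cp "$m_new/$rel" "$m_out/$rel"
        fi
        # Remaining case (in OLD, deleted locally) stays deleted.
    done
}

# config_diff ETC USR_ETC: print A/M/D per file, like `ostree admin config-diff`.
config_diff() {
    d_etc="$1"; d_usr="$2"
    { list_files "$d_etc"; list_files "$d_usr"; } | sort -u |
    while read -r rel; do
        if [ ! -f "$d_usr/$rel" ]; then
            echo "A $rel"
        elif [ ! -f "$d_etc/$rel" ]; then
            echo "D $rel"
        elif ! cmp -s "$d_etc/$rel" "$d_usr/$rel"; then
            echo "M $rel"
        fi
    done
}

# run_scenario MODE: replay the report with constructed files and print
# "<status> <has_http>" for firewalld/zones/public.xml after the upgrade.
#   added   - commit 1 ships no zone file; firewalld wrote it into /etc at boot
#   shipped - commit 1 shipped the same zone file and /etc never touched it
run_scenario() {
    work=$(mktemp -d)
    s_old="$work/old_usr_etc"; s_new="$work/new_usr_etc"
    s_etc="$work/etc"; s_merged="$work/merged_etc"
    zone=firewalld/zones/public.xml
    mkdir -p "$s_old/firewalld/zones" "$s_new/firewalld/zones" "$s_etc/firewalld/zones"
    # Constructed sample content (trimmed compared to the real zone file).
    base='<zone>\n  <service name="ssh"/>\n  <service name="cockpit"/>\n</zone>\n'
    # Commit 2 carries the blueprint customization: http and ntp enabled.
    printf '%b' '<zone>\n  <service name="ssh"/>\n  <service name="cockpit"/>\n  <service name="http"/>\n  <service name="ntp"/>\n</zone>\n' > "$s_new/$zone"
    printf '%b' "$base" > "$s_etc/$zone"
    if [ "$1" = shipped ]; then printf '%b' "$base" > "$s_old/$zone"; fi
    merge_etc "$s_old" "$s_new" "$s_etc" "$s_merged"
    status=$(config_diff "$s_merged" "$s_new" | grep "$zone" | cut -c1)
    if grep -q 'name="http"' "$s_merged/$zone"; then has_http=yes; else has_http=no; fi
    rm -rf "$work"
    echo "${status:--} $has_http"
}

# Stand-alone run: "M no" reproduces the report, "- yes" is the untouched contrast.
run_scenario added
run_scenario shipped
```

The `added` case is exactly what the report shows: because commit 1 never shipped the zone file, the copy firewalld wrote at first boot counts as a local change and survives the upgrade, so the new default with http/ntp is only visible under /usr/etc. Comparing `ostree admin config-diff` output for `M firewalld/` against the deployment's /usr/etc after each upgrade is a cheap way to catch this class of drift on a fleet.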
What is the impact of this issue to you?
"Preventing us rolling out a feature"
Please provide the package NVR for which the bug is seen:
osbuild-composer-132.2-2.el9_6.x86_64
How reproducible is this bug?:
Always
Steps to reproduce
1/ Create an initial blueprint
name = "edge-firewalld"
description = "edge firewalld test"
version = "0.0.1"
modules = []
groups = []
distro = ""

[[packages]]
name = "httpd"
version = "*"
2/ Push your blueprint and start your compose
# composer-cli blueprints push edge-firewalld.toml
# composer-cli compose start-ostree edge-firewalld edge-commit
3/ Download and unpack the commit to your local webserver into /var/www/html/repo
4/ Install the device with a basic kickstart (replace the URL)
text
lang en_US.UTF-8
keyboard us
timezone UTC
zerombr
clearpart --all --initlabel
autopart
zerombr
network --bootproto=dhcp
rootpw --plaintext rootroot --allow-ssh
ostreesetup --nogpg --osname=rhel --remote=edge --url=http://192.168.124.10/repo/ --ref=rhel/9/x86_64/edge
eula --agreed
reboot
5/ Observe that the default firewall rules are defined as expected for ssh and cockpit (present in /etc/firewalld/zones/public.xml and missing from /usr/etc/firewalld/zones/public.xml)
6/ Update the edge commit with the below blueprint
name = "edge-firewalld"
description = "edge firewalld test"
version = "0.0.2"
modules = []
groups = []
distro = ""

[[packages]]
name = "httpd"
version = "*"

# adding the package for clarity (but it was already installed by default)
[[packages]]
name = "firewalld"
version = "*"

# open http and ntp ports
[customizations]
[customizations.firewall]
[customizations.firewall.services]
enabled = ["http", "ntp"]
7/ Push the updated blueprint (v0.0.2) and start a new compose referring to the existing image (replace the URL)
# composer-cli compose start-ostree --url http://192.168.124.10/repo/ --ref rhel/9/x86_64/edge edge-firewalld edge-commit
8/ Download the image, unpack the tarball and update the local ostree repo
# composer-cli compose image <UUID>
# tar -xf <UUID>-commit.tar -C /root
# ostree pull-local --repo=/var/www/html/repo /root/repo
17 metadata, 6 content objects imported; 0 bytes content written
# restorecon -RFv /var/www/html/repo
9/ Run an `rpm-ostree upgrade` on your device and reboot
Expected results
http port should be allowed in firewalld.
Actual results
http port is still disabled in firewalld.