-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test: restart firewalld before checking ports status #412
Conversation
tests_imuxsock_files.yml on el10 leaves firewalld in a really strange state such that when started it reports and firewall-cmd fails because firewalld is not listening to dbus. Restaring firewalld here seems to clear the condition. Signed-off-by: Rich Megginson <rmeggins@redhat.com>
15bc199
to
8e842b1
Compare
[citest] |
It sounds like when firewalld is started |
I previously had the results for el9, not el10. el10 results are coming. |
centos-10:
dbus.socket
firewalld is installed at 09:41:50
and started at 09:41:54
|
That looks like dbus starts before firewalld is installed (and thus firewalld's dbus policy). So when firewalld attempts to claim the bus it's rejected. |
ok, but is this some new behavior in el10? Because I don't see this issue on fedora, el9, or earlier. |
I don't think so. I don't see any Is it possible that for fedora, el9, etc. that the dbus policy was already in place? |
Maybe - will have to check - but if so, then we have been "getting lucky" all this time in the firewall role, and the actual fix is to change the firewall role like this: https://github.com/linux-system-roles/firewall/blob/main/tasks/firewalld.yml#L32
@erig0 wdyt? |
I think it's an acceptable quick fix. I would expect this to be a common RPM scenario and thus have existing |
@richm restarting D-Bus message broker (original implementation or dbus-broker) is not supported during system runtime as it may have various negative consequences for software which is not able to deal with this (which is most dbus clients unfortunately). IOW, you certainly don't want restart but reload. |
Right. A reload should work. |
@msekletar @erig0 ok - but - why is this now necessary in el10 after restarting journald? on el9 and earlier the code works fine even after restarting journald - on el10 it works fine if I do not restart journald |
I have no idea. |
@msekletar for context - the problem only happens after the logging test that configures rsyslog to listen to /dev/log, then restores journald to listen to /dev/log - https://github.com/linux-system-roles/logging/blob/main/tests/tests_imuxsock_files.yml#L107 - something about that restore process messes up firewalld listening to dbus - and it is only a problem on el10 - works fine on el9 and earlier |
@richm In general there is a bad design choice in D-Bus when it comes to handling configuration. It is loaded automatically and asynchronously based on inotify notification. You install the package which drops the policy and then you proceed with immediate start of the service then you might run into this problem. If you want to 100% avoid it you must reload D-Bus before attempting to start the service. Why it happens now and wasn't happening previously I don't know but potential for the race was always there I think. |
So we need to have something like this in every single system role that manages a dbus service?
? |
IMO, this should be fixed at the RPM/packaging level... or dbus itself considers a reload of policies when a bus claim is rejected due to policy. The latter may be DoS-y though. |
I agree, global posttrans file trigger might be the first step. Also maybe there is something to be addressed on D-Bus side. |
Closing in favor of #416 |
tests_imuxsock_files.yml on el10 leaves firewalld in a really strange
state such that when started it reports
and firewall-cmd fails because firewalld is not listening to dbus.
ERROR: Exception DBusException: org.freedesktop.DBus.Error.AccessDenied: Request to own name refused by policy
Restaring firewalld here seems to clear the condition.
Signed-off-by: Rich Megginson rmeggins@redhat.com