11:21 p.m.
In order to get us going on actual development for the first iteration
of the Workstation in F21, I've filed a first change request:
https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall
I think this reflects the discussion around firewalls we had back in
February.
Feedback welcome.
While writing this up, I've reviewed the default-enabled services on the
current desktop spin. In general, things look pretty good to me. A few
things I wondered about:
- Why does cups end up running when I boot in a vm that certainly has no
printer connected ?
- Do we want fedora-readonly included ? This is coming from the
readonly-root feature, but it is off by default, and don't think it is a
tested configuration, so who knows if it works. And we're probably not
going to turn it on for the Workstation
- What is fedora-configure, and why is it installed ? It seems to be a
complicated way of triggering 'system reconfiguration' which in this
case means running a shell script as a systemd service, which in turn
runs /usr/bin/firstboot. Since /usr/bin/firstboot has been replaced by
anacondas initial-setup, I can only conclude that this functionality is
also unused, untested and not working, and should probably be removed.
Matthias
3:46 a.m.
2014-04-04 6:21 GMT+02:00 Matthias Clasen <mclasen(a)redhat.com>:
In order to get us going on actual development for the first
iteration
of the Workstation in F21, I've filed a first change request:
https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall
I think this reflects the discussion around firewalls we had back in
February.
Feedback welcome.
Will the qemu NAT networking work out of the box without a firewall?
If not, an alternative is to run the firewall but acepting all packets
4:50 a.m.
On Fri, Apr 4, 2014 at 10:46 AM, Sergio Pascual <sergio.pasra(a)gmail.com> wrote:
2014-04-04 6:21 GMT+02:00 Matthias Clasen <mclasen(a)redhat.com>:
> In order to get us going on actual development for the first iteration
> of the Workstation in F21, I've filed a first change request:
>
> https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall
>
> I think this reflects the discussion around firewalls we had back in
> February.
>
> Feedback welcome.
Will the qemu NAT networking work out of the box without a firewall?
Yes works just fine without a firewall here.
5:27 p.m.
On 04/04/2014 05:50 AM, drago01 wrote:
On Fri, Apr 4, 2014 at 10:46 AM, Sergio Pascual
<sergio.pasra(a)gmail.com> wrote:
>
> 2014-04-04 6:21 GMT+02:00 Matthias Clasen <mclasen(a)redhat.com>:
>
>> In order to get us going on actual development for the first iteration
>> of the Workstation in F21, I've filed a first change request:
>>
>> https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall
>>
>> I think this reflects the discussion around firewalls we had back in
>> February.
>>
>> Feedback welcome.
>
>
> Will the qemu NAT networking work out of the box without a firewall?
Yes works just fine without a firewall here.
Well, you can get away stopped/uninstalled firewalld, but iptables is
fundamentally required:
[crobinso@colepc ~]$ sudo systemctl stop firewalld.service
[crobinso@colepc ~]$ sudo systemctl stop iptables.service
[crobinso@colepc ~]$ sudo virsh net-destroy default
Network default destroyed
[crobinso@colepc ~]$ sudo virsh net-start default
error: Failed to start network default
error: failed to add iptables rule to allow DHCP requests from 'virbr0'
- Cole
6:29 p.m.
Firewalls are fine, I wonder about wireless adapters and compatability.
On Tue, Apr 8, 2014 at 6:27 PM, Cole Robinson <crobinso(a)redhat.com> wrote:
On 04/04/2014 05:50 AM, drago01 wrote:
> On Fri, Apr 4, 2014 at 10:46 AM, Sergio Pascual <sergio.pasra(a)gmail.com>
wrote:
>>
>> 2014-04-04 6:21 GMT+02:00 Matthias Clasen <mclasen(a)redhat.com>:
>>
>>> In order to get us going on actual development for the first iteration
>>> of the Workstation in F21, I've filed a first change request:
>>>
>>> https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall
>>>
>>> I think this reflects the discussion around firewalls we had back in
>>> February.
>>>
>>> Feedback welcome.
>>
>>
>> Will the qemu NAT networking work out of the box without a firewall?
>
> Yes works just fine without a firewall here.
>
Well, you can get away stopped/uninstalled firewalld, but iptables is
fundamentally required:
[crobinso@colepc ~]$ sudo systemctl stop firewalld.service
[crobinso@colepc ~]$ sudo systemctl stop iptables.service
[crobinso@colepc ~]$ sudo virsh net-destroy default
Network default destroyed
[crobinso@colepc ~]$ sudo virsh net-start default
error: Failed to start network default
error: failed to add iptables rule to allow DHCP requests from 'virbr0'
- Cole
--
desktop mailing list
desktop(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/desktop
10:59 a.m.
(ignoring firewall, answering the other questions)
Matthias Clasen (mclasen(a)redhat.com) said:
- Do we want fedora-readonly included ? This is coming from the
readonly-root feature, but it is off by default, and don't think it is a
tested configuration, so who knows if it works. And we're probably not
going to turn it on for the Workstation
It's how ovirt-node and assorted smaller images run, so it is a tested
configuration in some cases. Likely less so in the Workstation case,
obviously.
- What is fedora-configure, and why is it installed ? It seems to be
a
complicated way of triggering 'system reconfiguration' which in this
case means running a shell script as a systemd service, which in turn
runs /usr/bin/firstboot. Since /usr/bin/firstboot has been replaced by
anacondas initial-setup, I can only conclude that this functionality is
also unused, untested and not working, and should probably be removed.
As the guy that merged this way back in the day, I'm fine with it going away
in favor of something like virt-sysprep for those that need to deconfigure
their system. But I don't maintain it any more - file an initscripts bug?
Bill
6:55 p.m.
On Fri, 2014-04-04 at 11:59 -0400, Bill Nottingham wrote:
(ignoring firewall, answering the other questions)
Matthias Clasen (mclasen(a)redhat.com) said:
> - Do we want fedora-readonly included ? This is coming from the
> readonly-root feature, but it is off by default, and don't think it is a
> tested configuration, so who knows if it works. And we're probably not
> going to turn it on for the Workstation
It's how ovirt-node and assorted smaller images run, so it is a tested
configuration in some cases. Likely less so in the Workstation case,
obviously.
ah, thanks for the information.
> - What is fedora-configure, and why is it installed ? It seems
to be a
> complicated way of triggering 'system reconfiguration' which in this
> case means running a shell script as a systemd service, which in turn
> runs /usr/bin/firstboot. Since /usr/bin/firstboot has been replaced by
> anacondas initial-setup, I can only conclude that this functionality is
> also unused, untested and not working, and should probably be removed.
As the guy that merged this way back in the day, I'm fine with it going away
in favor of something like virt-sysprep for those that need to deconfigure
their system. But I don't maintain it any more - file an initscripts bug?
Filed as https://bugzilla.redhat.com/show_bug.cgi?id=1084642
Now that I'm looking at initscripts, there's a few fedora-specific
services that I find somewhat dubious.
fedora-domainname - is that still relevant ? If yes, it should probably
live with the component that handles network identify nowadays, sssd ?
fedora-loadmodules - seems redundant and should be phased out in favor
of systemd-modules-load, I'd say.
fedora-import-state - this tries to be conditionally activated when
there is state in /run/initramfs/state, but at least on my system, it
_does_ run and import an empty directory tree :-(
$ tree /run/initramfs/state/
/run/initramfs/state/
|-- etc
| `-- sysconfig
| `-- network-scripts
`-- var
`-- lib
`-- dhclient
I guess transferring network state from the initramfs will change
anyway, with networkd ante portas...
3669
days inactive
3674
days old
desktop@lists.fedoraproject.org
7 comments
6 participants
participants (6)
-
Bill Nottingham -
Cole Robinson -
drago01 -
Matthias Clasen -
Sergio Pascual -
William Remski