In order to get us going on actual development for the first iteration of the Workstation in F21, I've filed a first change request:
https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall
I think this reflects the discussion around firewalls we had back in February.
Feedback welcome.
While writing this up, I've reviewed the default-enabled services on the current desktop spin. In general, things look pretty good to me. A few things I wondered about:
- Why does cups end up running when I boot in a vm that certainly has no printer connected?
- Do we want fedora-readonly included? This is coming from the readonly-root feature, but it is off by default, and I don't think it is a tested configuration, so who knows if it works. And we're probably not going to turn it on for the Workstation.
- What is fedora-configure, and why is it installed? It seems to be a complicated way of triggering 'system reconfiguration' which in this case means running a shell script as a systemd service, which in turn runs /usr/bin/firstboot. Since /usr/bin/firstboot has been replaced by anaconda's initial-setup, I can only conclude that this functionality is also unused, untested and not working, and should probably be removed.
Matthias
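An added example, not part of the original message or of any Fedora tooling: with the firewall disabled, what the machine exposes is whatever the default-enabled services bind to non-loopback addresses, so the service review above can be checked by filtering `ss -H -tuln` output. The function names and the sample socket lines are constructed for this example.

```shell
#!/bin/sh
# Added example: list listening sockets reachable from the network,
# i.e. not bound to loopback. Reads `ss -H -tuln` output on stdin.
# Function names are hypothetical, chosen for this example.

exposed_listeners() {
    awk '
    NF < 5 { next }                         # skip blank or short lines
    {
        proto = $1; la = $5                 # 5th column: Local Address:Port
        match(la, /:[^:]*$/)                # last colon separates the port
        addr = substr(la, 1, RSTART - 1)
        port = substr(la, RSTART + 1)
        sub(/%.*$/, "", addr)               # drop %interface suffix
        gsub(/\[|\]/, "", addr)             # drop IPv6 brackets
        if (addr ~ /^127\./ || addr == "::1") next   # bound to loopback only
        scope = "one-address"
        if (addr == "0.0.0.0" || addr == "::" || addr == "*") scope = "all-interfaces"
        print proto, port, addr, scope
    }'
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      5              [::1]:631          [::]:*
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*
udp   UNCONN 0      0      192.168.122.1:53        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
EOF
}

# Demo on the constructed sample; on a live system run:
#   ss -H -tuln | exposed_listeners
sample_ss_output | exposed_listeners
```

Each output line is `protocol port address scope`; sockets bound only to 127.0.0.0/8 or ::1 are omitted because they are not reachable from the network regardless of firewall state.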
2014-04-04 6:21 GMT+02:00 Matthias Clasen mclasen@redhat.com:
> In order to get us going on actual development for the first iteration of the Workstation in F21, I've filed a first change request:
> https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall
> I think this reflects the discussion around firewalls we had back in February.
> Feedback welcome.
Will the qemu NAT networking work out of the box without a firewall?
If not, an alternative is to run the firewall but accepting all packets.
On Fri, Apr 4, 2014 at 10:46 AM, Sergio Pascual sergio.pasra@gmail.com wrote:
> 2014-04-04 6:21 GMT+02:00 Matthias Clasen mclasen@redhat.com:
>> In order to get us going on actual development for the first iteration of the Workstation in F21, I've filed a first change request:
>> https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall
>> I think this reflects the discussion around firewalls we had back in February.
>> Feedback welcome.
> Will the qemu NAT networking work out of the box without a firewall?
Yes works just fine without a firewall here.
On 04/04/2014 05:50 AM, drago01 wrote:
> On Fri, Apr 4, 2014 at 10:46 AM, Sergio Pascual sergio.pasra@gmail.com wrote:
>> 2014-04-04 6:21 GMT+02:00 Matthias Clasen mclasen@redhat.com:
>>> In order to get us going on actual development for the first iteration of the Workstation in F21, I've filed a first change request:
>>> https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall
>>> I think this reflects the discussion around firewalls we had back in February.
>>> Feedback welcome.
>> Will the qemu NAT networking work out of the box without a firewall?
> Yes works just fine without a firewall here.
Well, you can get away with stopped/uninstalled firewalld, but iptables is fundamentally required:
[crobinso@colepc ~]$ sudo systemctl stop firewalld.service
[crobinso@colepc ~]$ sudo systemctl stop iptables.service
[crobinso@colepc ~]$ sudo virsh net-destroy default
Network default destroyed
[crobinso@colepc ~]$ sudo virsh net-start default
error: Failed to start network default
error: failed to add iptables rule to allow DHCP requests from 'virbr0'
- Cole
Firewalls are fine, I wonder about wireless adapters and compatibility.
On Tue, Apr 8, 2014 at 6:27 PM, Cole Robinson crobinso@redhat.com wrote:
> On 04/04/2014 05:50 AM, drago01 wrote:
>> On Fri, Apr 4, 2014 at 10:46 AM, Sergio Pascual sergio.pasra@gmail.com wrote:
>>> 2014-04-04 6:21 GMT+02:00 Matthias Clasen mclasen@redhat.com:
>>>> In order to get us going on actual development for the first iteration of the Workstation in F21, I've filed a first change request:
>>>> https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall
>>>> I think this reflects the discussion around firewalls we had back in February.
>>>> Feedback welcome.
>>> Will the qemu NAT networking work out of the box without a firewall?
>> Yes works just fine without a firewall here.
> Well, you can get away with stopped/uninstalled firewalld, but iptables is fundamentally required:
> [crobinso@colepc ~]$ sudo systemctl stop firewalld.service
> [crobinso@colepc ~]$ sudo systemctl stop iptables.service
> [crobinso@colepc ~]$ sudo virsh net-destroy default
> Network default destroyed
> [crobinso@colepc ~]$ sudo virsh net-start default
> error: Failed to start network default
> error: failed to add iptables rule to allow DHCP requests from 'virbr0'
> - Cole
On Wed, Apr 9, 2014 at 1:29 AM, William Remski william.remski@gmail.com wrote:
> Firewalls are fine, I wonder about wireless adapters and compatibility.
What does this have to do with anything?
(ignoring firewall, answering the other questions)
Matthias Clasen (mclasen@redhat.com) said:
> - Do we want fedora-readonly included? This is coming from the readonly-root feature, but it is off by default, and I don't think it is a tested configuration, so who knows if it works. And we're probably not going to turn it on for the Workstation.
It's how ovirt-node and assorted smaller images run, so it is a tested configuration in some cases. Likely less so in the Workstation case, obviously.
> - What is fedora-configure, and why is it installed? It seems to be a complicated way of triggering 'system reconfiguration' which in this case means running a shell script as a systemd service, which in turn runs /usr/bin/firstboot. Since /usr/bin/firstboot has been replaced by anaconda's initial-setup, I can only conclude that this functionality is also unused, untested and not working, and should probably be removed.
As the guy that merged this way back in the day, I'm fine with it going away in favor of something like virt-sysprep for those that need to deconfigure their system. But I don't maintain it any more - file an initscripts bug?
Bill
On Fri, 2014-04-04 at 11:59 -0400, Bill Nottingham wrote:
> (ignoring firewall, answering the other questions)
> Matthias Clasen (mclasen@redhat.com) said:
>> - Do we want fedora-readonly included? This is coming from the readonly-root feature, but it is off by default, and I don't think it is a tested configuration, so who knows if it works. And we're probably not going to turn it on for the Workstation.
> It's how ovirt-node and assorted smaller images run, so it is a tested configuration in some cases. Likely less so in the Workstation case, obviously.
ah, thanks for the information.
>> - What is fedora-configure, and why is it installed? It seems to be a complicated way of triggering 'system reconfiguration' which in this case means running a shell script as a systemd service, which in turn runs /usr/bin/firstboot. Since /usr/bin/firstboot has been replaced by anaconda's initial-setup, I can only conclude that this functionality is also unused, untested and not working, and should probably be removed.
> As the guy that merged this way back in the day, I'm fine with it going away in favor of something like virt-sysprep for those that need to deconfigure their system. But I don't maintain it any more - file an initscripts bug?
Filed as https://bugzilla.redhat.com/show_bug.cgi?id=1084642
Now that I'm looking at initscripts, there's a few fedora-specific services that I find somewhat dubious.
fedora-domainname - is that still relevant? If yes, it should probably live with the component that handles network identity nowadays, sssd?
fedora-loadmodules - seems redundant and should be phased out in favor of systemd-modules-load, I'd say.
fedora-import-state - this tries to be conditionally activated when there is state in /run/initramfs/state, but at least on my system, it _does_ run and import an empty directory tree :-(
$ tree /run/initramfs/state/
/run/initramfs/state/
|-- etc
|   `-- sysconfig
|       `-- network-scripts
`-- var
    `-- lib
        `-- dhclient
I guess transferring network state from the initramfs will change anyway, with networkd ante portas...