#805 Freeze break request for firewalld
Closed None Opened 12 years ago by twoerner.

Hello,

firewalld is not in the core group in comps for F17. It should replace iptables and ip6tables services to be the default firewall solution in F-17.

The dependency tree was large because of a perl requirement of ebtables, but I already fixed ebtables and changed the services for iptables and ip6tables. Packages are built, and for ebtables there is already a bodhi update. I will also add the new iptables and ip6tables packages to bodhi.

firewalld adds these additional (mostly small) requirements to the core group:

dbus-glib
dbus-python
ebtables
libselinux-python
polkit
pygobject2
python-decorator
python-slip
python-slip-dbus

The iptables package is already part of the core group. iptables is required by firewalld.

The requirement for polkit can most likely also be removed similar to the systemd package. I will verify this.

Please vote in this ticket.

Thanks in advance,
Thomas


Well, for f17 it should have been enabled by default for Feature Freeze (2012-02-07)
http://fedoraproject.org/wiki/ReleaseEngineering/FeatureFreezePolicy

At this point we have made some rc's for Alpha, so it would not likely be there for Alpha. ;(

Adding QA and Rel-eng here for comment.

I guess my preference would be to defer to f18 (you can even make the comps change now!) rather than trying to rush into f17 after freeze.

As I had said to twoerner on IRC when he came asking for it to be enabled, it's too late for Alpha; it doesn't meet any blocker criteria to be included and missed the feature freeze by over a week. The changes could be landed in Beta, but by the letter of the policy the feature should be deferred to f18, and those changes can be landed for f18 today. I did say, however, that it was FESCo's call whether to get the feature into Beta or wait until f18.

For f18 it should be done ASAP.

With my FESCo hat on, I'm OK with it going in right after Alpha has gone gold.

With my FESCo hat on, I'm inclined to say that this should be bumped to F18 (sadly).

I'd feel better if it had been in by Alpha. I vote f18 as well.

To clarify my comment - it's based on the fact that the feature was in (and has been in for a while); we just haven't flipped the default.

I plan to have a fedora test day on 2012-03-15. If the response of this is not ok and there are unsolvable problems for F-17, then there would be enough time to move it.

A discussion would probably be useful - but because voting in ticket was requested, my vote is "defer to F18 if it can't be shipped in Alpha".

Yes, this was available in rawhide for some time, but the Fedora package has fallen behind the development being done. Also, at least based on how little discussion I have seen, very few people, if anyone, are currently using firewalld. Only after firewalld is enabled by default will we get any meaningful kind of testing or UI feedback.

Having a test day is definitely useful (and it's great that you have thought of that), however the prospect of having results from that test day one month in the future can't do much to influence my voting as of today.

What about moving the final decision to a date after the test day? Is adding to comps needed for the live-cd's for the test day?

It would be nice to have comment also from QA. I guess now it's late for F-17, so at the moment it is -1 from me.

== New Proposal ==

I'd like to request the firewalld-default feature to be added for beta after a successful test day. As NetworkManager is in base and not core, it should be ok to add firewalld also to base. The additional dependencies for firewalld in base should be very small.

Proposal was +4 -3 in meeting, with no votes from limburgher and mjg59.

Will revisit at next week's FESCo meeting, or tackle here pending in-ticket votes.

Sorry I missed the meeting, unexpectedly AFK all day.

I'm in favor of retargeting for f18.

+1 based on a successful test day.

So, that is +5-4, and the new proposal to add firewalld to comps and make it default after a test day is accepted, if I am not mistaken.

Note that the test day request ticket was filed and then apparently forgotten about:

https://fedorahosted.org/fedora-qa/ticket/280

twoerner filed it, j_dulaney (who's Test Day Wrangler for this cycle) replied quickly and accepted the request, asking twoerner to create a Wiki page (which is standard for test days), since then...radio silence. Doesn't seem like twoerner has either attempted to set up a test day or asked us (QA) for our help in doing it.

Replying to [comment:16 adamwill]:

First test day page online for 2012-03-19. Working on single test case pages.

https://fedoraproject.org/wiki/Test_Day:2012-03-19_firewalld (twoerner, 18:21:01)
AGREED: Proposal to have FESCO test firewalld and vote in ticket is passed (+7,-:0,0:0) (limburgher, 18:28:31)
AGREED: Add firewalld to comps now passed (+5,-:2,0:0) (limburgher, 18:43:40)

For the record, I ran through the Test Day tests successfully, so I give a +1 to including it in comps.

I ran the first two tests, which I can do in my virtual machine. I'm unsure about some test cases. For example the second is still using iptables-save, which is confusing.

Test matrix looked good, so it's probably good that we accepted the firewalld.
