Bug 7722 - tl-setup automatic configuration of lokkit firewall exceeds systemd iptables.service start burst limiter
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Server Installer
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.13.0
Assignee: William Sjöblom
Keywords: nikle_tester, relnotes
Reported: 2021-06-08 10:28 CEST by William Sjöblom
Modified: 2021-06-09 13:30 CEST

Description William Sjöblom cendio 2021-06-08 10:28:33 CEST
When running tl-setup (4.12.1 and development builds) on a RHEL7
system with firewalld replaced with lokkit we get the following
error in /var/log/tlsetup.log:

> Creating firewall service 'tlwebaccess' using ports 300:TCP
> Enable firewall service 'tlwebaccess'
> Creating firewall service 'tlwebadm' using ports 1010:TCP
> Enable firewall service 'tlwebadm'
> Creating firewall service 'tlmaster' using ports 9000:TCP
> Enable firewall service 'tlmaster'
> Creating firewall service 'tlagent' using ports 904:TCP
> Enable firewall service 'tlagent'
> Enable system firewall service 'ssh'
> Failed to reload firewall configuration
>     Failed to start iptables.
>     Failed to start ip6tables.

This stems from us doing a burst of calls to lokkit which in turn
results in another burst of restarts of the iptables/ip6tables
systemd services. systemd limits service burst restarts to 5
within a 10 second interval. We hit this ceiling which results in
the iptables/ip6tables services dying and in turn the lokkit
firewall being disabled.
Comment 2 William Sjöblom cendio 2021-06-08 16:05:06 CEST
A fix has now been implemented. The changes are to be tested on RHEL7 since later RHEL versions exclusively use firewalld instead of lokkit.

To install lokkit, remove firewalld, and finally enable lokkit on a RHEL7 machine: 
> # yum install lokkit
> # yum remove firewalld
> # lokkit --enabled

Running tl-setup on the system should result in the ports used by ThinLinc being marked as ACCEPT in iptables and should all be using TCP:
> # iptables -L
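
An added example, not part of the original comment or ThinLinc's own code: a shell check for the test described in comment 2, run here over constructed `iptables -L INPUT -n` output. The port list comes from the log excerpt in the description, 22 is assumed for ssh, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Ports are from the tlsetup.log excerpt above; 22 (ssh) is assumed.
THINLINC_PORTS="22 300 904 1010 9000"

# missing_ports PORTS: read `iptables -L INPUT -n` output on stdin and print
# every port in PORTS that lacks an "ACCEPT tcp ... dpt:<port>" rule.
missing_ports() {
    awk -v want="$1" '
        $1 == "ACCEPT" && $2 == "tcp" {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^dpt:[0-9]+$/) seen[substr($i, 5)] = 1
        }
        END {
            n = split(want, p, " ")
            for (i = 1; i <= n; i++)
                if (!(p[i] in seen)) out = out (out == "" ? "" : " ") p[i]
            print out
        }'
}

# Constructed sample: rule set after a successful tl-setup run.
sample_ok() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:300
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:904
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1010
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9000
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
EOF
}

# Constructed sample: iptables.service failed to start, so no rules are loaded.
sample_disabled() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

for s in sample_ok sample_disabled; do
    m=$("$s" | missing_ports "$THINLINC_PORTS")
    [ -z "$m" ] && echo "$s: all ports ACCEPT/tcp" || echo "$s: missing $m"
done
```

On a live RHEL7 host, pipe `iptables -L INPUT -n` into `missing_ports`; the `-n` matters because a plain `iptables -L` prints service names instead of numbers for ports listed in /etc/services.
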
Comment 4 Niko Lehto cendio 2021-06-09 13:30:05 CEST
Tested as described in comment #2, with build 2122 on RHEL 7. Looks good!
Release notes also look good.
