[RHELC-1180] OL 8: Prevent conversion failure with firewalld running

[r0x0d]

Firewalld is having problems with the python-nftables package after we replace the packages in the system to their rhel counterparts. This commit introduces a way to check if firewalld is running and the CleanupModulesOnExit firewalld option is enabled, and if so, we ask the user to disable the option.

If firewalld is left running with the option on during the conversion, the user will see a set of errors happening in the systemctl logs for firewalld and they will be unable to ssh into the machine after the conversion is done.

Jira Issues: RHELC-1180

Checklist

• PR has been tested manually in a VM (either author or reviewer)
• Jira issue has been made public if possible
• [RHELC-] is part of the PR title
• GitHub label has been added to help with Release notes
• PR title explains the change from the user's point of view
• Code and tests are documented properly
• The commits are squashed to as few commits as possible (without losing data)
• When merged: Jira issue has been updated to Release Pending if relevant

[codecov]

Codecov Report

Attention: 7 lines in your changes are missing coverage. Please review.

Comparison is base (44483f6) 93.87% compared to head (28d8493) 93.77%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #953      +/-   ##
==========================================
- Coverage   93.87%   93.77%   -0.10%     
==========================================
  Files          46       47       +1     
  Lines        4296     4340      +44     
  Branches      755      766      +11     
==========================================
+ Hits         4033     4070      +37     
- Misses        188      192       +4     
- Partials       75       78       +3     

Flag	Coverage Δ
centos-linux-7	88.70% <59.57%> (-0.33%)	⬇️
centos-linux-8	89.76% <85.10%> (-0.06%)	⬇️
centos-linux-9	89.83% <85.10%> (-0.06%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
...nvert2rhel/actions/pre_ponr_changes/transaction.py	100.00% <ø> (ø)
convert2rhel/systeminfo.py	97.08% <100.00%> (ø)
...ions/system_checks/check_firewalld_availability.py	84.09% <84.09%> (ø)

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[has-bot]

/packit test --labels tier0

---

@oamg/conversions-qe please review results and provide ack.

Log | Bot Usage

[r0x0d]

/packit test

[has-bot]

/packit test

---

@oamg/conversions-qe please review results and provide ack.

Log | Bot Usage

[has-bot]

/packit test --labels sanity

---

@oamg/conversions-qe please review results and provide ack.

Log | Bot Usage

[kokesak]

/packit test

[mportman12]

Left suggested edits.

[danmyway]

A couple of nitpicks, otherwise looks, good, thank you!

[kokesak]

/packit test

[danmyway]

/packit test

[danmyway]

LGTM, thanks!

[danmyway]

/packit retest-failed

[kokesak]

/packit test

[r0x0d]

/packit test

[kokesak]

/packit test

[kokesak]

Not a PR blocker, but: If none of the above condition is true, then this message is printed.

Scenario:

• we are on oracle8.8
• the firewalld is running
• the config file contains the CleanupModulesOnExit=no
  then all the ifs are skipped and no default return is present, so the logger.info("Skipping the check as it is relevant only for Oracle Linux 8.8 and above.") is printed even though we are on 8.8 :D

14:28:50             out: [2023-10-30T14:28:50+0000] TASK - [Prepare: Gather system information] *******************************
14:28:50             out: [2023-10-30T14:28:50+0000] DEBUG - Calling command 'uname -i'
14:28:50             out: Skipping the execution of 'rpm -Va'.
14:28:50             out: [2023-10-30T14:28:50+0000] DEBUG - Calling command 'uname -r'
14:28:50             out: [2023-10-30T14:28:50+0000] DEBUG - Booted kernel VRA (version, release, architecture): 4.18.0-477.27.1.el8_8.x86_64
14:28:50             out: Checking internet connectivity using address 'https://static.redhat.com/test/rhel-networkmanager.txt'.
14:28:50             out: Successfully connected to address 'https://static.redhat.com/test/rhel-networkmanager.txt', internet connection seems to be available.
14:28:50             out: [2023-10-30T14:28:50+0000] DEBUG - Calling command '/usr/bin/systemctl show -p ActiveState dbus'
14:28:50             out: Name:                Oracle Linux Server
14:28:50             out: OS version:          8.8
14:28:50             out: Architecture:        x86_64
14:28:50             out: Config filename:     oracle-8-x86_64.cfg
14:28:53             out: 
14:28:53             out: [2023-10-30T14:28:53+0000] TASK - [Prepare: Clear YUM/DNF version locks] *****************************
14:28:53             out: Usage of YUM/DNF versionlock plugin not detected.
14:28:53             out: 
14:28:53             out: [2023-10-30T14:28:53+0000] TASK - [Prepare: Clean yum cache metadata] ********************************
14:28:53             out: [2023-10-30T14:28:53+0000] DEBUG - Calling command 'yum clean metadata --enablerepo=* --quiet'
14:28:53             out: [2023-10-30T14:28:53+0000] DEBUG - Output of yum clean metadata:
14:28:53             out: 
14:28:53             out: Cached repositories metadata cleaned successfully.
14:28:53             out: 
14:28:53             out: [2023-10-30T14:28:53+0000] TASK - [Prepare: Check whether system is ready for conversion] ************
14:28:53             out: 
14:28:53             out: [2023-10-30T14:28:53+0000] TASK - [Prepare: Check that firewalld is running] *************************
14:28:53             out: [2023-10-30T14:28:53+0000] DEBUG - Calling command '/usr/bin/systemctl show -p ActiveState firewalld'
14:28:53             out: [2023-10-30T14:28:53+0000] DEBUG - CleanupModulesOnExit option is disabled in /etc/firewalld/firewalld.conf
14:28:53             out: Skipping the check as it is relevant only for Oracle Linux 8.8 and above.
14:28:53             out: CHECK_FIREWALLD_AVAILABILITY has succeeded

http://artifacts.osci.redhat.com/testing-farm/cfa41dc4-a364-4e38-9237-b41e280da9dc/work-rhsmf6bxgaaj/log.txt

[danmyway]

Just couple of nitpicks, we can discuss and revisit later @kokesak.
I wouldn't block the merge on this.

[danmyway]

I would rather see this hardcoded than imported TBH.

[danmyway]

Suggested change

	Verify that on the OL8.8 the conversion is inhibited due to
	running firewalld on the system and the `CleanupModulesOnExit` configuration
	option is set to `yes` in firewalld configuration file.
	The reference ticket: https://issues.redhat.com/browse/RHELC-1180
	Verify that on the OL8.8 the conversion is inhibited with the firewalld system unit
	running on the system with the `CleanupModulesOnExit` configuration
	option is set to `yes` in the firewalld configuration file.
	The reference ticket: https://issues.redhat.com/browse/RHELC-1180

[danmyway]

This might be tricky, I mean we have more or less the system under our control, but if for whatever reason the Oracle changes this, we won't match and the test will fail too soon.
I would either backup the original and provide our own config with the option disabled, or try regex matching more variants.

[danmyway]

This might be unnecessary since we check for the WARNING in the c2r runtime already.

[danmyway]

Suggested change

	Running conversion when firewalld is running and the proper configuration option is used.
	Running firewalld remediation

[danmyway]

Same as in the other case, I would rather see this hardcoded than imported.

[danmyway]

Suggested change

	@pytest.mark.test_firewalld_config
	def test_firewalld_config_ol8(shell, convert2rhel):
	@pytest.mark.test_running_firewalld_remediation
	def test_running_firewalld_remediation_ol8(shell, convert2rhel):

[danmyway]

Suggested change

	if not os.path.exists(FIREWALLD_CONFIG_FILE):
	pytest.fail("Firewalld configuration file does not exist")
	if not os.path.exists(FIREWALLD_CONFIG_FILE):
	pytest.fail("Firewalld configuration file does not exist")

This might come and bite us in the future.
Consider this being not so probable edge case, but if for whatever reason a new image will be provided without the config, the test will fail at this point providing no valid results.
Firewalld will fall back to a default option in case no config file is provided, that being CleanupModulesOnExit=yes.

[danmyway]

This will fail if we fail to match CleanupModulesOnExit=yes.
We might consider the suggestion from the other (non-destructive) test case. To provide and copy over our own config file and back up the existing one.

[danmyway]

Not sure why this is here.
If there would be a traceback, the c2r.exitstatus won't return 0.
On the other hand we might evaluate occurences of traceback in the logfile in one of the checks after conversion, which scans through the log file.

[bocekm]

$ ipython
In [1]: lines = ["option", "#option"]
In [2]: for line in lines:
   ...:     print(line.strip().startswith("option"))
True
False

This is what I meant. When the line starts with # or ;, the startswith("CleanupModulesOnExit") returns False.

[bocekm]

Suggested change

	" sed -i -- 's/CleanupModulesOnExit=yes/CleanupModulesOnExit=no/g' /etc/firewalld/firewalld.conf\n && firewall-cmd --reload."
	" You can change the option back to yes after the system reboot "
	" sed -i -- 's/^CleanupModulesOnExit.*/CleanupModulesOnExit=no/g' /etc/firewalld/firewalld.conf\n && firewall-cmd --reload\n"
	"You can change the option back to yes after the system reboot "

This is safer as it ignores the line if commented out (^) and it replaces the line even when it's not exactly CleanupModulesOnExit=yes because CleanupModulesOnExit = True is legit as well.