Merge pull request #653 from mchf/fw_first_stage

Firewall in first stage
yast · Aug 13, 2020 · a85a44e · a85a44e
2 parents dbceebb + 8cbe94c
commit a85a44e
Show file tree

Hide file tree

Showing 6 changed files with 95 additions and 1 deletion.
diff --git a/package/autoyast2.changes b/package/autoyast2.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Aug 13 07:04:06 UTC 2020 - Michal Filka <mfilka@suse.com>
+
+- bsc#1173624
+  - Run firewall configuration in first stage
+- 4.3.35
+
 -------------------------------------------------------------------
 Tue Aug 11 10:13:57 CEST 2020 - schubi@suse.de
 

diff --git a/package/autoyast2.spec b/package/autoyast2.spec
@@ -22,7 +22,7 @@
 %endif
 
 Name:           autoyast2
-Version:        4.3.34
+Version:        4.3.35
 Release:        0
 Summary:        YaST2 - Automated Installation
 License:        GPL-2.0-only

diff --git a/src/lib/autoinstall/autosetup_helpers.rb b/src/lib/autoinstall/autosetup_helpers.rb
@@ -197,8 +197,44 @@ def profile_checker
       Y2Autoinstallation::XmlChecks.instance
     end
 
+    # Invokes autoyast setup for firewall
+    def autosetup_firewall
+      return if !Yast::Profile.current["firewall"]
+
+      # in some cases we need to postpone firewall configuration to the second stage
+      # we also have to guarantee that firewall is not blocking second stage in this case
+      firewall_section = if need_second_stage_run?
+        { "enable_firewall" => false }
+      else
+        Yast::Profile.current["firewall"]
+      end
+
+      log.info("Importing Firewall settings from AY profile")
+      Yast::WFM.CallFunction("firewall_auto", ["Import", firewall_section])
+
+      Yast::Profile.remove_sections("firewall") if !need_second_stage_run?
+    end
+
   private
 
+    # Checks whether we need to run second stage handling
+    def need_second_stage_run?
+      Yast.import "Linuxrc"
+
+      profile = Yast::Profile.current
+
+      # We have a problem when
+      # 1) running remote installation
+      # 2) second stage was requested
+      # 3) firewall was configured (somehow) and started via AY profile we can expect that
+      # ssh / vnc port can be blocked.
+      remote_installer = Yast::Linuxrc.usessh || Yast::Linuxrc.vnc
+      second_stage_required = profile.dig("general", "mode", "second_stage")
+      firewall_enabled = profile.dig("firewall", "enable_firewall")
+
+      remote_installer && second_stage_required && firewall_enabled
+    end
+
     def utf8_supported?
       (Yast::UI.GetDisplayInfo || {}).fetch("HasFullUtf8Support", true)
     end

diff --git a/src/lib/autoinstall/clients/inst_autosetup.rb b/src/lib/autoinstall/clients/inst_autosetup.rb
@@ -365,6 +365,11 @@ def main
           end
         end
 
+        #
+        # Run firewall configuration according to the profile
+        #
+        autosetup_firewall
+
         # Results of imported values semantic check.
         return :abort unless AutoInstall.valid_imported_values
 

diff --git a/test/lib/autosetup_helpers_test.rb b/test/lib/autosetup_helpers_test.rb
@@ -242,6 +242,47 @@ class DummyClient < Yast::Client
 
   end
 
+  describe "#autosetup_firewall" do
+    let(:profile) { { "firewall" => firewall_section } }
+    let(:firewall_section) { { "default_zone" => "external" } }
+
+    before(:each) do
+      Yast::Profile.current = profile
+      Yast::AutoinstConfig.main
+
+      allow(Yast::WFM).to receive(:CallFunction).with("firewall_auto", anything)
+    end
+
+    context "when a firewall section is present in the profile" do
+      context "when no second stage run is needed" do
+        before(:each) do
+          allow(client).to receive(:need_second_stage_run?).and_return(false)
+        end
+
+        it "removes the firewall section from the profile" do
+          client.autosetup_firewall
+          expect(Yast::Profile.current.keys).to_not include("firewall")
+        end
+      end
+
+      context "when second stage run is needed" do
+        before(:each) do
+          allow(client).to receive(:need_second_stage_run?).and_return(true)
+        end
+
+        it "does not remove the firewall section from the profile" do
+          client.autosetup_firewall
+          expect(Yast::Profile.current.keys).to include("firewall")
+        end
+
+        it "does not corrupt the profile" do
+          client.autosetup_firewall
+          expect(Yast::Profile.current).to eql profile
+        end
+      end
+    end
+  end
+
   describe "#autosetup_network" do
     let(:profile) { networking_section }
     let(:networking_section) { { "networking" => { "setup_before_proposal" => true } } }

diff --git a/test/lib/clients/inst_autosetup_test.rb b/test/lib/clients/inst_autosetup_test.rb
@@ -81,6 +81,11 @@
       subject.main
     end
 
+    it "sets up the firewall configuration" do
+      expect(subject).to receive(:autosetup_firewall)
+      subject.main
+    end
+
     it "sets up the partitioning schema" do
       expect(Yast::AutoinstStorage).to receive(:Import).and_return(true)
       expect(Yast::AutoinstStorage).to receive(:Write).and_return(true)